CVE-2019-3980
published 2019-10-08CVE-2019-3980: The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on…
PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
5.18%
91.4th percentile
The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | dameware_mini_remote_control | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for creation of dwDrvInst.exe in C:\Windows\Temp\ — this is the dropped payload path used by exploitation of CVE-2019-3980 via the DWRCS.exe smart card authentication code path. ↗
- →Alert on any process spawned by DWRCS.exe running under the Local System account, especially unexpected child processes, as exploitation results in arbitrary code execution under Local System. ↗
- →Detect unauthenticated smart card login requests to DWRCS.exe from external/untrusted sources — the attack vector abuses the smart card authentication flow to upload and execute files without prior authentication. ↗
- ·Smart card authentication is enabled by default in the affected agent, meaning the vulnerable code path is active out-of-the-box without any additional configuration by the administrator. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9qx2-7jwx-q6pj: The Solarwinds Dameware Mini Remote Client agent v12
ghsa_unreviewed·2022-05-24
CVE-2019-3980 [CRITICAL] CWE-20 GHSA-9qx2-7jwx-q6pj: The Solarwinds Dameware Mini Remote Client agent v12
The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.
VulnCheck
SolarWinds dameware_mini_remote_control Origin Validation Error
vulncheck·2019·CVSS 9.8
CVE-2019-3980 [CRITICAL] SolarWinds dameware_mini_remote_control Origin Validation Error
SolarWinds dameware_mini_remote_control Origin Validation Error
The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.
Affected: SolarWinds dameware_mini_remote_control
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://rt-solar.ru/solar-4rays/blog/5202/; https://rt-solar.ru/upload/iblock/6ac/gz6fmv0g5vdpft8jqajftydyki07y75k/v3_For_Public_Release_KHroniki_DFIR_v_2024_godu_vs_2023-_2
No detection rules found.
No public exploits indexed.
Tenable
SolarWinds Dameware Mini Remote Control Unauthenticated RCE
blogs_tenable·2019-09-30
SolarWinds Dameware Mini Remote Control Unauthenticated RCE
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
NoiseLetter March 2026
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
2019-10-08
Published
Exploited in the wild