cbcvebase.
CVE-2019-8917
published 2019-02-18

Priority: P276 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 36.45% (98.3th percentile)

SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.

Affected

1 range

Vendor        Product                               Version range    Fixed in
solarwinds    orion_network_performance_monitor     < 12.4           12.4

Detection & IOCs (extracted from sources)

  • The vulnerable service is OrionModuleEngine, which exposes a NetTcpBinding WCF endpoint allowing unauthenticated remote clients to call public methods — monitor for unexpected remote NetTcpBinding connections to this service.
  • The specific abused method is InvokeActionMethod on the OrionModuleEngine service — look for invocations of this method from unexpected or unauthenticated remote sources resulting in SYSTEM-level process execution.
  • The vulnerability affects only SolarWinds Orion NPM versions before 12.4; patch to 12.4 or later to remediate.

CVSS provenance

Source    Version    Score    Severity    Vector
nvd       v3.0       9.8      CRITICAL    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       v2.0       10.0     CRITICAL    AV:N/AC:L/Au:N/C:C/I:C/A:C