CVE-2020-10148
published 2020-12-29
Priority P1 · 99 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS
91.98%
99.8th percentile
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | — | — |
Detection & IOCs (extracted from sources)
yara
id: CVE-2020-10148 — matchers: body words: ["SolarWinds.Orion.Core.", "Connection String"]; header words: ["text/plain"]; status: 200
- Exploit requests target .i18n.ashx endpoints (web.config.i18n.ashx and SWNetPerfMon.db.i18n.ashx) with arbitrary 'l' and 'v' query parameters to bypass authentication on the SolarWinds Orion API.
- Successful exploitation returns HTTP 200 with Content-Type: text/plain and a body containing 'SolarWinds.Orion.Core.' or 'Connection String'; monitor for these response characteristics on .ashx endpoints.
- The SUPERNOVA web shell (App_Web_logoimagehandler.ashx.b6031896.dll) was deployed approximately 30 minutes after post-exploitation reconnaissance commands, suggesting scan-and-exploit triage activity; monitor for rapid sequential recon commands followed by DLL drops.
- Affected versions are specifically SolarWinds Orion Platform 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1; detections should be scoped to these versions to reduce false positives.
- The nuclei template uses stop-at-first-match across both .ashx probe paths, meaning only one request may be logged per scan attempt; network detection rules should account for either path independently.
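The request-side and response-side indicators above, turned into a small log-review check. This is an added example, not code from the page or from any of the listed sources; the access-log lines are constructed for illustration, and the check treats both .ashx paths independently, as the last bullet recommends.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request-side indicator: GET to either .i18n.ashx path with 'l' and 'v' query parameters.
PROBE_PATH = re.compile(r"/(web\.config|SWNetPerfMon\.db)\.i18n\.ashx$", re.IGNORECASE)
# Response-side indicator, mirroring the nuclei matcher quoted above.
BODY_WORDS = ("SolarWinds.Orion.Core.", "Connection String")


def request_is_probe(method: str, uri: str) -> bool:
    """True when the request shape matches the CVE-2020-10148 probe described on the page."""
    parts = urlsplit(uri)
    if method.upper() != "GET" or not PROBE_PATH.search(parts.path):
        return False
    params = parse_qs(parts.query)
    return "l" in params and "v" in params


def response_is_hit(status: int, headers: dict, body: str) -> bool:
    """True when a response looks like a successful bypass (200, text/plain, leaked config text)."""
    content_type = headers.get("Content-Type", "").lower()
    return status == 200 and content_type.startswith("text/plain") and any(w in body for w in BODY_WORDS)


def scan_log(lines):
    """Return (line_no, path) for every combined-format log line whose request matches the probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(\w+) (\S+) HTTP/', line)
        if m and request_is_probe(m.group(1), m.group(2)):
            hits.append((n, urlsplit(m.group(2)).path))
    return hits


# Constructed sample log (not real traffic): one benign request, two probes, one path hit without params.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Dec/2020:10:00:01 +0000] "GET /Orion/Login.aspx HTTP/1.1" 200 5120',
    '203.0.113.5 - - [29/Dec/2020:10:00:02 +0000] "GET /web.config.i18n.ashx?l=en-US&v=1.0 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [29/Dec/2020:10:00:03 +0000] "GET /SWNetPerfMon.db.i18n.ashx?l=en-US&v=1.0 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [29/Dec/2020:10:05:00 +0000] "GET /web.config.i18n.ashx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, path in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: probe against {path}")
```

The request check requires both 'l' and 'v' as the page describes; the ET Suricata rules below alert on the path alone, so they are broader.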
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-7c8f-5r89-mjgx: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands
ghsa_unreviewed·2022-05-24
CVE-2020-10148 [CRITICAL] CWE-287 GHSA-7c8f-5r89-mjgx: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
VulnCheck
SolarWinds Orion Authentication Bypass Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-10148 [CRITICAL] CWE-288 SolarWinds Orion Authentication Bypass Vulnerability
SolarWinds Orion Authentication Bypass Vulnerability
SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.
Affected: SolarWinds Orion
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cisa.gov/news-events/analysis-reports/ar21-112a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-19&host_type=src&vulnerability=cve-2020-10148; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vulnerability=cve-2020-10148; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type
CISA
SolarWinds Orion Authentication Bypass Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-10148 [CRITICAL] CWE-288 SolarWinds Orion Authentication Bypass Vulnerability
Vulnerability: SolarWinds Orion Authentication Bypass Vulnerability
Affected: SolarWinds Orion
SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-10148
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config) (CVE-2020-10148)
suricata·2020-12-29·CVSS 9.8
CVE-2020-10148 [CRITICAL] ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config) (CVE-2020-10148)
ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config) (CVE-2020-10148)
Rule: alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web.config.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031459; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, cve CVE_2020_10148, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2021_09_09;)
Suricata
ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)
suricata·2020-12-29·CVSS 9.8
CVE-2020-10148 [CRITICAL] ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)
ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)
Rule: alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/SWNetPerfMon.db.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031460; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, cve CVE_2020_10148, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2021_09_09;)
Nuclei
SolarWinds Orion Security Checks
nuclei·CVSS 6.1
CVE-2018-19386 [MEDIUM] SolarWinds Orion Security Checks
SolarWinds Orion Security Checks
A simple workflow that runs all SolarWinds Orion related nuclei templates on a given target.
Template:

```yaml
id: solarwinds-orion-workflow
info:
  name: SolarWinds Orion Security Checks
  author: dwisiswant0
  description: A simple workflow that runs all SolarWinds Orion related nuclei templates on a given target.
workflows:
  - template: http/exposed-panels/solarwinds-orion.yaml
    subtemplates:
      - template: http/cves/2018/CVE-2018-19386.yaml
      - template: http/cves/2020/CVE-2020-10148.yaml
      - template: http/default-logins/solarwinds/
```
Nuclei
SolarWinds Orion API - Auth Bypass
nuclei·CVSS 9.8
CVE-2020-10148 [CRITICAL] SolarWinds Orion API - Auth Bypass
SolarWinds Orion API - Auth Bypass
SolarWinds Orion API is vulnerable to an authentication bypass vulnerability that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Template:

```yaml
id: CVE-2020-10148
info:
  name: SolarWinds Orion API - Auth Bypass
  author: dwisiswant0
  severity: critical
  description: |
    SolarWinds Orion API is vulnerable to an authentication bypass vulnerability that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute
```
Wiz
What Is Application Security Testing? | Wiz
blogs_wiz·2025-02-28·CVSS 9.8
[CRITICAL] What Is Application Security Testing? | Wiz
Application security testing (AST) is a set of processes designed to detect and address security gaps during the early phases of the software development lifecycle (SDLC). In other words, teams take steps in pre-production to identify and mitigate risks before applications are released into operational environments. By integrating application security testing into existing workflows, teams can catch issues early, avoid duplicating efforts, and reduce costly inefficiencies that come up when vulnerabilities surface after deployment.
That said, application security testing can feel like one more thing to keep track of. As the line between development and operations gets narrower, modern development teams often wear multiple hats: innovating, building features, using containerization, and wr
Qualys
Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls
blogs_qualys·2022-08-23
Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls
## Table of Contents
Why Are Zero-Day Attacks/Exploits so Dangerous?
How Qualys Policy Compliance Helps Combat Zero-Day Threats
Benefit of Qualys Policy Compliance for Zero-Day Threats
Summary
Getting Started
Contributors
Zero-day vulnerability attacks have emerged as a major cybersecurity threat in the last few years. Organizations most often targeted include large enterprises and government/Federal agencies. However, any organization, regardless of its size, business, or industry, is a potential target for zero-day threats.
Most notably, already publicly disclosed. This means that one out of every four zero-day exploits detected could potentially have been avoided if a more thorough investigation and patching effort had been pursued. In 2021, around 58 zero-day vulnerabilities we
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)
blogs_tenable·2020-12-14
Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)
Threat Intel
BRONZE SPIRAL
threat_intel·CVSS 9.8
CVE-2020-10148 [CRITICAL] BRONZE SPIRAL
# Threat Actor: BRONZE SPIRAL
## Description
In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credenti
2020-12-29 Published
2021-11-03 Added to CISA KEV
Exploited in the wild