CVE-2020-14005
published 2020-06-24

Priority: P2 / 61 / high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 14.33% (96.2nd percentile)
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event.

Affected (2 ranges)

Vendor      Product                            Version range   Fixed in
solarwinds  orion_network_performance_monitor  -               -
solarwinds  orion_web_performance_monitor      -               -

Detection & IOCs (extracted from sources)

hash (sha256)  019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
hash (sha1)    2f1a5a7411d015d01aaee4535835400191645023
hash (sha256)  c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
hash (sha1)    75af292f34789a1c782ea36c7127bf6106f595e8
hash (sha256)  ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
hash (sha1)    d130bd75645c2433f88ac03e73395fba172ef676
hash (sha256)  32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
hash (sha1)    76640508b1e7759e548771a5359eaed353bf1eec
hash (sha256)  d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
hash (sha1)    1b476f58ca366b54f34d714ffce3fd73cc30db1a
domain         avsvmcloud[.]com
domain         databasegalore[.]com
domain         deftsecurity[.]com
domain         highdatabase[.]com
domain         incomeupdate[.]com
domain         panhardware[.]com
domain         thedoccloud[.]com
domain         zupertech[.]com
domain         {random strings}.appsync-api.{subdomain}.avsvmcloud.com
  • Sunburst checks the process name hash and a registry key for specific values before executing; detections should look for these pre-execution checks.
  • Sunburst only executes 12 or more days after initial infection and only on domain-joined systems; behavioral detections should account for this delayed activation on domain-joined hosts.
  • Sunburst C2 domains follow the pattern: {random strings}.appsync-api.{eu-west-1|eu-west-2|us-east-1|us-east-2}.avsvmcloud.com — use this pattern for DNS/network detection.
  • Supernova is a .NET web shell that inspects HTTP requests with specific query strings, cookies, and HTML form values; monitor for anomalous HTTP requests to SolarWinds web service handlers matching this pattern.
  • Sunburst checks for specific drivers, processes, or services and ceases operation if found; defenders can use this blocklist behavior as a detection opportunity by monitoring for enumeration of drivers/processes/services by the SolarWinds process.
  • CVE-2020-14005, when combined with other vulnerabilities, allows an unauthenticated attacker to execute arbitrary code as Administrator on SolarWinds Orion; prioritize detection of unauthenticated RCE attempts against Orion web console endpoints.
  • Sunburst was delivered via a trojanized SolarWinds Orion build (not via source code compromise); affected versions were downloaded between March and June 2020 by under 18,000 customers.
  • The malicious code was inserted during the build process, not in the source code repository, meaning standard source integrity checks would not have detected the compromise.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C