CVE-2020-14005
Published 2020-06-24
Priority: P2 · 61 · High · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 14.33% (96.2nd percentile)
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | orion_network_performance_monitor | — | — |
| solarwinds | orion_web_performance_monitor | — | — |
Detection & IOCs (extracted from sources)
- Sunburst checks the process name hash and a registry key for specific values before executing; detections should look for these pre-execution checks.
- Sunburst only executes 12 or more days after initial infection and only on domain-joined systems; behavioral detections should account for this delayed activation on domain-joined hosts.
- Sunburst C2 domains follow the pattern `{random strings}.appsync-api.{eu-west-1|eu-west-2|us-east-1|us-east-2}.avsvmcloud.com`; use this pattern for DNS/network detection.
- Supernova is a .NET web shell that inspects HTTP requests with specific query strings, cookies, and HTML form values; monitor for anomalous HTTP requests to SolarWinds web service handlers matching this pattern.
- Sunburst checks for specific drivers, processes, or services and ceases operation if found; defenders can use this blocklist behavior as a detection opportunity by monitoring for enumeration of drivers/processes/services by the SolarWinds process.
- CVE-2020-14005, when combined with other vulnerabilities, allows an unauthenticated attacker to execute arbitrary code as Administrator on SolarWinds Orion; prioritize detection of unauthenticated RCE attempts against Orion web console endpoints.
- Sunburst was delivered via a trojanized SolarWinds Orion build (not via source code compromise); affected versions were downloaded between March and June 2020 by under 18,000 customers.
- The malicious code was inserted during the build process, not in the source code repository, meaning standard source integrity checks would not have detected the compromise.
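The DNS detection idea above, as an added example that is not code from the page's sources: a small scanner that parses DNS query log lines (the log format and sample lines are constructed assumptions) and flags queried names matching the documented Sunburst C2 pattern, while leaving legitimate AWS AppSync names alone.

```python
import re

# Sunburst C2 name pattern as described above:
# {random strings}.appsync-api.{eu-west-1|eu-west-2|us-east-1|us-east-2}.avsvmcloud.com
# Scoped deliberately to the documented pattern; the root domain itself can be
# blocklisted separately by the resolver.
SUNBURST_C2_RE = re.compile(
    r"^(?P<label>[a-z0-9-]+)\.appsync-api\."
    r"(?P<region>eu-west-1|eu-west-2|us-east-1|us-east-2)\.avsvmcloud\.com\.?$",
    re.IGNORECASE,
)

# Assumed (constructed) log format: "<timestamp> <client_ip> <qname> <qtype>", one query per line.
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None for blank/malformed lines."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_sunburst_c2(qname):
    """True when the queried name matches the Sunburst C2 pattern (trailing dot tolerated)."""
    return SUNBURST_C2_RE.match(qname) is not None


def find_sunburst_queries(lines):
    """Return the parsed records whose queried name matches the C2 pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_sunburst_c2(rec["qname"]):
            hits.append(rec)
    return hits


# Constructed sample log: two C2-pattern queries, one legitimate AppSync name, one unrelated host.
SAMPLE_LOG = """
2020-06-30T12:00:01Z 10.0.0.5 www.example.com A
2020-06-30T12:00:02Z 10.0.0.5 k3xq9vb2mzd81p.appsync-api.eu-west-1.avsvmcloud.com A
2020-06-30T12:00:03Z 10.0.0.7 abc123.appsync-api.us-east-1.amazonaws.com A
2020-06-30T12:00:04Z 10.0.0.9 mn7f0q2ztc4wle.appsync-api.us-east-2.avsvmcloud.com. CNAME
"""

if __name__ == "__main__":
    for hit in find_sunburst_queries(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['ts']} client={hit['client']} qname={hit['qname']}")
```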
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
No public exploits indexed.
## Trend Micro: Overview of Recent Sunburst Targeted Attacks
blogs_trendmicro · 2020-12-15 · CVSS 8.8 [HIGH]
Various sources have recently disclosed a sophisticated attack that hit organizations via the supply chain via a compromised network monitoring program. This post discusses what the Sunburst backdoor is and what you can do now to mitigate this threat.
By: Trend Micro, 2020/12/15
Update on 12/29/2020 2:40 PM PST: Information on Supernova added
Update on 1/22/2021 4:56 PM PST: Trend Micro's Zero-Day Initiative (ZDI) provided technical analysis of recently patched vulnerabilities in the SolarWinds Orion Platform. CVE-2020-14005, one of these vulnerabilities, has been linked to the recent SUNBURST cyberattack on SolarWinds. These vulnerabilities, when combined, could allow an unauthenticated attacker to execu
Sources:
- https://gist.github.com/alert3/c9dcce5474e55f408c93c086c30cdbb7
- https://www.zerodayinitiative.com/advisories/ZDI-21-063/
- https://www.zerodayinitiative.com/advisories/ZDI-21-065/