CVE-2021-31474
Published: 2021-05-21

Priority: P1 (80) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 94.43% (99.8th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | network_performance_monitor | — | — |
| solarwinds | network_performance_monitor | >= 2020.2.1 < 2020.2.5 | 2020.2.5 |
Detection & IOCs (extracted from sources)

URL: /api/Action/TestAction

Snort/Suricata rule (Emerging Threats, sid 2033035):

```
alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SolarWinds Orion RCE Inbound (CVE-2021-31474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/Action/TestAction"; fast_pattern; http.request_body; content:"$type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib"; content:"$value|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:cve,2021-31474; classtype:attempted-admin; sid:2033035; rev:1; metadata:attack_target Server, created_at 2021_05_27, cve CVE_2021_31474, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_05_27;)
```

Byte patterns the rule matches in the request body (the hex escapes `|22 3a 20 22|`, `|5b 5d|` and `|20|` are `": "`, `[]` and a space):
- `$type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib`, i.e. `$type": "System.Byte[], mscorlib`
- `$value|22 3a 20 22|`, i.e. `$value": "`
- Exploit traffic arrives as an unauthenticated inbound HTTP POST to /api/Action/TestAction; no authentication headers are required.
- The request body contains a JSON deserialization payload with `$type` set to `System.Byte[], mscorlib` and a Base64-encoded `$value` field; inspect HTTP POST bodies to this endpoint for these patterns.
- The Base64-encoded value immediately follows the `$value` key; a PCRE match on the standard Base64 alphabet (with optional padding) at that position in the request body is a strong indicator of exploit delivery.
- Exploitation results in code execution as SYSTEM; monitor for child processes spawned by the SolarWinds service account with SYSTEM privileges following POST requests to the target endpoint.
- The rule is recommended for Perimeter, Internal and SSLDecrypt deployment contexts; SSL inspection is required to detect this exploit on TLS-protected SolarWinds instances.
- The Snort/Suricata rule targets $HOME_NET and $HTTP_SERVERS on any port; ensure SolarWinds Orion's actual listening port(s) are included in these variables for accurate coverage.
- The rule carries `confidence Medium`; Base64-encoded POST bodies to /api/Action/TestAction may produce false positives from legitimate SolarWinds API calls, so tune with additional context (e.g. source IP reputation, request frequency).
- SSL/TLS decryption must be in place for this rule to fire on encrypted traffic; without it the HTTP request body cannot be inspected.
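The checks listed above (a POST to /api/Action/TestAction, a `$type` naming `System.Byte[], mscorlib`, and a Base64 `$value` directly after it) can also be applied on the host or at a decrypting proxy, as a second signal beside the network rule. The Python below is an added example written for this page; it is not the Emerging Threats rule, nor SolarWinds code. It assumes the request has already been decrypted and split into method, path and body, parses the body as JSON so the marker is found even when it is nested inside another object, and applies the same structural Base64 check as the rule's PCRE followed by a strict decode. The sample bodies are constructed, not captured traffic.

```python
import base64
import json
import re
from typing import Any, Iterator

# Endpoint and type marker the ET rule keys on (both taken from the rule above).
TARGET_PATH = "/api/Action/TestAction"
TYPE_MARKER = "System.Byte[], mscorlib"

# Structural Base64 check equivalent to the rule's PCRE, anchored to the whole
# string. re.I admits lowercase letters; the PCRE as printed carries no
# case-insensitive flag, so this is deliberately a little broader (assumption:
# the full standard Base64 alphabet is the intended match).
BASE64_RE = re.compile(
    r"^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$", re.I
)


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, dict]]:
    """Yield (json_path, object) for every JSON object in the document, depth
    first, so a '$type' marker nested inside an argument array is still seen."""
    if isinstance(node, dict):
        yield path or "/", node
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def inspect_request(method: str, path: str, body: str) -> list[dict]:
    """Return one finding per object in a POST /api/Action/TestAction body whose
    '$type' names System.Byte[] from mscorlib and whose '$value' is valid Base64.
    Returns [] for other methods or paths, non-JSON bodies and benign payloads."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    try:
        document = json.loads(body)
    except ValueError:
        return []  # Not JSON: the rule's byte patterns would not match either.

    findings = []
    for json_path, obj in _walk(document):
        type_name = obj.get("$type")
        value = obj.get("$value")
        if not isinstance(type_name, str) or not isinstance(value, str):
            continue
        if TYPE_MARKER not in type_name or not BASE64_RE.match(value):
            continue
        try:
            decoded = base64.b64decode(value, validate=True)
        except ValueError:
            continue  # Passed the structural check but is not real Base64.
        findings.append({
            "path": json_path,
            "type": type_name,
            "decoded_len": len(decoded),
            # Mirrors the rule's 'confidence Medium': Base64 in bodies to this
            # endpoint can be legitimate, so correlate before acting.
            "confidence": "medium",
        })
    return findings


# Constructed sample bodies: one carrying the marker the rule looks for, one
# ordinary-looking API call, and one with the marker nested in an array.
CONSTRUCTED_MATCH = json.dumps({
    "$type": TYPE_MARKER,
    "$value": base64.b64encode(b"constructed sample").decode(),
})
CONSTRUCTED_BENIGN = json.dumps({
    "actionId": 7,
    "name": "ping",
    "payload": base64.b64encode(b"hello").decode(),
})
CONSTRUCTED_NESTED = json.dumps({
    "args": [{"$type": TYPE_MARKER, "$value": "AAAA"}],
})

if __name__ == "__main__":
    for label, sample in [("match", CONSTRUCTED_MATCH),
                          ("benign", CONSTRUCTED_BENIGN),
                          ("nested", CONSTRUCTED_NESTED)]:
        print(label, inspect_request("POST", TARGET_PATH, sample))
```

Parsing the JSON rather than byte-matching trades the rule's speed for resilience to whitespace and key ordering, which the `distance:0` content pair cannot absorb; keep the network rule for line-rate coverage and use a parser like this where request bodies are already available in clear text.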
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata
ET EXPLOIT Possible SolarWinds Orion RCE Inbound (CVE-2021-31474)
suricata · 2021-05-27 · CVSS 9.8 · [CRITICAL] · sid 2033035 (rule text given above under Detection & IOCs)
No public exploits indexed.
Trendmicro
Finding Deserialization Bugs in the SolarWinds Platform
blogs_trendmicro · 2023-09-21 · CVSS 7.2 · [HIGH]
## Finding Deserialization Bugs in the SolarWinds Platform
How to find deserialization bugs in the SolarWinds platform.
By: Zero Day Initiative, Sep 21, 2023

It's been a while since I have written a blog post; please accept my sincerest apologies. This is because a lot of fun stuff that I've recently done is going to be presented during conferences.
Please treat this post as a small introduction to my upcoming Hexacon 2023 talk titled "Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization". The entire talk and research was inspired by two small research projects, one of which focused on issues in SolarWinds deserialization.
In this blog post, I would like to present four old vulnerabilities that were fixed
References
- https://documentation.solarwinds.com/en/success_center/sam/content/release_notes/sam_2020-2-5_release_notes.htm
- https://www.zerodayinitiative.com/advisories/ZDI-21-602/