cbcvebase.
CVE-2021-31474
published 2021-05-21

Priority: P1 · 80 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS: 94.43% (99.8th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213.

Affected (2 ranges)

Vendor      Product                      Version range              Fixed in
solarwinds  network_performance_monitor  (none given)               (none given)
solarwinds  network_performance_monitor  >= 2020.2.1, < 2020.2.5    2020.2.5

Detection & IOCs (extracted from sources)

url: /api/Action/TestAction
snort:
alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SolarWinds Orion RCE Inbound (CVE-2021-31474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/Action/TestAction"; fast_pattern; http.request_body; content:"$type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib"; content:"$value|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:cve,2021-31474; classtype:attempted-admin; sid:2033035; rev:1; metadata:attack_target Server, created_at 2021_05_27, cve CVE_2021_31474, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_05_27;)
bytes: $type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib
bytes: $value|22 3a 20 22|
  • Exploit traffic arrives as an unauthenticated inbound HTTP POST to /api/Action/TestAction; no authentication headers are required.
  • Request body contains a JSON deserialization payload with '$type' set to 'System.Byte[], mscorlib' and a Base64-encoded '$value' field — inspect HTTP POST bodies to this endpoint for these patterns.
  • The Base64-encoded value field immediately follows the '$value' key; a PCRE match on standard Base64 alphabet (with optional padding) in the request body is a strong indicator of exploit delivery.
  • Exploitation results in code execution as SYSTEM; monitor for child processes spawned by the SolarWinds service account with SYSTEM privileges following POST requests to the target endpoint.
  • Rule is recommended for Perimeter, Internal, and SSLDecrypt deployment contexts — SSL inspection is required to detect this exploit on TLS-protected SolarWinds instances.
  • The Snort/Suricata rule targets $HOME_NET and $HTTP_SERVERS on any port; ensure SolarWinds Orion's actual listening port(s) are included in these variables for accurate coverage.
  • The rule carries 'confidence Medium'; Base64-encoded POST bodies to /api/Action/TestAction may produce false positives from legitimate SolarWinds API calls — tune with additional context (e.g., source IP reputation, frequency).
  • SSL/TLS decryption must be in place for this rule to fire on encrypted traffic; without it, the HTTP request body will not be inspectable.
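The same detection logic as the ET rule, expressed as a small Python checker that runs over decrypted HTTP request records (for example, proxy or WAF logs). This is an added example and is not part of the cbcvebase page or the ET ruleset. It scopes to POST /api/Action/TestAction, looks for a JSON `"$type"` hint of `System.Byte[], mscorlib` paired with a Base64 `"$value"`, and falls back to a raw text match when the body is truncated or not valid JSON. The request records and the Base64 value are constructed for the example (the value is the encoding of a harmless marker string, not a serialized payload); `inspect_request`, `scan_records` and `find_byte_array_hints` are names chosen here, not anything from SolarWinds or the rule.

```python
"""Checker for CVE-2021-31474 exploit-delivery patterns in decrypted HTTP requests.

Added example mirroring ET rule sid:2033035: inbound POST to /api/Action/TestAction
whose body carries "$type": "System.Byte[], mscorlib" followed by a Base64 "$value".
As the page notes, this only sees anything when TLS inspection is in place.
"""
import base64
import json
import re

TARGET_URI = "/api/Action/TestAction"        # endpoint from the rule / IOC list

# Well-formed Base64 (full alphabet, optional padding), same shape as the rule's PCRE.
B64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)
# Raw-text fallback: the two rule content matches, tolerant of whitespace and a
# truncated (unterminated) body, as a byte-pattern rule would still fire on those.
RAW_RE = re.compile(
    r'"\$type"\s*:\s*"System\.Byte\[\],\s*mscorlib".*?"\$value"\s*:\s*"([A-Za-z0-9+/=]+)',
    re.DOTALL,
)


def _walk(node):
    """Yield every dict reachable from a parsed JSON value, depth-first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_byte_array_hints(body):
    """Return the Base64 '$value' strings paired with a System.Byte[] '$type' hint.

    JSON parsing is tried first (robust to key order, whitespace and nesting);
    bodies that do not parse fall back to the raw regex.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return [v for v in RAW_RE.findall(body) if B64_RE.match(v)]
    hits = []
    for obj in _walk(doc):
        type_hint = obj.get("$type")
        value = obj.get("$value")
        if (isinstance(type_hint, str) and type_hint.startswith("System.Byte[]")
                and "mscorlib" in type_hint
                and isinstance(value, str) and B64_RE.match(value)):
            hits.append(value)
    return hits


def inspect_request(method, uri, body):
    """Classify one request record. Returns (matched, reasons)."""
    if method.upper() != "POST" or uri.split("?", 1)[0] != TARGET_URI:
        return False, []                      # outside the rule's scope
    hits = find_byte_array_hints(body)
    if not hits:
        return False, []
    reasons = [f"POST to {TARGET_URI} with {len(hits)} System.Byte[] $type hint(s) "
               f"carrying a Base64 $value"]
    for value in hits:
        try:
            size = len(base64.b64decode(value, validate=True))
            reasons.append(f"$value decodes to {size} bytes")
        except ValueError:                    # binascii.Error is a ValueError
            reasons.append("$value fails strict Base64 decoding")
    return True, reasons


def scan_records(records):
    """Return [(index, reasons)] for every record that matches."""
    out = []
    for i, (method, uri, body) in enumerate(records):
        matched, reasons = inspect_request(method, uri, body)
        if matched:
            out.append((i, reasons))
    return out


# Constructed sample records, not captured traffic. SAMPLE_VALUE encodes a
# harmless marker string (33 bytes), not a serialized gadget.
SAMPLE_VALUE = base64.b64encode(b"constructed sample, not a payload").decode()
SAMPLE_REQUESTS = [
    ("GET", "/api/Action/TestAction", ""),
    ("POST", "/api/Action/TestAction", '{"actionId": 7, "name": "ping"}'),
    ("POST", "/api/Action/TestAction",
     '{"action": {"$type": "System.Byte[], mscorlib", "$value": "%s"}}' % SAMPLE_VALUE),
    ("POST", "/api/Alerts/List",
     '{"$type": "System.Byte[], mscorlib", "$value": "%s"}' % SAMPLE_VALUE),
    # truncated body: not valid JSON, caught by the raw fallback
    ("POST", "/api/Action/TestAction",
     '{"$type": "System.Byte[], mscorlib", "$value": "%s' % SAMPLE_VALUE),
]

if __name__ == "__main__":
    for index, reasons in scan_records(SAMPLE_REQUESTS):
        print(f"record {index}: " + "; ".join(reasons))
```

The second sample record shows the false-positive boundary the page warns about: a benign POST to the same endpoint is not flagged unless the `$type`/`$value` pair is present, so the checker is only as good as the type-hint pattern and should be tuned with source context just as the rule is.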

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C