CVE-2022-38108
published 2022-10-20


Priority: P2
CVSS 3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 69.55% (99.3rd percentile)
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Affected (6 ranges)

Vendor     | Product            | Version range                                | Fixed in
solarwinds | orion_platform     | < 2020.2.6                                   | 2020.2.6
solarwinds | orion_platform     |                                              |
solarwinds | orion_platform     |                                              |
solarwinds | orion_platform     |                                              |
solarwinds | orion_platform     | unspecified – 2020.2.6 HF5 and prior versions |
solarwinds | solarwinds_platform | unspecified – 2022.3 and prior versions     |

Detection & IOCs (extracted from sources)

Port: 5671
  • Monitor AMQP message queue traffic (typically port 5671/5672) for crafted messages containing serialized .NET objects originating from authenticated but unauthorized or suspicious users targeting the SolarWinds Information Service (SWIS).
  • Alert on unexpected child processes spawned by the SolarWinds Information Service (SWIS) process running as NT AUTHORITY\SYSTEM, which may indicate successful .NET deserialization RCE exploitation.
  • Detect exploitation attempts via the SolarWinds Web Console by monitoring for Orion admin-level account activity that triggers deserialization of untrusted data payloads.
  • Exploitation requires valid authentication to the AMQP service; restrict AMQP access to trusted hosts only and enforce strong credential controls for Orion admin accounts.
  • The attack vector requires Orion admin-level account access to the SolarWinds Web Console, meaning compromised or insider admin credentials are a prerequisite for exploitation.