CVE-2024-0692
Published 2024-03-01
CVE-2024-0692: The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse…
Priority: P1 · 88 · high · 8.8 (CVSS 3.1)
AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS
91.56%
99.8th percentile
The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | security_event_manager | < 2023.4.1 | 2023.4.1 |
| solarwinds | security_event_manager | — | — |
Detection & IOCs (extracted from sources)
url: /services/messagebroker/streamingamf
other: application/x-amf
- Probe for the vulnerable AMF endpoint by sending a POST to /services/messagebroker/streamingamf with Content-Type: application/x-amf; a vulnerable instance returns HTTP 200 with Content-Type containing 'application/x-amf' and body containing 'AMF version'.
- Confirm target is SolarWinds SEM by checking /webui/ response body for the string 'SolarWinds Security Event Manager' before attempting exploitation.
- Detection condition: HTTP 200 response, Content-Type header contains 'application/x-amf', and body contains 'AMF version'. All three must be true simultaneously.
- FOFA fingerprinting query to identify exposed SolarWinds SEM instances: title="SolarWinds Security Event Manager"
- The vulnerability is rooted in insecure deserialization (CWE-502) over the AMF (Action Message Format) streaming endpoint, exploitable by unauthenticated adjacent-network attackers.
- Attack vector is Adjacent Network (AV:A), meaning the attacker must be on the same network segment; it is not directly exploitable from the open internet in standard configurations.
- Very high EPSS score (0.78297, 99th percentile) indicates this vulnerability is actively being exploited or has high exploitation probability in the wild; prioritize patching.
- Affects all SolarWinds Security Event Manager versions prior to 2023.4.1; the fix is to upgrade to version 2023.4.1 or later.
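The request pattern in the notes above can also be hunted for in web logs that already exist. The Python sketch below is an added example, not part of the sources or of any vendor tooling; it assumes a reverse proxy in front of SEM that writes combined-format access logs, and the sample lines, addresses and the KNOWN_CLIENTS allowlist are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

AMF_PATH = "/services/messagebroker/streamingamf"  # endpoint named on this page
FINGERPRINT_PATH = "/webui"                         # product-confirmation path named on this page
KNOWN_CLIENTS = {"10.0.5.20"}                       # assumption: hosts expected to use the endpoint

# Constructed sample lines (documentation address ranges), combined log format.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2024:10:00:01 +0000] "GET /webui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Mar/2024:10:00:02 +0000] "POST /services/messagebroker/streamingamf HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2024:10:05:40 +0000] "POST /services/messagebroker/streamingamf?x=1 HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.5.20 - - [01/Mar/2024:10:06:00 +0000] "POST /services/messagebroker/streamingamf HTTP/1.1" 200 280 "-" "internal-client"
203.0.113.5 - - [01/Mar/2024:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def norm_path(target):
    """Drop the query string, decode %-escapes, ignore case and trailing slash."""
    return unquote(urlsplit(target).path).rstrip("/").lower()

def hunt(log_text, known_clients=KNOWN_CLIENTS):
    """Return one finding per POST to the AMF endpoint from an unexpected source."""
    fingerprinted = set()  # sources that requested /webui/ earlier in the log
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        src, path = m["src"], norm_path(m["target"])
        if path == FINGERPRINT_PATH:
            fingerprinted.add(src)
        elif path == AMF_PATH and m["method"] == "POST" and src not in known_clients:
            findings.append({
                "src": src,
                "time": m["ts"],
                "status": int(m["status"]),
                "priority": "high" if m["status"] == "200" else "review",  # 200: endpoint answered
                "after_webui_check": src in fingerprinted,
            })
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A "high" finding only says the endpoint answered an unexpected client; whether the host is affected still depends on it running a version before 2023.4.1.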
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.8 · HIGH
GHSA
GHSA-3fj5-f9x9-2hvx: The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability
ghsa_unreviewed·2024-03-01
CVE-2024-0692 [HIGH] CWE-502 GHSA-3fj5-f9x9-2hvx: The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability
VulnCheck
SolarWinds security_event_manager Deserialization of Untrusted Data
vulncheck·2024·CVSS 8.8
CVE-2024-0692 [HIGH] SolarWinds security_event_manager Deserialization of Untrusted Data
Affected: SolarWinds security_event_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-0692; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-23&host_type=src&vulnerability=cve-2024-0692; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-25&host_type=src&v
No detection rules found.
Nuclei
SolarWinds Security Event Manager - Unauthenticated RCE
nuclei·CVSS 8.8
CVE-2024-0692 [HIGH] SolarWinds Security Event Manager - Unauthenticated RCE
Template:
```yaml
id: CVE-2024-0692

info:
  name: SolarWinds Security Event Manager - Unauthenticated RCE
  author: DhiyaneshDK
  severity: high
  description: |
    The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.
  impact: |
    Unauthenticated attackers on the adjacent network can execute arbitrary code remotely on the SolarWinds Security Event Manager, leading to complete system compromis
```
https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2023-4-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-0692