CVE-2024-0692
published 2024-03-01

Priority: P1 | 88 | high | 8.8 (CVSS 3.1)
Vector: AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 91.56% (99.8th percentile)

The SolarWinds Security Event Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.

Affected

2 ranges
Vendor      Product                 Version range  Fixed in
solarwinds  security_event_manager  < 2023.4.1     2023.4.1
solarwinds  security_event_manager

Detection & IOCs (extracted from sources)

url: /services/messagebroker/streamingamf
other: application/x-amf
  • Probe for the vulnerable AMF endpoint by sending a POST to /services/messagebroker/streamingamf with Content-Type: application/x-amf; a vulnerable instance returns HTTP 200 with Content-Type containing 'application/x-amf' and body containing 'AMF version'.
  • Confirm target is SolarWinds SEM by checking /webui/ response body for the string 'SolarWinds Security Event Manager' before attempting exploitation.
  • Detection condition: HTTP 200 response, Content-Type header contains 'application/x-amf', and body contains 'AMF version' — all three must be true simultaneously.
  • FOFA fingerprinting query to identify exposed SolarWinds SEM instances: title="SolarWinds Security Event Manager"
  • The vulnerability is rooted in insecure deserialization (CWE-502) over the AMF (Action Message Format) streaming endpoint, exploitable by unauthenticated adjacent-network attackers.
  • Attack vector is Adjacent Network (AV:A), meaning the attacker must be on the same network segment; it is not directly exploitable from the open internet in standard configurations.
  • Very high EPSS score (0.78297, 99th percentile) indicates this vulnerability is actively being exploited or has high exploitation probability in the wild; prioritize patching.
  • Affects all SolarWinds Security Event Manager versions prior to 2023.4.1; the fix is to upgrade to version 2023.4.1 or later.

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH