SolarWinds has patched five remote code execution (RCE) vulnerabilities in its Access Rights Manager software, three of which are rated critical.
The bugs were discovered and reported by Trend Micro’s Zero Day Initiative (ZDI).
The software lets users manage and audit access to Microsoft resources like Active Directory, Azure Active Directory, Exchange, SharePoint, OneDrive, and file servers.
According to SolarWinds’ advisory, CVE-2023-40057 is a bug in how the software handles deserialisation of untrusted data.
“If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution,” the advisory said.
The other two critical bugs are CVE-2024-23476 and CVE-2024-23479. Both are directory traversal bugs, and are exploitable by unauthenticated attackers.
Two more bugs reported through ZDI, with a “high” severity rating, are CVE-2024-23477 (a directory traversal bug) and CVE-2024-23478 (a deserialisation bug).
The vulnerabilities are patched in Access Rights Manager 2023.2.3.
In a separate advisory, SolarWinds also disclosed two high-rated bugs in its Orion Platform, also discovered by ZDI.
CVE-2023-50395 and CVE-2023-35188 are both SQL injection bugs affecting an update statement and a create statement, respectively.
SolarWinds said the two bugs can only be exploited by an authenticated user, and consequently have not been seen in the wild.
Access Rights Manager last needed patching against RCEs in October last year.
SolarWinds famously suffered a major attack in 2020, reaching high-profile customers such as Microsoft.