Vulnerabilities > CVE-2019-8917 - Unspecified vulnerability in Solarwinds Orion Network Performance Monitor

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

solarwinds

critical

NVD

Published: 2019-02-18

Updated: 2020-08-24

Summary

SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.

Vulnerable Configurations

Part	Description	Count
Application	Solarwinds Solarwinds Orion Network Performance Monitor - Solarwinds Orion Network Performance Monitor 10.0 Solarwinds Orion Network Performance Monitor 10.1 Solarwinds Orion Network Performance Monitor 10.1.13.0 Solarwinds Orion Network Performance Monitor 10.2 Solarwinds Orion Network Performance Monitor 10.2.1 Solarwinds Orion Network Performance Monitor 10.2.2 Solarwinds Orion Network Performance Monitor 10.3 Solarwinds Orion Network Performance Monitor 10.3.1 Solarwinds Orion Network Performance Monitor 11.4 Solarwinds Orion Network Performance Monitor 12.0 Solarwinds Orion Network Performance Monitor 12.0.1 Solarwinds Orion Network Performance Monitor 12.1 Solarwinds Orion Network Performance Monitor 12.2 Solarwinds Orion Network Performance Monitor 12.3	15

Summary

Vulnerable Configurations

References