This advisory is for organizations that use SolarWinds Access Rights Manager (ARM) to manage and audit user access rights. If your organization does not use this platform, this notification may be discarded.
SolarWinds has released patch 2023.2.1 to address several vulnerabilities in its Access Rights Manager product. Three of the fixed vulnerabilities are rated critical and could allow a remote, unauthenticated attacker to execute code in the context of SYSTEM:
CVE-2023-35182 – ARM Deserialization of Untrusted Data Remote Code Execution
CVE-2023-35185 – ARM Directory Traversal Remote Code Execution
CVE-2023-35187 – ARM Directory Traversal Remote Code Execution