CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2020-10148

CVSS 9.8v3.1pub. 2020-12-29upd. 2025-10-24

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Solarwinds Orion Platform

    APP
    Solarwinds
    2019.42020.22020.2.1

CISA KEV — detailsi

Vendori
SolarWinds
Producti
Orion
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2021-27258CRITICAL9.8ten sam produkt

This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWi...

CVE-2021-25274CRITICAL9.8ten sam produkt

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doe...

CVE-2020-13169CRITICAL9.0ten sam produkt

Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before before 2020.2.1 on multiple f...

CVE-2019-9546CRITICAL9.8ten sam produkt

SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ service.

CVE-2022-36963HIGH7.2ten sam produkt

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a re...