1.0 Introduction
SolarWinds has recently identified two security vulnerabilities, CVE-2024-28990 and CVE-2024-28991, which affect certain versions of its software products.
2.0 Impact
These vulnerabilities could allow an attacker to gain unauthorized access to the SolarWinds platform, potentially compromising sensitive data and system integrity. Exploitation of these vulnerabilities may result in unauthorized modification or deletion of data, exposure of confidential information, or denial of service (DoS).
3.0 Affected system/product/version
- SolarWinds ARM 2024.3 and prior versions
4.0 Related CVE Details
| Title | Severity | CVE |
| --- | --- | --- |
| SolarWinds Access Rights Manager (ARM) Hardcoded Credentials Authentication Bypass Vulnerability | 6.3 Medium | CVE-2024-28990 |
| SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution | 9.0 High | CVE-2024-28991 |
5.0 Recommendations
CyberSecurity Malaysia advises all users and administrators to immediately review SolarWinds’ official advisories and update their systems as per the following recommendation.
Update Access Rights Manager to version 2024.3.1 to apply security enhancements and performance updates.
Kindly refer to the following URL:
Generally, we advise users to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact Cyber999 Incident Response Centre through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my
6.0 References
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28991
- https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3-1_release_notes.htm
- https://www.rewterz.com/threat-advisory/critical-arm-flaw-allowing-rce-attacks-patched-by-solarwinds
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28991
- https://www.rewterz.com/threat-advisory/critical-arm-flaw-allowing-rce-attacks-patched-by-solarwinds#:~:text=It%20has%20been%20characterized%20as,user%20to%20abuse%20the%20service