CVE-2024-23477 Overview
CVE-2024-23477 is a directory traversal vulnerability in SolarWinds Access Rights Manager (ARM) that enables unauthenticated remote code execution. The flaw is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory. An attacker positioned on an adjacent network can exploit this weakness without authentication or user interaction to execute arbitrary code on the affected system. SolarWinds ARM is widely deployed to manage Active Directory permissions, file server access, and Microsoft Exchange rights, which makes affected hosts high-value targets within enterprise environments.
Critical Impact
Unauthenticated attackers on an adjacent network can execute arbitrary code on SolarWinds ARM servers, gaining a foothold in identity and access governance infrastructure.
Affected Products
- SolarWinds Access Rights Manager (ARM)
- SolarWinds ARM versions earlier than the fixed build named in the SolarWinds Security Advisory for CVE-2024-23477
- Deployments managing Active Directory, file servers, and Exchange permissions
Discovery Timeline
- 2024-02-15 - CVE-2024-23477 published to the National Vulnerability Database
- 2024-11-21 - NVD entry last updated
Technical Details for CVE-2024-23477
Vulnerability Analysis
The vulnerability stems from improper sanitization of file path inputs within SolarWinds Access Rights Manager. An attacker supplies crafted path sequences that escape the intended directory context. The flaw chains directory traversal with code execution primitives, allowing the attacker to drop or invoke code outside the application's intended file boundaries. Because exploitation requires no authentication, any actor with reachability to the ARM service on an adjacent network segment can attempt the attack. Successful exploitation compromises the confidentiality, integrity, and availability of the host. The scope change indicated in the vulnerability data shows that exploitation impacts resources beyond the vulnerable component, which is consistent with code execution under a privileged service account.
Root Cause
The root cause is insufficient validation of user-controlled path inputs processed by ARM components. The application accepts pathname elements containing traversal sequences such as ..\ without normalizing or restricting the resolved path. This allows references to arbitrary file system locations. When combined with file handling routines that write or load executable content, the traversal becomes a pathway to remote code execution.
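The weak pattern described above beside a confined resolver, as an added illustration of the CWE-22 root cause; this is not SolarWinds ARM code, and the base directory and file names are constructed sample values.

```python
import ntpath
from urllib.parse import unquote

# Constructed sample base directory; not an actual ARM installation path.
BASE_DIR = r"C:\ProgramData\ARM\uploads"


def weak_resolve(base, user_path):
    """The vulnerable pattern: join the user value and trust the result.
    normpath shows where the OS will actually land when the file is opened."""
    return ntpath.normpath(ntpath.join(base, user_path))


def safe_resolve(base, user_path):
    """Hardened pattern: decode, normalise, then require the resolved path
    to remain inside base. Raises ValueError on any escape attempt."""
    decoded = user_path
    for _ in range(3):  # repeat so %252e-style double encoding is unwrapped
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("/", "\\")  # Windows accepts both separators
    # Reject drive-qualified, UNC and root-relative inputs outright
    if decoded.startswith("\\") or ntpath.splitdrive(decoded)[0]:
        raise ValueError("absolute or rooted path rejected")
    base_norm = ntpath.normcase(ntpath.normpath(base))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base_norm, decoded)))
    # Compare with a trailing separator so 'uploads2' cannot pass as 'uploads'
    if full != base_norm and not full.startswith(base_norm + "\\"):
        raise ValueError("path escapes base directory")
    return full


def is_confined(base, user_path):
    """True when safe_resolve accepts user_path, False when it rejects it."""
    try:
        safe_resolve(base, user_path)
        return True
    except ValueError:
        return False
```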
Attack Vector
The attack requires network adjacency, meaning the attacker must reach the ARM service through the same broadcast domain, VPN segment, or routed internal network. The attacker sends a malicious request containing crafted path traversal sequences to an exposed ARM endpoint. The service processes the request, resolves the manipulated path, and executes attacker-supplied code in the context of the ARM service account. No authentication, user interaction, or prior access is required.
No verified public proof-of-concept code is available. Refer to the SolarWinds Security Advisory CVE-2024-23477 for vendor technical details.
Detection Methods for CVE-2024-23477
Indicators of Compromise
- Unexpected child processes spawned by SolarWinds ARM service binaries, particularly cmd.exe, powershell.exe, or scripting interpreters
- Inbound network traffic to ARM listening ports from unusual internal hosts containing path traversal sequences such as ..\ or URL-encoded %2e%2e%5c
- New or modified files in ARM application directories that do not align with vendor update timestamps
- Outbound network connections from the ARM host to unfamiliar internal or external endpoints
Detection Strategies
- Inspect ARM application and IIS logs for malformed paths and traversal patterns targeting service endpoints
- Monitor Windows Event Logs for process creation events where the parent is an ARM service binary
- Deploy network signatures that flag directory traversal payloads directed at ARM TCP ports
- Correlate file integrity changes within ARM installation directories against known-good baselines
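The log inspection in the first strategy above, as an added example that is not part of the original page: it parses IIS W3C log lines and flags requests whose path or query carries a '..' traversal segment, including the URL-encoded and double-encoded forms listed under Indicators of Compromise. The log lines are constructed samples, and the endpoints, port and client addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (not real ARM telemetry); the
# endpoints, port and client addresses are assumptions for illustration.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-03-01 10:00:01 10.10.50.5 GET /api/reports id=42 8081 10.10.50.20 200
2024-03-01 10:00:07 10.10.50.5 GET /api/files/..%5c..%5cwindows%5ctemp%5ct.aspx - 8081 10.20.1.77 200
2024-03-01 10:00:09 10.10.50.5 POST /api/upload name=..%252f..%252fweb%252ft.aspx 8081 10.20.1.77 500
2024-03-01 10:00:15 10.10.50.5 GET /api/files/report.pdf - 8081 10.10.50.21 200
"""

# A '..' segment bounded by a separator, the start/end of the value, or a
# query delimiter; applied after decoding so %2e%2e%5c and %252e forms match.
TRAVERSAL = re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double encoding cannot hide '..'."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_traversal(text):
    """Return (client ip, method, field, raw value) for each flagged request."""
    hits = []
    for rec in parse_w3c(text):
        for field in ("cs-uri-stem", "cs-uri-query"):
            raw = rec.get(field, "-")
            if raw != "-" and TRAVERSAL.search(fully_decode(raw)):
                hits.append((rec.get("c-ip"), rec.get("cs-method"), field, raw))
                break
    return hits
```

Matches should be correlated with the process-creation and file-integrity checks above, since a single traversal pattern in a request proves an attempt, not a successful execution.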
Monitoring Recommendations
- Enable detailed audit logging on the ARM server, including process creation and file system access auditing
- Forward ARM, Windows Security, and Sysmon telemetry to a centralized SIEM for correlation
- Alert on any non-administrative authentication or service restart events on the ARM host
- Baseline normal ARM behavior and trigger on deviations such as new outbound connections or unsigned binaries
How to Mitigate CVE-2024-23477
Immediate Actions Required
- Apply the SolarWinds patch referenced in the SolarWinds Security Advisory CVE-2024-23477 without delay
- Restrict network access to ARM management ports using host firewalls and network segmentation
- Audit ARM service account privileges and reduce them to the minimum required
- Review ARM and supporting Windows logs for indicators dating back to the vulnerability publication
Patch Information
SolarWinds released a fixed version of Access Rights Manager addressing CVE-2024-23477. Administrators should consult the SolarWinds Security Advisory CVE-2024-23477 for the specific fixed build and upgrade instructions. Apply the update to all ARM servers, including secondary or test instances, before resuming normal operations.
Workarounds
- Limit ARM network exposure to a dedicated management VLAN reachable only by authorized administrators
- Enforce host-based firewall rules that allow ARM service traffic only from known administrative workstations
- Disable or isolate ARM instances that cannot be patched immediately until the vendor update is applied
- Monitor adjacent network segments for reconnaissance activity targeting ARM service ports
# Example Windows firewall restriction limiting ARM access to a management subnet.
# The rule scopes inbound TCP 8081/8082 to 10.10.50.0/24; it only restricts
# access when the active profile's default inbound action is Block and no
# broader Allow rule for these ports already exists (check with Get-NetFirewallRule).
New-NetFirewallRule -DisplayName "Restrict SolarWinds ARM" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 8081,8082 `
    -RemoteAddress 10.10.50.0/24 `
    -Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.