SolarWinds has issued a new version of its Access Rights Manager software, which addresses a pair of security flaws, including a critical deserialization of untrusted data issue, tracked as CVE-2024-28991, which could be exploited to facilitate remote code execution, The Hacker News reports.
The vulnerability stems from inadequate validation of user-supplied data in ARM's JsonSerializationBinder and was discovered by Trend Micro Zero Day Initiative researcher Piotr Bazyldo. "Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed," said ZDI. Fixes have also been provided for a medium-severity flaw, tracked as CVE-2024-28990, which could be leveraged to compromise the RabbitMQ management console. SolarWinds noted that neither vulnerability has been observed in active use by any threat operation, but users are urged to apply ARM version 2024.3.1 immediately. SolarWinds' patches come after D-Link released fixes for three critical bugs impacting its DIR-X Wi-Fi 6 router models and the COVR-X1870 dual band mesh Wi-Fi 6 router.
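The root cause named above, a serialization binder that does not adequately validate caller-supplied type data, is the classic shape of a .NET deserialization flaw: when a JSON library is allowed to honour `$type` metadata from the input, the caller chooses which class gets instantiated. The example below is added here and is not SolarWinds ARM code; the article does not say which JSON library ARM uses, so Json.NET (Newtonsoft.Json) is assumed, and the class names `AccessRequest`, `NotForCallers` and `AllowlistBinder` are hypothetical. It places the weak configuration (`TypeNameHandling.All` with the default binder) beside a hardened one whose binder resolves only an explicit allowlist of types and rejects everything else before any object is constructed.

```csharp
// Added example, not SolarWinds ARM code. Assumes the Newtonsoft.Json package.
// Demonstrates an allowlisting ISerializationBinder next to the weak default setup.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// The only type this endpoint is meant to accept (hypothetical).
public sealed class AccessRequest
{
    public string User { get; set; } = "";
    public string Resource { get; set; } = "";
}

// A type that exists in the application but must never be selected by a caller (hypothetical).
public sealed class NotForCallers
{
    public string Command { get; set; } = "";
}

// Allowlisting binder: maps $type names to a fixed set of types and refuses anything else.
public sealed class AllowlistBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowlistBinder(params Type[] allowed)
    {
        foreach (var t in allowed)
            _allowed[t.FullName] = t;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var t))
            return t;
        // This rejection is the control: no assembly loading, no arbitrary type lookup.
        throw new JsonSerializationException($"Type '{typeName}' is not on the deserialization allowlist.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // emit a bare name, never an assembly-qualified one
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // Weak: any $type in the input is resolved, so the caller decides which class is built.
    public static readonly JsonSerializerSettings Weak = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All
    };

    // Hardened: $type is still read, but only through the allowlisting binder.
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto,
        SerializationBinder = new AllowlistBinder(typeof(AccessRequest))
    };

    public static void Main()
    {
        // Constructed input: $type names a class the endpoint never intended to accept.
        // The default binder needs "Type, Assembly" form to find a type outside the core library.
        string attackerChosen = typeof(NotForCallers).FullName + ", " + typeof(NotForCallers).Assembly.GetName().Name;
        string untrusted = "{\"$type\":\"" + attackerChosen + "\",\"Command\":\"anything\"}";

        object weakResult = JsonConvert.DeserializeObject<object>(untrusted, Weak);
        Console.WriteLine("weak settings built: " + weakResult.GetType().Name);     // NotForCallers

        try
        {
            JsonConvert.DeserializeObject<object>(untrusted, Hardened);
            Console.WriteLine("hardened settings accepted input (unexpected)");
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine("hardened settings rejected input: " + ex.Message);
        }

        // Constructed input that the endpoint does expect; the binder resolves it by bare name.
        const string expected = "{\"$type\":\"AccessRequest\",\"User\":\"alice\",\"Resource\":\"/reports\"}";
        var ok = JsonConvert.DeserializeObject<AccessRequest>(expected, Hardened);
        Console.WriteLine("hardened settings accepted: " + ok.User + " -> " + ok.Resource);
    }
}
```

The binder keys its allowlist on `Type.FullName` and ignores the assembly name entirely, so a caller cannot steer resolution by supplying an assembly-qualified name. Where an endpoint does not need polymorphic input at all, `TypeNameHandling.None` (the Json.NET default) removes the `$type` path altogether and is the simpler choice; the binder is for the cases where a small set of concrete types genuinely must be named in the payload.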
Critical SolarWinds ARM flaw fixed