SolarWinds “Advanced Monitoring Agent” before 10.8.9
Insufficient authorization / privilege escalation
- 18.05.2020 Manufacturer informed
- 20.05.2020 Vendor confirms the vulnerability and informs HanseSecure that the vulnerability has been patched in version 10.8.9.
- 03.06.2020 Disclosure
In versions of the Advanced Monitoring Agent software before 10.8.9, the agent was executed whenever any user (remote or local) logged in. The corresponding file can be modified by all users on the system. A malicious user could replace the file with a modified version to execute arbitrary commands in the context of the user logging in.
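To check a host for the condition described above, the following PowerShell audit (an added example, not part of the original advisory or of the vendor's tooling) reports Allow ACEs that give low-privileged groups write-type rights on a logon-launched executable. It goes slightly beyond the advisory by also checking the containing directory, since write access there allows the file to be replaced as well. The advisory does not name the affected file, so the default `$Path` is a placeholder; the function name `Get-WeakAce` is likewise chosen for this example.

```powershell
# Added example. $Path is a placeholder: point it at the agent executable
# that is launched at logon on your system (the advisory does not name it).
param(
    [string[]]$Path = @('C:\Path\To\AgentExecutable.exe')   # placeholder
)

# Well-known SIDs of low-privileged groups (independent of OS language).
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal alter or replace the file (or, on the parent
# directory, delete it and create a new file under the same name).
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
    $R::TakeOwnership)

function Get-WeakAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs do not apply to the object itself; skip them.
        $inheritOnly = $ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        $sid = $ace.IdentityReference.Value
        $hasWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($lowPrivSids.ContainsKey($sid) -and $hasWrite) {
            [pscustomobject]@{
                Item      = $Item
                Principal = $lowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
    Get-WeakAce -Item $p                                        # the executable
    Get-WeakAce -Item ([System.IO.Path]::GetDirectoryName($p))  # its folder
}
```

No output means none of the listed groups holds write-type access to the file or its folder; any row returned identifies an ACE to remove or tighten.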