What is CVE-2021-35218?

CVE-2021-35218 is a high-severity vulnerability in Solarwinds Patch Manager, classified under Deserialization of Untrusted Data. CVSS score: 8.9/10. Published 2021-09-01.

How severe is CVE-2021-35218?

High severity. CVSS v3 base score is 8.9 out of 10.

Is CVE-2021-35218 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Solarwinds Patch Manager

CVE-2021-35218

Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the…

Vulnerability class: Insecure Deserialization

EPSS: 0.149 (94.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.9 (High). Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L.

Affected products

Solarwinds Patch Manager — versions 2020.5 and previous versions

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

References

documentation.solarwinds.com/en/success_center/patchman/content/release_notes/p… (x_refsource_MISC)
www.solarwinds.com/trust-center/security-advisories/cve-2021-35218 (x_refsource_MISC)
www.zerodayinitiative.com/advisories/ZDI-21-1248/ (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-35218?: CVE-2021-35218 is a high-severity vulnerability in Solarwinds Patch Manager, classified under Deserialization of Untrusted Data. CVSS score: 8.9/10. Published 2021-09-01.
How severe is CVE-2021-35218?: High severity. CVSS v3 base score is 8.9 out of 10.
Is CVE-2021-35218 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.