SolarWinds

All CVEs

266 total · sorted by risk
  • CVE-2012-2576 · Critical · Dec 20, 2017
    risk 0.71 · cvss 9.8 · epss 0.59

    SQL injection vulnerability in the LoginServlet page in SolarWinds Storage Manager before 5.1.2, SolarWinds Storage Profiler before 5.1.2, and SolarWinds Backup Profiler before 5.1.2 allows remote attackers to execute arbitrary SQL commands via the loginName field.

  • CVE-2016-2345 · Critical · Mar 17, 2016
    risk 0.71 · cvss 9.8 · epss 0.51

    Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in SolarWinds DameWare Mini Remote Control 12.0 allows remote attackers to execute arbitrary code via a crafted string.

  • CVE-2017-7722 · Critical · Apr 12, 2017
    risk 0.69 · cvss 10.0 · epss 0.13

    In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiting a vulnerability in the restrictssh feature of the menuing script, an attacker…

  • CVE-2016-4350 · Critical · May 9, 2016
    risk 0.69 · cvss 9.8 · epss 0.70

    Multiple SQL injection vulnerabilities in the Web Services web server in SolarWinds Storage Resource Monitor (SRM) Profiler (formerly Storage Manager (STM)) before 6.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) ScriptSchedule parameter in the…

  • CVE-2016-3643 · High · KEV · Jun 17, 2016
    risk 0.66 · cvss 7.8 · epss 0.04

    SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd."

  • CVE-2016-3642 · Critical · Jun 17, 2016
    risk 0.65 · cvss 9.8 · epss 0.13

    The RMI service in SolarWinds Virtualization Manager 6.3.1 and earlier allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

  • CVE-2026-28318 · High · KEV · Jun 4, 2026
    risk 0.61 · cvss 7.5 · epss 0.11

    SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the…

  • CVE-2017-6803 · High · Mar 20, 2017
    risk 0.61 · cvss 8.8 · epss 0.04

    Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin password, (2) terminate the…

  • CVE-2017-7647 · High · Apr 10, 2017
    risk 0.57 · cvss 8.8 · epss 0.03

    SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows an authenticated user to execute arbitrary commands.

  • CVE-2017-5199 · High · Mar 24, 2017
    risk 0.57 · cvss 8.8 · epss 0.03

    The editbanner feature in SolarWinds LEM (aka SIEM) through 6.3.1 allows remote authenticated users to execute arbitrary code by editing /usr/local/contego/scripts/mgrconfig.pl.

  • CVE-2017-5198 · High · Mar 24, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    SolarWinds LEM (aka SIEM) before 6.3.1 has an incorrect sudo configuration, which allows local users to obtain root access by editing /usr/local/contego/scripts/hostname.sh.

  • CVE-2018-12897 · High · Sep 7, 2018
    risk 0.54 · cvss 7.8 · epss 0.02

    SolarWinds DameWare Mini Remote Control before 12.1 has a Buffer Overflow.

  • CVE-2026-28299 · High · Jun 2, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash due to insufficient memory.

  • CVE-2025-26396 · High · Jun 2, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    The SolarWinds Dameware Mini Remote Control was determined to be affected by Incorrect Permissions Local Privilege Escalation Vulnerability. This vulnerability requires local access and a valid low privilege account to be susceptible to this vulnerability.

  • CVE-2018-10240 · High · May 16, 2018
    risk 0.48 · cvss 7.3 · epss 0.01

    SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the…

  • CVE-2018-10241 · Medium · May 16, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    A denial of service vulnerability in SolarWinds Serv-U before 15.1.6 HFv1 allows an authenticated user to crash the application (with a NULL pointer dereference) via a specially crafted URL beginning with the /Web%20Client/ substring.

  • CVE-2017-7646 · Medium · Apr 10, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows an authenticated user to browse the server's filesystem and read the contents of arbitrary files contained within.

  • CVE-2018-25252 · Medium · Apr 4, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and…

  • CVE-2017-9538 · Medium · Oct 3, 2017
    risk 0.32 · cvss 4.9 · epss 0.02

    The 'Upload logo from external path' function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to cause a denial of service (permanent display of a "Cannot exit above the top directory" error message throughout the entire web application)…

  • CVE-2026-28301 · Medium · Jun 9, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website.

  • CVE-2017-9537 · Medium · Oct 3, 2017
    risk 0.31 · cvss 4.8 · epss 0.03

    Persistent cross-site scripting (XSS) in the Add Node function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to introduce arbitrary JavaScript into various vulnerable parameters.

  • CVE-2016-5709 · Medium · Jun 24, 2016
    risk 0.31 · cvss 4.7 · epss 0.01

    SolarWinds Virtualization Manager 6.3.1 and earlier uses weak encryption to store passwords in /etc/shadow, which allows local users with superuser privileges to obtain user passwords via a brute force attack.

  • CVE-2025-41437 · Medium · Jun 9, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.

  • CVE-2020-10148 · KEV · Dec 29, 2020
    risk 0.20 · cvss - · epss 0.92

    The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds…

  • CVE-2021-35247 · KEV · Jan 7, 2022
    risk 0.12 · cvss - · epss 0.03

    Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream effect has been detected as the LDAP servers…

  • CVE-2022-38108 · Oct 20, 2022
    risk 0.10 · cvss - · epss 0.70

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2015-5371 · Jul 6, 2015
    risk 0.10 · cvss - · epss 0.93

    The AuthenticationFilter class in SolarWinds Storage Manager allows remote attackers to upload and execute arbitrary scripts via unspecified vectors.

  • CVE-2009-4006 · Nov 20, 2009
    risk 0.10 · cvss - · epss 0.83

    Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string.

  • CVE-2004-2111 · Dec 31, 2004
    risk 0.10 · cvss - · epss 0.87

    Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.

  • CVE-2004-0330 · Nov 23, 2004
    risk 0.10 · cvss - · epss 0.85

    Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command.

  • CVE-2015-2284 · Mar 24, 2015
    risk 0.09 · cvss - · epss 0.74

    userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before 6.6.5 HotFix1 allows remote attackers to gain privileges and execute arbitrary code via unspecified vectors, related to client session handling.

  • CVE-2021-35215 · Sep 1, 2021
    risk 0.07 · cvss - · epss 0.69

    Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.

  • CVE-2020-27871 · Feb 10, 2021
    risk 0.07 · cvss - · epss 0.90

    This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw…

  • CVE-2019-12181 · Jun 17, 2019
    risk 0.07 · cvss - · epss 0.66

    A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

  • CVE-2010-2115 · May 28, 2010
    risk 0.07 · cvss - · epss 0.56

    SolarWinds TFTP Server 10.4.0.10 allows remote attackers to cause a denial of service (no new connections) via a crafted read request.

  • CVE-2024-0692 · Mar 1, 2024
    risk 0.06 · cvss - · epss 0.92

    The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.

  • CVE-2021-35250 · Apr 25, 2022
    risk 0.06 · cvss - · epss 0.14

    A researcher reported a Directory Traversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

  • CVE-2021-43319 · Nov 30, 2021
    risk 0.06 · cvss - · epss 0.21

    Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.

  • CVE-2021-35216 · Sep 1, 2021
    risk 0.06 · cvss - · epss 0.81

    Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. An Authenticated Attacker with network access via HTTP can compromise this vulnerability can result in Remote Code Execution.

  • CVE-2023-23836 · Feb 15, 2023
    risk 0.05 · cvss - · epss 0.80

    SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands.

  • CVE-2021-35217 · Sep 8, 2021
    risk 0.05 · cvss - · epss 0.74

    Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted…

  • CVE-2020-27869 · Feb 11, 2021
    risk 0.05 · cvss - · epss 0.05

    This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor 2020 HF1, NPM: 2020.2. Authentication is required to exploit this vulnerability. The specific flaw exists within the WriteToFile method. The…

  • CVE-2019-9017 · May 2, 2019
    risk 0.05 · cvss - · epss 0.21

    DWRCC in SolarWinds DameWare Mini Remote Control 10.0 x64 has a Buffer Overflow associated with the size field for the machine name.

  • CVE-2024-28999 · Jun 4, 2024
    risk 0.04 · cvss - · epss 0.14

    The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.

  • CVE-2022-37024 · Aug 9, 2022
    risk 0.04 · cvss - · epss 0.78

    Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 (125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code…

  • CVE-2021-31474 · May 21, 2021
    risk 0.04 · cvss - · epss 0.94

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library.…

  • CVE-2021-25274 · Feb 3, 2021
    risk 0.04 · cvss - · epss 0.36

    The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process.…

  • CVE-2012-4939 · Oct 31, 2012
    risk 0.04 · cvss - · epss 0.07

    Cross-site scripting (XSS) vulnerability in IPAMSummaryView.aspx in the IPAM web interface before 3.0-HotFix1 in SolarWinds Orion Network Performance Monitor might allow remote attackers to inject arbitrary web script or HTML via the "Search for an IP address" field.

  • CVE-2012-2577 · Aug 12, 2012
    risk 0.04 · cvss - · epss 0.10

    Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) before 10.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName field of an snmpd.conf file.

  • CVE-2011-4800 · Dec 14, 2011
    risk 0.04 · cvss - · epss 0.08

    Directory traversal vulnerability in Serv-U FTP Server before 11.1.0.5 allows remote authenticated users to read and write arbitrary files, and list and create arbitrary directories, via a "..:/" (dot dot colon forward slash) in the (1) list, (2) put, or (3) get commands.

Page 1 of 6