SolarWinds

All CVEs

266 total · sorted by risk
  • CVE-2010-2310 · Jun 16, 2010
    risk 0.04 · cvss · epss 0.11

    SolarWinds TFTP Server 10.4.0.13 allows remote attackers to cause a denial of service (crash) via a long write request.

  • CVE-2009-3115 · Sep 9, 2009
    risk 0.04 · cvss · epss 0.11

    SolarWinds TFTP Server 9.2.0.111 and earlier allows remote attackers to cause a denial of service (service stop) via a crafted Option Acknowledgement (OACK) request. NOTE: some of these details are obtained from third party information.

  • CVE-2009-1031 · Mar 20, 2009
    risk 0.04 · cvss · epss 0.11

    Directory traversal vulnerability in the FTP server in Rhino Software Serv-U File Server 7.0.0.1 through 7.4.0.1 allows remote attackers to create arbitrary directories via a \.. (backslash dot dot) in an MKD request.

  • CVE-2009-0967 · Mar 19, 2009
    risk 0.04 · cvss · epss 0.07

    The FTP server in Serv-U 7.0.0.1 through 7.4.0.1 allows remote authenticated users to cause a denial of service (service hang) via a large number of SMNT commands without an argument.

  • CVE-2008-4501 · Oct 9, 2008
    risk 0.04 · cvss · epss 0.11

    Directory traversal vulnerability in the FTP server in Serv-U 7.0.0.1 through 7.3, including 7.2.0.1, allows remote authenticated users to overwrite or create arbitrary files via a ..\ (dot dot backslash) in the RNTO command.

  • CVE-2008-4500 · Oct 9, 2008
    risk 0.04 · cvss · epss 0.10

    Serv-U 7.0.0.1 through 7.3, including 7.2.0.1, allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted stou command, probably related to MS-DOS device names, as demonstrated using "con:1".

  • CVE-2004-2532 · Dec 31, 2004
    risk 0.04 · cvss · epss 0.16

    Serv-U FTP server before 5.1.0.0 has a default account and password for local administration, which allows local users to execute arbitrary commands by connecting to the server using the default administrator account, creating a new user, logging in as that new user, and then…

  • CVE-2004-1675 · Sep 11, 2004
    risk 0.04 · cvss · epss 0.12

    Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX.

  • CVE-2004-1992 · Apr 20, 2004
    risk 0.04 · cvss · epss 0.11

    Buffer overflow in Serv-U FTP server before 5.0.0.6 allows remote attackers to cause a denial of service (crash) via a long -l parameter, which triggers an out-of-bounds read.

  • CVE-2002-1542 · Mar 31, 2003
    risk 0.04 · cvss · epss 0.13

    SolarWinds TFTP server 5.0.55 and earlier allows remote attackers to cause a denial of service (crash) via a large UDP datagram, possibly triggering a buffer overflow.

  • CVE-2002-1209 · Nov 4, 2002
    risk 0.04 · cvss · epss 0.13

    Directory traversal vulnerability in SolarWinds TFTP Server 5.0.55, and possibly earlier, allows remote attackers to read arbitrary files via "..\" (dot-dot backslash) sequences in a GET request.

  • CVE-2001-0054 · Feb 16, 2001
    risk 0.04 · cvss · epss 0.12

    Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack.

  • CVE-2021-35244 · Dec 20, 2021
    risk 0.03 · cvss · epss 0.06

    The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote…

  • CVE-2020-12608 · May 7, 2020
    risk 0.03 · cvss · epss 0.22

    An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can lead to code execution by…

  • CVE-2019-3980 · Oct 8, 2019
    risk 0.03 · cvss · epss 0.05

    The SolarWinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an…

  • CVE-2019-8917 · Feb 18, 2019
    risk 0.03 · cvss · epss 0.36

    SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The…

  • CVE-2012-2602 · Aug 12, 2012
    risk 0.03 · cvss · epss 0.06

    Multiple cross-site request forgery (CSRF) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) before 10.3.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create user accounts via CreateUserStepContainer actions to…

  • CVE-2022-36923 · Aug 10, 2022
    risk 0.02 · cvss · epss 0.08

    Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and…

  • CVE-2021-41081 · Nov 11, 2021
    risk 0.02 · cvss · epss 0.69

    Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search.

  • CVE-2020-15541 · Jul 5, 2020
    risk 0.02 · cvss · epss 0.07

    SolarWinds Serv-U FTP server before 15.2.1 allows remote command execution.

  • CVE-2018-18980 · Nov 6, 2018
    risk 0.02 · cvss · epss 0.25

    An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local…

  • CVE-2024-45711 · Oct 16, 2024
    risk 0.01 · cvss · epss 0.06

    SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are…

  • CVE-2022-47507 · Feb 15, 2023
    risk 0.01 · cvss · epss 0.07

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2022-38111 · Feb 15, 2023
    risk 0.01 · cvss · epss 0.85

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2022-47503 · Feb 15, 2023
    risk 0.01 · cvss · epss 0.24

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2022-47504 · Feb 15, 2023
    risk 0.01 · cvss · epss 0.25

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2022-36958 · Oct 20, 2022
    risk 0.01 · cvss · epss 0.83

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2022-36961 · Sep 30, 2022
    risk 0.01 · cvss · epss 0.75

    A vulnerable component of Orion Platform was vulnerable to SQL Injection; an authenticated attacker could leverage this for privilege escalation or remote code execution.

  • CVE-2021-41080 · Nov 11, 2021
    risk 0.01 · cvss · epss 0.04

    Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search.

  • CVE-2021-35218 · Sep 1, 2021
    risk 0.01 · cvss · epss 0.76

    Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server.

  • CVE-2021-35223 · Aug 31, 2021
    risk 0.01 · cvss · epss 0.03

    The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution.

  • CVE-2021-31475 · May 21, 2021
    risk 0.01 · cvss · epss 0.06

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw exists within the JobRouterService WCF service. The issue…

  • CVE-2021-27258 · Apr 14, 2021
    risk 0.01 · cvss · epss 0.04

    This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SaveUserSetting endpoint. The issue results…

  • CVE-2020-27870 · Feb 10, 2021
    risk 0.01 · cvss · epss 0.04

    This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the…

  • CVE-2020-25617 · Dec 16, 2020
    risk 0.01 · cvss · epss 0.03

    An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows Relative Path Traversal by an authenticated user of the N-Central Administration Console (NAC), leading to execution of OS commands as root.

  • CVE-2020-14005 · Jun 24, 2020
    risk 0.01 · cvss · epss 0.14

    SolarWinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event.

  • CVE-2020-5734 · Apr 7, 2020
    risk 0.01 · cvss · epss 0.25

    Classic buffer overflow in SolarWinds Dameware allows a remote, unauthenticated attacker to cause a denial of service by sending a large 'SigPubkeyLen' during ECDH key exchange.

  • CVE-2018-19386 · Aug 14, 2019
    risk 0.01 · cvss · epss 0.09

    SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI.

  • CVE-2015-7839 · Oct 15, 2015
    risk 0.01 · cvss · epss 0.07

    SolarWinds Log and Event Manager (LEM) allows remote attackers to execute arbitrary commands on managed computers via a request to services/messagebroker/nonsecurestreamingamf involving the traceroute functionality.

  • CVE-2015-1501 · Feb 16, 2015
    risk 0.01 · cvss · epss 0.07

    The factory.loadExtensionFactory function in TSUnicodeGraphEditorControl in SolarWinds Server and Application Monitor (SAM) allows remote attackers to execute arbitrary code via a UNC path to a crafted binary.

  • CVE-2015-1500 · Feb 16, 2015
    risk 0.01 · cvss · epss 0.08

    Multiple stack-based buffer overflows in the TSUnicodeGraphEditorControl in SolarWinds Server and Application Monitor (SAM) allow remote attackers to execute arbitrary code via unspecified vectors to (1) graphManager.load or (2) factory.load.

  • CVE-2014-3459 · Aug 7, 2014
    risk 0.01 · cvss · epss 0.12

    Heap-based buffer overflow in SolarWinds Network Configuration Manager (NCM) before 7.3 allows remote attackers to execute arbitrary code via the PEstrarg1 property.

  • CVE-2026-28298 · Mar 26, 2026
    risk 0.00 · cvss · epss 0.00

    SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

  • CVE-2026-28297 · Mar 26, 2026
    risk 0.00 · cvss · epss 0.00

    SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

  • CVE-2025-40541 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.01

    An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is…

  • CVE-2025-40540 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.00

    A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium…

  • CVE-2025-40539 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.00

    A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium…

  • CVE-2025-40538 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.01

    A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative…

  • CVE-2025-40545 · Nov 18, 2025
    risk 0.00 · cvss · epss 0.00

    SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required.

  • CVE-2025-26391 · Nov 18, 2025
    risk 0.00 · cvss · epss 0.00

    SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to an XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account.

Page 2 of 6