Local Privilege Escalation Vulnerability in SolarWinds Patch Manager
CVE-2021-27240

7.8HIGH

Key Information:

Vendor: Solarwinds
Status: Patch Manager
Vendor: CVE Published:; 29 March 2021

Summary

The identified vulnerability exists in SolarWinds Patch Manager 2020.2.1, allowing local attackers to escalate privileges by exploiting a flaw in the DataGridService WCF service. The vulnerability arises from insufficient validation of user-supplied data, which can lead to deserialization of untrusted data. An attacker who has already executed low-privileged code on the target system could use this weakness to gain Administrator-level privileges and execute arbitrary code.

Affected Version(s)

Patch Manager 2020.2.1

References

https://www.zerodayinitiative.com/advisories/ZDI-21-207/

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 29, 2021
Vulnerability Reserved
Feb 16, 2021

Credit

Harrison Neal