In 2022, researchers uncovered a serious vulnerability in the SolarWinds Platform, tracked as CVE-2022-36960. This issue revolves around improper input validation that allows attackers with valid web console access to escalate their privileges. In this post, we'll walk you through what happened, how an attacker could exploit this flaw, and what you can do to stay safe. Everything is explained in plain English with easy-to-understand code snippets and direct reference links.

What is SolarWinds?

SolarWinds is a widely used IT management platform. Organizations around the world use it to monitor networks, servers, and applications. Because of its access to critical infrastructure data, any security hole in SolarWinds products can have far-reaching consequences.

Access Required: Valid user access to the SolarWinds Web Console

According to the SolarWinds advisory, this vulnerability lets adversaries with legitimate (but low-privilege) accounts escalate their privileges, possibly gaining admin-level control.

> “A vulnerability has been discovered in SolarWinds Platform whereby a user with access to the Web Console could potentially escalate their privileges by exploiting improper input validation mechanisms.”
— SolarWinds Security Advisory

How Does This Vulnerability Work?

Improper input validation happens when a system doesn’t properly check data sent from users. In the case of CVE-2022-36960, certain user-supplied parameters in the SolarWinds Web Console were not being filtered or sanitized correctly. An attacker could manipulate these parameters to perform actions as a more privileged user.

1. The attacker logs in with valid user credentials (obtained, for example, through phishing or a weak local account).
2. The attacker navigates to a vulnerable function (e.g., updating a profile or performing a web-based action like configuring alerts).
3. By supplying special data in a request, such as extra parameters or crafted JSON, they can bypass restrictions and trigger the application to run privileged actions.

Sample Exploit Request (Pseudocode)

Here is a conceptual example using a curl command that illustrates how a POST request could be abused (the hostname, endpoint and JSON fields are illustrative, and this is for educational purposes):

```bash
curl -k -X POST \
  -H "Content-Type: application/json" \
  -H "Cookie: .AspNetAuth=VALIDSESSIONCOOKIE" \
  -d '{
        "userId": 12345,
        "role": "Admin",
        "action": "updateUserRole"
      }' \
  https://solarwinds.example.com/api/user/manage
# In the JSON body above, "role": "Admin" is the value the attacker injects;
# a comment cannot sit inside the quoted JSON, or it would be sent as part of the body.
```

In this example, the server never verifies that the currently logged-in user is NOT permitted to update their own role to 'Admin'. Because the role is taken from the request body rather than from server-side state, the missing check lets the request escalate privileges.
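To make the failing check concrete, the following is an added example (not SolarWinds code) of a role-update handler written two ways. The vulnerable version trusts the "userId" and "role" fields from the request body, which is the pattern the post describes; the hardened version decides authorization from the server-side session only, allowlists the role value, rejects unexpected fields, and writes an audit record a defender can alert on. The Session class, the user table and the role names are hypothetical.

```python
"""
Added example, not SolarWinds code: a role-update handler in a vulnerable and a
hardened form. Session, the user table, ALLOWED_ROLES and the audit log format
are all hypothetical constructions for illustration.
"""
from dataclasses import dataclass

# Hypothetical allowlist of roles the application knows about.
ALLOWED_ROLES = {"ReadOnly", "User", "Admin"}


@dataclass
class Session:
    """Identity and privilege as stored server-side; never taken from the client."""
    user_id: int
    role: str


class PermissionDenied(Exception):
    pass


class ValidationError(Exception):
    pass


def fresh_users():
    """Constructed user table: 1 is an administrator, 12345 an ordinary user."""
    return {
        1: {"name": "admin", "role": "Admin"},
        12345: {"name": "alice", "role": "User"},
    }


def update_role_vulnerable(users, session, body):
    """Vulnerable: target id and new role come straight from the request body,
    so any authenticated user can set any role on any account, including their own."""
    target = int(body["userId"])
    users[target]["role"] = body["role"]
    return users[target]["role"]


def update_role_hardened(users, session, body, audit_log):
    """Hardened: authorization comes from server-side state and every
    client-supplied field is validated before it is used."""
    # 1. Authorize from the session, not from anything in the request body.
    if session.role != "Admin":
        audit_log.append(
            f"DENIED role change attempt by user {session.user_id} (role={session.role})"
        )
        raise PermissionDenied("only administrators may change roles")
    # 2. Reject unexpected fields instead of silently ignoring them.
    extra = set(body) - {"userId", "role", "action"}
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    # 3. Type-check the target id and require that it names an existing user.
    target = body.get("userId")
    if type(target) is not int or target not in users:
        raise ValidationError("userId must be an existing user id")
    # 4. Allowlist the role value rather than accepting arbitrary strings.
    new_role = body.get("role")
    if new_role not in ALLOWED_ROLES:
        raise ValidationError("role not permitted")
    users[target]["role"] = new_role
    audit_log.append(f"role change: admin {session.user_id} set user {target} to {new_role}")
    return users[target]["role"]


def demo():
    """Runs the same request against both handlers and reports the outcomes."""
    body = {"userId": 12345, "role": "Admin", "action": "updateUserRole"}
    alice = Session(user_id=12345, role="User")   # low-privilege caller
    admin = Session(user_id=1, role="Admin")      # legitimate administrator
    out = {}

    out["vulnerable_self_escalation"] = update_role_vulnerable(fresh_users(), alice, body)

    users, log = fresh_users(), []
    try:
        update_role_hardened(users, alice, body, log)
        out["hardened_self_escalation"] = "allowed"
    except PermissionDenied:
        out["hardened_self_escalation"] = "denied"
    out["alice_role_after"] = users[12345]["role"]
    out["audit"] = log

    out["admin_change"] = update_role_hardened(fresh_users(), admin, body, [])

    try:
        update_role_hardened(fresh_users(), admin, dict(body, role="SuperRoot"), [])
        out["bad_role"] = "allowed"
    except ValidationError:
        out["bad_role"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that nothing the client sends decides who may perform the action: the session determines the caller's privilege, the body only names the target and the desired value, and both of those are validated against what the server already knows. The DENIED audit line is the signal a SOC would key an alert on, since a low-privilege account attempting to change roles is unusual regardless of whether the attempt succeeds.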

References

- SolarWinds Official Security Advisory for CVE-2022-36960
- NIST National Vulnerability Database: CVE-2022-36960
- Mitre CVE Record

Protection & Mitigation

SolarWinds has released patches. If your organization is running a vulnerable version, update immediately as outlined in their advisory.

General Prevention Tips

- Restrict web console access to trusted users/IP ranges.

Key Takeaways

- CVE-2022-36960 lets bad actors escalate from user to admin by exploiting input validation failures in the SolarWinds Platform.
- Only authenticated users can exploit this, but it’s a serious risk if your web console is exposed to the internet or used by many staff.

Stay safe, and always validate input—don’t trust any user data, even from your own team!

If you have more questions about this issue or want to share your experience, leave a comment below. For the latest updates, keep an eye on the SolarWinds security page.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 08/03/2023 21:15:00 UTC