PT-2019-19256 · Solarwinds · Solarwinds Orion Npm

Fabius Watson · Published 2019-02-18 · Updated 2020-12-28 · CVE-2019-8917

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SolarWinds Orion NPM versions prior to 12.4

Description

A remote code execution vulnerability exists in the OrionModuleEngine service, which establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. An attacker can abuse the InvokeActionMethod method to execute commands as the SYSTEM user. There have been reports of real-world incidents in which this issue was exploited, with hackers compromising the network of a strategic IT solutions provider for American government organizations. It is estimated that multiple hacking groups may have exploited this vulnerability, with one group using an exploit similar to a previously known vulnerability to infect SolarWinds Orion installations that were open to the network.

Recommendations

For SolarWinds Orion NPM versions prior to 12.4, update to version 12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the OrionModuleEngine service to minimize the risk of exploitation. Avoid using the InvokeActionMethod method in the affected service until the issue is resolved.

Related identifiers

CVE-2019-8917

Affected products

Solarwinds Orion Npm