PT-2020-13833 · Solarwinds · Solarwinds Orion

Chudypb +1 · Published 2020-06-24 · Updated 2023-09-21

CVE-2020-14005

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Solarwinds Orion versions 2019.4.1 through 2019.4 with Web Console WPM and Orion Platform HF4 or NPM HF2

Description

The issue allows remote attackers to execute arbitrary code via a defined event. This can be achieved through command injection, specifically via the ExecuteExternalProgram or ExecuteVBScript commands.

Recommendations

For Solarwinds Orion versions 2019.4.1 through 2019.4 with Web Console WPM and Orion Platform HF4 or NPM HF2, consider disabling the ExecuteExternalProgram and ExecuteVBScript commands as a temporary workaround until a patch is available. Restrict access to defined events to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2020-14005
ZDI-21-063
ZDI-21-065

Affected Products

Solarwinds Orion