Cyber Posture

CVE-2024-52606

Severity: Low
Published: 11 February 2025
Modified: 25 February 2025
KEV Added:
Patch:
CVSS Score: 3.5 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0037 (59.2nd percentile)
Risk Priority: 7 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

SolarWinds Platform is affected by a server-side request forgery vulnerability. Proper input sanitation was not applied, allowing for the possibility of a malicious web request.

Security Summary

CVE-2024-52606 is a server-side request forgery (SSRF) vulnerability in the SolarWinds Platform, stemming from inadequate input sanitization that enables malicious web requests. Mapped to CWE-918, it carries a CVSS v3.1 base score of 3.5 (AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating low severity with adjacent network access required, low attack complexity, and low privileges needed.

Exploitation requires an authenticated user with low privileges on an adjacent network, who can then craft requests to forge server-side interactions. Successful attacks result in low integrity impact, potentially allowing manipulation of internal requests without compromising confidentiality or availability.

SolarWinds addresses the issue in the Platform 2025.1 release, as detailed in the release notes. Additional mitigation guidance and details are provided in the vendor's security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-52606. Practitioners should update to the patched version promptly.
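The summary above attributes the flaw to missing input sanitization before the server acts on a web request. As an added example, not SolarWinds' code and not derived from the advisory, the block below shows the layered check that CWE-918 mitigation usually takes: reject any scheme other than http/https, reject embedded credentials, require the host to be on an explicit allowlist (so raw IP literals never pass), and then confirm that every address the host resolves to is public. The allowlisted host names, the addresses, and the offline `fake_resolver` table are all constructed for the demonstration.

```python
"""Illustrative SSRF guard for a server-side fetch feature (CWE-918).

Added example; not SolarWinds code. Host names, addresses and the fake
resolver are constructed so the block runs offline.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only hosts this feature may ever fetch from.
ALLOWED_HOSTS = {"updates.example.com", "feeds.example.net"}


def resolve_all(host: str) -> List[str]:
    """Real resolver: every A/AAAA address for the name (raises OSError on failure)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """True only for routable addresses; loopback, RFC 1918, link-local
    (including the 169.254.169.254 metadata range), multicast, reserved and
    unspecified addresses are all rejected."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str,
                          resolver: Callable[[str], List[str]] = resolve_all) -> Tuple[bool, str]:
    """Return (allowed, reason). Every layer must pass before a fetch is issued."""
    try:
        parsed = urlparse(url.strip())
    except ValueError as exc:  # e.g. malformed IPv6 bracket syntax
        return False, f"unparseable url: {exc}"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # already lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in url"
    # Layer 1: exact host allowlist. IP literals never match, so they stop here.
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # Layer 2: every resolved address must be public. This catches an allowlisted
    # name that has been pointed at loopback or internal address space.
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "name resolved to no addresses"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def fake_resolver(host: str) -> List[str]:
    """Constructed DNS table standing in for resolve_all() in tests."""
    table = {
        "updates.example.com": ["1.2.3.4"],    # constructed public address
        "feeds.example.net": ["127.0.0.1"],    # allowlisted name pointed at loopback
    }
    if host in table:
        return table[host]
    raise OSError(f"cannot resolve {host}")


if __name__ == "__main__":
    for candidate in [
        "https://updates.example.com/feed.xml",   # passes all layers
        "https://feeds.example.net/feed.xml",     # allowlisted, but resolves to loopback
        "http://127.0.0.1:8080/",                 # IP literal, not on allowlist
        "http://[::1]/",                          # IPv6 loopback literal
        "ftp://updates.example.com/",             # scheme not allowed
        "https://unknown.example.org/",           # host not on allowlist
    ]:
        print(f"{candidate:45} -> {validate_outbound_url(candidate, fake_resolver)}")
```

The resolved-address check is only as good as the moment it runs: if the fetch that follows resolves the name again, a DNS answer that changes between the check and the connection (DNS rebinding) slips past it. In a real deployment the HTTP client should connect to the address that was validated, or the same check should be applied to every hop of a redirect chain, since redirects are the other common way a validated URL ends up pointing at an internal service.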

Details

CWE(s): CWE-918

Affected Products

Vendor: solarwinds
Product: solarwinds platform
Versions: ≤ 2025.1

References