CVE-2021-25274

Name: CVE-2021-25274
Creator: NVD / NIST
Published: 2021-02-03T17:15:16.467+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 36.43%

Last modified Jun 17, 2026

CVE-2021-25274 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. EPSS estimates a 36.43% chance of exploitation in the next 30 days.

Description

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

36.43%

98.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-502

Affected Software

Vendor	Product	Versions
Solarwinds	Orion Platform	< 2020.2.4

References

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/Exploit, Patch, Third Party Advisory
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/Exploit, Patch, Third Party Advisory

Timeline

Published: Feb 3, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-25274?

How severe is CVE-2021-25274?

CVE-2021-25274 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 36.43% probability of exploitation in the next 30 days.

How do I fix CVE-2021-25274?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-25274?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST