{
	"id": "afd5ca21-7df2-43ca-89d8-256665f4bdd5",
	"created_at": "2026-04-06T00:18:16.152727Z",
	"updated_at": "2026-04-10T13:12:20.832862Z",
	"deleted_at": null,
	"sha1_hash": "ce012cc947bba573029c980394f40607a09af007",
	"title": "Qualys Security Advisory: SolarWinds / FireEye",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 595245,
	"plain_text": "Qualys Security Advisory: SolarWinds / FireEye\r\nBy Mehul Revankar\r\nPublished: 2020-12-22 · Archived: 2026-04-05 22:06:02 UTC\r\n\r\nQualys researchers found millions of devices exposed to vulnerabilities used in the stolen FireEye Red Team tools and SolarWinds Orion by analyzing the anonymized set of vulnerabilities across Qualys’ worldwide customer base.\r\n\r\nQualys to offer a free 60-day integrated Vulnerability Management, Detection and Response service to help organizations quickly assess the devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools, and to remediate them and track their remediation via dynamic dashboards. Register at https://www.qualys.com/solarhack/\r\n\r\nOn Dec 8, FireEye disclosed the theft of its Red Team assessment tools, which leverage over 16 known CVEs to exploit client environments in order to test and validate their security posture. FireEye also confirmed that a trojanized version of the SolarWinds Orion software was used to facilitate this theft.\r\n\r\nAccess to these sophisticated FireEye Red Team tools stolen by the attackers increases the risk of an attack on an organization’s critical infrastructure. Red teams often use a known set of vulnerabilities to exploit and quickly compromise systems to simulate what a real attacker can do in the network. If these tools fall into the wrong hands, it will increase the chances of successfully exploiting the vulnerabilities.\r\n\r\nWhy is this security incident so important?\r\n\r\nTo underscore the seriousness of this breach, the Department of Homeland Security has issued an emergency directive ordering all federal agencies to take immediate steps to mitigate the risk of SolarWinds Orion applications and other security vulnerabilities related to the stolen FireEye Red Team tools. They have also strongly recommended that commercial organizations adhere to the same guidance.\r\n\r\n7+ million vulnerable instances open to potential attack across networks of global organizations analyzed by Qualys researchers\r\n\r\nThe Qualys Cloud Platform is the most widely used platform for Vulnerability Management by global organizations. Qualys Vulnerability Research Teams continuously investigate vulnerabilities being exploited by attackers. Since the public release of this information by FireEye and SolarWinds, our researchers have analyzed the state of these anonymized vulnerabilities across the networks of organizations using the Qualys Cloud Platform. While the number of vulnerable instances of SolarWinds Orion is in the hundreds, our analysis has identified over 7.54 million vulnerable instances related to FireEye Red Team tools across 5.29 million unique assets, highlighting the scope of the potential attack surface if these tools are misused. Organizations need to move quickly to protect themselves from being exploited through these vulnerabilities.\r\n\r\nThe good news is that patches have been available for these vulnerabilities for some time. Interestingly, further analysis of those 7.54 million vulnerable instances indicated that about 7.53 million, or roughly 99.84%, come from only eight vulnerabilities in Microsoft’s software, as listed below. Microsoft patches for all of them have been available for a while.\r\n\r\nhttps://blog.qualys.com/qualys-insights/2020/12/22/qualys-security-advisory-solarwinds-fireeye\r\nPage 1 of 5\r\n\r\nList of 8 patchable security vulnerabilities to significantly reduce attack surface\r\n\r\nCVE ID | Release Date | Name | CVSS | Qualys QID(s)\r\nCVE-2020-1472 | 08/11/2020 | Microsoft Windows Netlogon Elevation of Privilege Vulnerability | 10 | 91668\r\nCVE-2019-0604 | 02/12/2019 | Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2019 Microsoft SharePoint | 9.8 | 110330\r\nCVE-2019-0708 | 05/14/2019 | Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep) | 9.8 | 91541, 91534\r\nCVE-2014-1812 | 05/13/2014 | Microsoft Windows Group Policy Preferences Password Elevation of Privilege Vulnerability (KB2962486) | 9 | 91148, 90951\r\nCVE-2020-0688 | 02/11/2020 | Microsoft Exchange Server Security Update for February 2020 | 8.8 | 50098\r\nCVE-2016-0167 | 04/12/2016 | Microsoft Windows Graphics Component Security Update (MS16-039) | 7.8 | 91204\r\nCVE-2017-11774 | 10/10/2017 | Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2017 | 7.8 | 110306\r\nCVE-2018-8581 | 11/13/2018 | Microsoft Exchange Server Elevation of Privilege Vulnerability | 7.4 | 53018\r\n\r\n* See the full list of 16 exploitable vulnerabilities and their patch links.\r\n\r\nRecommended action to mitigate the risk immediately\r\n\r\nBased on the sheer risk and scale of these vulnerabilities, it is imperative for organizations to quickly assess the state of these vulnerabilities and missing patches across all their assets impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, or FireEye Red Team tools.\r\n\r\n- Immediately deploy applicable patches for all of the above vulnerabilities across the affected assets.\r\n- Power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, and disconnect them from the network until the patch is applied.\r\n- Apply security hygiene controls for the impacted software and operating system to reduce the impact.\r\n- Search for the existence of the following files and other Indicators of Compromise, and remove them along with killing the parent processes that touched them:\r\n  [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]\r\n  [C:\\WINDOWS\\SysWOW64\\netsetupsvc.dll]\r\n\r\nQualys brings free 60-day integrated Vulnerability Management, Detection and Response service to detect and patch these vulnerabilities\r\n\r\nTo help global organizations, Qualys is offering a free service for 60 days to rapidly address this risk. The service provides customers with:\r\n- Real-time, up-to-date inventory and automated organization of all assets, applications and services running across the hybrid-IT environment\r\n- Continuous view of all critical vulnerabilities and their prioritization based on real-time threat indicators and attack surface\r\n- Automatic correlation of applicable patches for identified vulnerabilities\r\n- Patch deployment via Qualys Cloud Agents with zero impact to VPN bandwidth\r\n- Security configuration hygiene assessment to apply as compensating controls to reduce vulnerability risk\r\n- Unified dashboards that consolidate all insights for management visualization via a single pane of glass\r\n\r\nIn addition to Qualys VMDR and Patch Management, organizations can also leverage additional capabilities like EDR and FIM to detect further indicators of compromise, such as malicious files and hashes, and remove them from their environment.\r\n\r\n[Figure: VMDR prioritization screen with Solorigate SUNBURST RTI selected]\r\n\r\n[Figure: Qualys Unified Dashboard showing FireEye Red Team tools & Solorigate/SUNBURST risk]\r\n\r\nExisting Qualys customers can immediately leverage their accounts to mitigate their exposure through the following recommended actions:\r\n- Inventory the compromised versions of SolarWinds and VMware applications as well as other actively running services and processes.\r\n- Detect all applicable vulnerabilities related to Solorigate/SUNBURST, FireEye tools and VMware applications, along with a prioritized list of appropriate patches to deploy.\r\n- Immediately deploy prioritized patches for the above critical vulnerabilities. In case a patch cannot be applied immediately, the platform leverages compensating controls to reduce the risk impact until patches can be applied.\r\n- Additionally, it can detect evidence of malicious files and IOCs related to SolarWinds applications and FireEye compromised toolsets and remove them.\r\n\r\nAdditional resources\r\n- CISA Emergency Directive 21-01\r\n- SolarWinds Security Advisory\r\n- FireEye Red Team tools countermeasures\r\n- Qualys Research on FireEye Theft\r\n- Qualys Research on SolarWinds\r\n- How to quickly deploy Qualys cloud agents for Inventory, Vulnerability and Patch Management\r\n\r\nSource: https://blog.qualys.com/qualys-insights/2020/12/22/qualys-security-advisory-solarwinds-fireeye",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.qualys.com/qualys-insights/2020/12/22/qualys-security-advisory-solarwinds-fireeye"
	],
	"report_names": [
		"qualys-security-advisory-solarwinds-fireeye"
	],
	"threat_actors": [],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce012cc947bba573029c980394f40607a09af007.pdf",
		"text": "https://archive.orkl.eu/ce012cc947bba573029c980394f40607a09af007.txt",
		"img": "https://archive.orkl.eu/ce012cc947bba573029c980394f40607a09af007.jpg"
	}
}