What is the CVSS score of CVE-2020-10148?

CVE-2020-10148 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 94.3%.

Is CVE-2020-10148 being actively exploited?

Yes, CVE-2020-10148 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2020-10148?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

CVE-2020-10148

CRITICAL

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

2020-12-29 cret@cert.org

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 11:19 vuln.today

Added to CISA KEV

Oct 24, 2025 - 14:36 cisa

CISA KEV

CVE Published

Dec 29, 2020 - 22:15 nvd

CRITICAL 9.8

DescriptionNVD

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

AnalysisAI

SolarWinds Orion API contains an authentication bypass that allows unauthenticated remote attackers to execute API commands, related to the massive SUNBURST supply chain attack discovered in December 2020.

Technical ContextAI

The CWE-288 authentication bypass allows attackers to invoke privileged Orion API commands without credentials. This vulnerability was part of the broader SUNBURST campaign where SolarWinds build systems were compromised to distribute backdoored Orion updates to 18,000+ organizations.

Affected ProductsAI

SolarWinds Orion Platform 2019.4 HF 5 SolarWinds Orion Platform 2020.2 with no hotfix SolarWinds Orion Platform 2020.2 HF 1

RemediationAI

Update SolarWinds Orion to patched versions. Assume compromise if running affected versions during the SUNBURST campaign window (March-December 2020). Conduct thorough incident response including credential rotation and Active Directory review.

CVE-2020-10148 vulnerability details – vuln.today

Back

CVE-2020-10148

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code