dabdine (6)

This vulnerability was reported on 12/24, and was discovered after an investigation led to the identification of a web shell on an affected victim, claim sources. The “malware” was named SUPERNOVA, and to install it, the actor used a 0day vulnerability on the SolarWinds API. More details are available at the SolarWinds website (or really, all over the internet): https://www.solarwinds.com/securityadvisory

As of writing, the CVE details are still reserved. CVSS v3.1 calculations vary between 9.5-10 (depending on how far into the environmental characteristics you dive, but most sites peg it at 9.8).

This gist on GitHub seems to demonstrate exploitability of the issue by dumping a password database using auth bypass + arbitrary file read:
https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965