SolarWinds Serv-U RCE 0-Day Vulnerability (CVE-2021-35211)

Microsoft recently informed SolarWinds about a Remote Memory Escape vulnerability that can result in Remote Code Execution in the SolarWinds Serv-U Managed File Transfer Server and Serv-U Secured FTP products. Microsoft provided SolarWinds with a Proof of Concept for the vulnerability and reported that a “single threat actor” is known to be exploiting the vulnerability “in the wild.” This RCE exploit affects all versions of Serv-U, prior to version 15.2.3 HF2. SolarWinds released a hotfix Friday, July 9, 2021, and SolarWinds recommends all customers using Serv-U install this fix immediately for the protection of your environment.

Note: Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP are thought to be affected by this vulnerability. Other SolarWinds products, including N-Able (formerly SolarWinds MSP), are not known to be affected by this vulnerability.

Affected Software / System

This advisory specifically applies to the following SolarWinds products:

• Serv-U 15.2.3 HF1 and all prior Serv-U versions

CVE (if applicable)

• CVE-2021-35211

Type

Exploit Status: 

CVE-2021-35211 is now being exploited in the wild

Vulnerability Summary

Microsoft recently informed SolarWinds about a Remote Memory Escape vulnerability that can result in Remote Code Execution in the SolarWinds Serv-U Managed File Transfer Server and Serv-U Secured FTP products. Microsoft provided SolarWinds with a Proof of Concept for the vulnerability and reported that a “single threat actor” is known to be exploiting the vulnerability “in the wild.” This RCE exploit affects all versions of Serv-U, prior to version 15.2.3 HF2. SolarWinds released a hotfix Friday, July 9, 2021, and SolarWinds recommends all customers using Serv-U install this fix immediately for the protection of your environment.

Note: Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP are thought to be affected by this vulnerability. Other SolarWinds products, including N-Able (formerly SolarWinds MSP), are not known to be affected by this vulnerability.

Impact

Remote Code Execution: Exploitation of CVE-2021-35211 could provide threat actors with remote access (if they have already compromised valid user credentials) to vulnerable, web-exposed systems or can be used to escalate privileges and to facilitate lateral movement post-exploitation.

According to SolarWinds, “a threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system.”

Ingalls recommends the following actions:

Serv-U version 15.2.3 hotfix (HF) 2 has been released. We recommend you install these updates immediately.