CVE-2018-19999

7.8 HIGH

📋 TL;DR

This vulnerability allows local users on a Windows system running SolarWinds Serv-U FTP Server to bypass authentication and execute arbitrary code with SYSTEM privileges. Attackers need local access and an active administrator management console session. This affects organizations using vulnerable versions of Serv-U FTP Server.

💻 Affected Systems

Products:
  • SolarWinds Serv-U FTP Server
Versions: 15.1.6.25 and potentially earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the host and an active Serv-U administrator management console session.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, data theft, and lateral movement across the network.

🟠 Likely Case

Privilege escalation from a standard user account to SYSTEM, enabling unauthorized access to sensitive files and system configuration.

🟢 If Mitigated

Limited impact due to restricted local access controls and no active administrator sessions.

🌐 Internet-Facing: LOW - Requires local system access, not remotely exploitable.
🏢 Internal Only: HIGH - Internal attackers with local access can achieve privilege escalation when conditions are met.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and specific conditions, but the vulnerability is well-documented with proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.1.6.26 and later

Vendor Advisory: https://www.solarwinds.com/securityadvisory

Restart Required: Yes

Instructions:

1. Download the latest version from the SolarWinds website.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the Serv-U service.

🔧 Temporary Workarounds

Restrict Local Access (Windows)

Limit local login access to Serv-U hosts to trusted administrators only.

Session Management (Windows)

Ensure administrator management console sessions are closed when not in active use.

🧯 If You Can't Patch

  • Implement strict local access controls and monitor for unauthorized local logins.
  • Use application whitelisting to prevent execution of unauthorized binaries.

🔍 How to Verify

Check if Vulnerable:

Check the Serv-U version in the management console or via the 'Serv-U.exe --version' command.

Check Version:

Serv-U.exe --version

Verify Fix Applied:

Verify that the installed version is 15.1.6.26 or later and test the authentication controls.

📡 Detection & Monitoring

Log Indicators:

  • Unusual local authentication attempts
  • Unexpected process execution with SYSTEM privileges

Network Indicators:

  • Local connections to Serv-U management interface from unauthorized accounts

SIEM Query:

EventID=4688 AND ProcessName='Serv-U.exe' AND IntegrityLevel='System' AND ParentProcess NOT LIKE '%Serv-U%'
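The SIEM query above, evaluated over constructed 4688 records as an added example that is not part of the original page or of any SolarWinds tooling; the key=value record layout, the normalisation of image paths to file names, and the sample events are assumptions:

```python
import re
from typing import Dict, List

# Constructed sample records (not real logs): Windows Security event 4688
# flattened to key=value pairs, field names taken from the SIEM query above.
SAMPLE_EVENTS = [
    # routine service start: Serv-U.exe launched by the Service Control Manager
    "EventID=4688 ProcessName=Serv-U.exe IntegrityLevel=System ParentProcess=services.exe",
    # Serv-U spawning itself (child worker); parent matches '%Serv-U%', excluded
    "EventID=4688 ProcessName=Serv-U.exe IntegrityLevel=System ParentProcess=Serv-U.exe",
    # Serv-U.exe at System integrity with an interactive, unrelated parent
    "EventID=4688 ProcessName=Serv-U.exe IntegrityLevel=System ParentProcess=explorer.exe",
    # same image at Medium integrity: a user's own console session, not matched
    "EventID=4688 ProcessName=Serv-U.exe IntegrityLevel=Medium ParentProcess=explorer.exe",
    # different event id (process termination): ignored
    "EventID=4689 ProcessName=Serv-U.exe IntegrityLevel=System ParentProcess=cmd.exe",
]

# Assumed record shape: space-separated key=value pairs with no spaces in values.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; unparsable text yields {}."""
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    """Reduce a full image path (what 4688 actually records) to its file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def matches_query(event: Dict[str, str]) -> bool:
    """EventID=4688 AND ProcessName='Serv-U.exe' AND IntegrityLevel='System'
    AND ParentProcess NOT LIKE '%Serv-U%', with case-insensitive comparisons."""
    if event.get("EventID") != "4688":
        return False
    if basename(event.get("ProcessName", "")).lower() != "serv-u.exe":
        return False
    if event.get("IntegrityLevel", "").lower() != "system":
        return False
    parent = basename(event.get("ParentProcess", "")).lower()
    return "serv-u" not in parent

def find_matches(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the query to a batch of records and return the matching events."""
    return [ev for ev in map(parse_event, lines) if matches_query(ev)]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {hit['ParentProcess']} -> {hit['ProcessName']} ({hit['IntegrityLevel']})")
```

Note that the routine service start (parent services.exe) satisfies the query exactly as written, so that parent is normally baselined out before the rule is allowed to page anyone.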
