CVE-2020-15543
📋 TL;DR
CVE-2020-15543 is a path validation vulnerability in SolarWinds Serv-U FTP server that allows attackers to bypass security controls and potentially execute arbitrary code or access restricted files. This affects all SolarWinds Serv-U FTP server installations before version 15.2.1. The vulnerability is particularly dangerous because it can be exploited without authentication.
💻 Affected Systems
- SolarWinds Serv-U FTP Server
📦 What is this software?
Serv-U FTP Server by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Unauthorized file access, directory traversal, and potential privilege escalation leading to data exfiltration.
If Mitigated
Limited impact with proper network segmentation, but still potential for unauthorized file access.
🎯 Exploit Status
Exploitation is straightforward and has been observed in the wild. Attackers can craft malicious path arguments to bypass security checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.2.1 and later
Vendor Advisory: https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-2-1_release_notes.htm
Restart Required: Yes
Instructions:
1. Download SolarWinds Serv-U version 15.2.1 or later from the SolarWinds customer portal.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the Serv-U service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict FTP server access to trusted IP addresses only using firewall rules.
# Windows: netsh advfirewall firewall add rule name="Restrict FTP" dir=in action=allow protocol=TCP localport=21 remoteip=192.168.1.0/24
# Linux: iptables -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 -j ACCEPT && iptables -A INPUT -p tcp --dport 21 -j DROP
Disable Anonymous Access
Require authentication for all FTP connections to reduce attack surface.
# In Serv-U Admin Console: Domains > [Domain] > Settings > Security > Uncheck 'Allow Anonymous'
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the FTP server from critical systems
- Deploy a web application firewall (WAF) or intrusion prevention system (IPS) with rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check the Serv-U version in the admin console or via the command line: Serv-U-Tray.exe --version
Check Version:
Serv-U-Tray.exe --version
Verify Fix Applied:
Verify version is 15.2.1 or higher and test path validation with controlled test cases.
📡 Detection & Monitoring
Log Indicators:
- Unusual path patterns in FTP logs
- Multiple failed authentication attempts followed by successful unusual file access
- Access to directories outside normal user scope
Network Indicators:
- FTP connections with malformed path arguments
- Unusual file transfer patterns
- Connections from unexpected IP addresses
SIEM Query:
source="ftp_logs" AND (path="../" OR path="..\\" OR path="%2e%2e%2f")
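The SIEM query above matches three literal spellings of a traversal sequence. The following added example (not vendor code and not part of the original advisory) normalizes each FTP command argument first, so that mixed separators and repeated percent-encoding are caught while filenames that merely contain two dots are not flagged. The log line layout and the sample lines are assumptions constructed for illustration; adapt the regular expression to the actual Serv-U log format.

```python
import re
from urllib.parse import unquote

# FTP commands that carry a path argument (RFC 959 / RFC 3659).
PATH_CMDS = {"CWD", "RETR", "STOR", "APPE", "DELE", "MKD", "RMD",
             "LIST", "NLST", "SIZE", "MDTM", "RNFR", "RNTO"}
# Assumed line layout (constructed): "<timestamp> <client_ip> <COMMAND> <argument>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]{3,4})\s+(.*)$")

def normalize(arg, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding), unify separators."""
    for _ in range(max_rounds):
        decoded = unquote(arg)
        if decoded == arg:
            break
        arg = decoded
    return arg.replace("\\", "/")

def has_traversal(arg):
    """True if any path segment equals '..' after normalization."""
    return ".." in normalize(arg).split("/")

def scan(lines):
    """Return (line_no, client_ip, command, raw_argument) for flagged lines."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, ip, cmd, arg = m.groups()
        if cmd.upper() in PATH_CMDS and has_traversal(arg):
            hits.append((no, ip, cmd.upper(), arg))
    return hits

# Constructed sample lines, not taken from a real Serv-U log.
SAMPLE = [
    "2020-07-01T10:00:01Z 192.0.2.10 CWD /pub/reports",
    "2020-07-01T10:00:02Z 192.0.2.10 RETR /pub/reports/q2..final.pdf",
    "2020-07-01T10:00:05Z 198.51.100.7 CWD ../../outside",
    "2020-07-01T10:00:06Z 198.51.100.7 RETR ..\\..\\outside.txt",
    "2020-07-01T10:00:07Z 198.51.100.7 LIST %2e%2e%2fconfig",
    "2020-07-01T10:00:08Z 198.51.100.7 SIZE %252e%252e/archive",
    "2020-07-01T10:00:09Z 198.51.100.7 NOOP ../ignored",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```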