CVE-2021-35211
📋 TL;DR
This is a critical remote code execution vulnerability in SolarWinds Serv-U products that allows attackers to execute arbitrary code with SYSTEM privileges on affected servers. It affects SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows versions before 15.2.3 HF2. The vulnerability was actively exploited as a zero-day before patches were available.
💻 Affected Systems
- SolarWinds Serv-U Managed File Transfer
- SolarWinds Serv-U Secure FTP
📦 What is this software?
Serv-U by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the affected server with SYSTEM privileges, enabling lateral movement, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Full system compromise of the Serv-U server, allowing attackers to steal credentials, access sensitive files, and use the server as a foothold for further network attacks.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though the server would still be compromised.
🎯 Exploit Status
This was exploited as a zero-day by threat actors before patches were available. Microsoft reported active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.2.3 HF2 and later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
Restart Required: Yes
Instructions:
1. Download Serv-U 15.2.3 HF2 or later from the SolarWinds Customer Portal.
2. Stop the Serv-U service.
3. Run the installer.
4. Restart the Serv-U service.
5. Verify the version is 15.2.3 HF2 or newer.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Serv-U servers to trusted IP addresses and required users only.
Use firewall rules to block all inbound traffic except from authorized sources.
Service Account Hardening
Configure Serv-U to run under a non-SYSTEM service account with minimal privileges; the change takes effect on the next service restart.
sc config "Serv-U" obj= "NT AUTHORITY\LocalService" password= ""
🧯 If You Can't Patch
- Immediately isolate affected servers from the internet and restrict internal network access
- Implement strict monitoring and alerting for suspicious activity on Serv-U servers
🔍 How to Verify
Check if Vulnerable:
Check Serv-U version in the application interface or via the Windows Services console. If version is below 15.2.3 HF2, the system is vulnerable.
Check Version:
sc query "Serv-U" | findstr "DISPLAY_NAME"
The command above confirms that the service is installed and shows its display name; it does not print the product version. Read the version from the application interface or from the file properties of the Serv-U.exe binary referenced in the service's path.
Verify Fix Applied:
Verify that the Serv-U version shows 15.2.3 HF2 or later in the application interface or in the Windows Services properties.
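Comparing version strings by hand is error-prone once the "HF" hotfix suffix is involved ("15.2.3 HF1" is vulnerable, "15.2.3 HF2" is not). The following is an added example, not code from SolarWinds or from this advisory: it parses the version strings collected from a fleet and classifies each host against the 15.2.3 HF2 baseline. Hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import NamedTuple

# Baseline taken from the advisory: 15.2.3 HF2 is the first fixed release.
FIXED_VERSION = "15.2.3 HF2"

# Accepts "15.2.3", "15.2.3 HF2", "15.2.3.717 HF1" or "v15.2.5"; a fourth
# (build) component, if present, is ignored for the comparison.
_VERSION_RE = re.compile(
    r"^\s*v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:\.\d+)?"
    r"\s*(?:HF\s*(?P<hf>\d+))?\s*$",
    re.IGNORECASE,
)


class ServUVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int  # 0 when no HF suffix is present


def parse_version(text: str) -> ServUVersion:
    """Parse a Serv-U version string; raises ValueError on unknown formats."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    return ServUVersion(
        int(m["major"]), int(m["minor"]), int(m["patch"]), int(m["hf"] or 0)
    )


def is_vulnerable(version_text: str) -> bool:
    """True when the version sorts below 15.2.3 HF2 (plain tuple order)."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def triage(inventory: dict) -> dict:
    """Map host -> VULNERABLE / FIXED / UNKNOWN (unparseable version string)."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version_text) else "FIXED"
        except ValueError:
            # Never silently treat an unreadable version as patched.
            result[host] = "UNKNOWN"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ftp-01": "15.2.3 HF1",
    "ftp-02": "15.2.3 HF2",
    "ftp-03": "15.2.3",
    "ftp-04": "15.2.5",
    "ftp-05": "15.1.7",
    "ftp-06": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Unparseable strings are reported as UNKNOWN rather than FIXED so that a host with a garbled inventory entry still gets looked at.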
📡 Detection & Monitoring
Log Indicators:
- Unexpected child processes of the Serv-U service (for example cmd.exe or powershell.exe spawned by Serv-U.exe)
- Failed authentication attempts followed by signs of successful exploitation, such as the child processes above
- Unusual network connections originating from the Serv-U server
Network Indicators:
- Unexpected outbound connections from Serv-U server
- Traffic to known malicious IPs from Serv-U server
- Anomalous protocol usage on Serv-U ports
SIEM Query:
event_id=4688 AND parent_process="Serv-U.exe" AND (image="cmd.exe" OR image="powershell.exe")
Event ID 4688 is written to the Windows Security log (process creation auditing must be enabled), so scope the search to that log rather than to Serv-U's own application logs. The parent-process condition must be ANDed with the child-image condition; with an OR between them the query fires on every cmd.exe launch on the host.
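The same rule as running code, added here as an example and not part of the advisory: it parses forwarded 4688 event lines, alerts at HIGH when Serv-U.exe spawns a shell or interpreter, and at MEDIUM for any other child of Serv-U.exe, while ignoring cmd.exe launched from an administrator's console. The log lines, hostnames, timestamps and the C:\Serv-U install path are constructed placeholders.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Children that a file-transfer daemon has no business spawning; any of these
# under Serv-U.exe is a high-confidence alert. Every other child of Serv-U.exe
# is still reported, at lower severity.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "certutil.exe"}


@dataclass
class ProcessCreation:
    """The fields of a Windows Security event 4688 that the rule needs."""
    timestamp: str
    host: str
    new_process: str     # NewProcessName, full path
    parent_process: str  # ParentProcessName, full path (empty if not logged)


# key=value and key="quoted value" tokens, as a SIEM forwarder would emit them.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[ProcessCreation]:
    """Parse one forwarded event line; returns None for anything but 4688."""
    line = line.strip()
    if not line:
        return None
    timestamp, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV_RE.finditer(rest)}
    if fields.get("EventID") != "4688":
        return None
    return ProcessCreation(
        timestamp=timestamp,
        host=fields.get("Computer", ""),
        new_process=fields.get("NewProcessName", ""),
        parent_process=fields.get("ParentProcessName", ""),
    )


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower() if path else ""


def alert_for(event: ProcessCreation) -> Optional[str]:
    """Return an alert string when Serv-U.exe is the parent, else None."""
    if _basename(event.parent_process) != "serv-u.exe":
        return None
    child = _basename(event.new_process)
    severity = "HIGH" if child in SUSPICIOUS_CHILDREN else "MEDIUM"
    return f"{severity} {event.timestamp} {event.host}: Serv-U.exe spawned {child}"


def run_rule(lines: Iterable[str]) -> list:
    """Apply the rule to raw log lines and collect alerts in log order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            alert = alert_for(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample log: hosts, times and paths are invented, and C:\Serv-U
# is a placeholder rather than the product's real install directory.
SAMPLE_LOG = r'''
2021-07-10T02:14:05Z Computer=ftp-01 EventID=4688 NewProcessName="C:\Serv-U\Serv-U.exe" ParentProcessName="C:\Windows\System32\services.exe"
2021-07-10T02:31:48Z Computer=ftp-01 EventID=4624 LogonType=3 TargetUserName=svc_backup
2021-07-10T02:31:50Z Computer=ftp-01 EventID=4688 NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Serv-U\Serv-U.exe"
2021-07-10T02:31:51Z Computer=ftp-01 EventID=4688 NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentProcessName="C:\Serv-U\Serv-U.exe"
2021-07-10T08:02:11Z Computer=ftp-01 EventID=4688 NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Windows\explorer.exe"
2021-07-10T09:15:00Z Computer=ftp-02 EventID=4688 NewProcessName="C:\Users\Public\update.exe" ParentProcessName="C:\Serv-U\Serv-U.exe"
'''.strip().splitlines()

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOG):
        print(alert)
```

Keying on the parent process rather than on the child image alone is what keeps the rule quiet during normal administration: the cmd.exe started from explorer.exe in the sample produces no alert, while the three children of Serv-U.exe do.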
🔗 References
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35211