CVE-2023-40060
📋 TL;DR
This vulnerability allows administrators with existing access to bypass multi-factor authentication in Serv-U FTP server software. Attackers who already have administrator credentials can disable MFA protections, potentially gaining persistent access even if legitimate users change passwords. Only Serv-U 15.4 and 15.4 Hotfix 1 installations are affected.
💻 Affected Systems
- SolarWinds Serv-U
📦 What is this software?
Serv-U by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compromised administrator credentials could bypass MFA, maintain persistent access to the Serv-U management console, and potentially compromise the entire FTP server infrastructure and hosted data.
Likely Case
An insider threat or attacker with stolen admin credentials could disable MFA protections, allowing continued access even after password changes, leading to data exfiltration or unauthorized file transfers.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the Serv-U instance itself, though MFA bypass still represents a significant authentication control failure.
🎯 Exploit Status
Exploitation requires administrator credentials. The vulnerability involves bypassing MFA controls rather than gaining initial access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.4 Hotfix 2
Vendor Advisory: https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-0-Hotfix-2?language=en_US
Restart Required: Yes
Instructions:
1. Download Serv-U 15.4 Hotfix 2 from the SolarWinds Customer Portal.
2. Back up the current Serv-U configuration.
3. Run the installer with administrative privileges.
4. Restart Serv-U services.
5. Verify that MFA functionality is working correctly.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to only necessary personnel and implement strict access controls.
Enhanced Monitoring
Monitor for MFA configuration changes and administrator authentication events.
🧯 If You Can't Patch
- Implement network segmentation to isolate Serv-U from critical systems
- Enable detailed logging of all administrator actions and MFA configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the Serv-U version in the management console: Help > About. If the version is 15.4 or 15.4 Hotfix 1, the system is vulnerable.
Check Version:
In Serv-U management console: Help > About
Verify Fix Applied:
After applying Hotfix 2, verify that the version shows 15.4 Hotfix 2 and confirm that MFA is still enforced for administrator logins (an administrator sign-in should prompt for the second factor).
📡 Detection & Monitoring
Log Indicators:
- Unexpected MFA configuration changes
- Administrator authentication without MFA prompts
- Multiple failed MFA attempts followed by successful login
Network Indicators:
- Unusual FTP/SFTP traffic patterns from administrator accounts
- Connections to Serv-U management interface from unexpected IPs
SIEM Query:
source="serv-u" AND (event_type="mfa_config_change" OR (user_role="administrator" AND auth_method!="mfa"))
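An added example (not from the advisory or from SolarWinds) that applies the SIEM query above, together with the "multiple failed MFA attempts followed by successful login" indicator, to constructed log records. The key="value" line format, the event_type/result values other than those in the query, and the sample data are assumptions.

```python
import re
from collections import defaultdict

_KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample records in an assumed key="value" line format; not real Serv-U output.
SAMPLE_LOG = """\
source="serv-u" ts="1" user="admin1" user_role="administrator" event_type="mfa_config_change" result="success"
source="serv-u" ts="2" user="admin1" user_role="administrator" event_type="login" auth_method="password" result="success"
source="serv-u" ts="3" user="bob" user_role="user" event_type="login" auth_method="password" result="success"
source="serv-u" ts="4" user="admin2" user_role="administrator" event_type="mfa_challenge" result="failure"
source="serv-u" ts="5" user="admin2" user_role="administrator" event_type="mfa_challenge" result="failure"
source="serv-u" ts="6" user="admin2" user_role="administrator" event_type="login" auth_method="mfa" result="success"
source="other" ts="7" user="admin3" user_role="administrator" event_type="login" auth_method="password" result="success"
"""

def parse(text):
    """Turn each non-empty line into a dict of its key="value" pairs."""
    return [dict(_KV.findall(line)) for line in text.splitlines() if line.strip()]

def siem_rule(rec):
    """The page's query: source="serv-u" AND (event_type="mfa_config_change" OR
    (user_role="administrator" AND auth_method!="mfa")); no auth_method field means no != match."""
    if rec.get("source") != "serv-u":
        return None
    if rec.get("event_type") == "mfa_config_change":
        return "mfa_config_change"
    if rec.get("user_role") == "administrator" and "auth_method" in rec and rec["auth_method"] != "mfa":
        return "admin_auth_without_mfa"
    return None

def detect(text, min_failures=2):
    """Return (ts, user, reason) for SIEM-rule matches and for accounts whose
    successful login follows at least min_failures consecutive failed MFA challenges."""
    hits, failures = [], defaultdict(int)
    for rec in parse(text):
        reason = siem_rule(rec)
        if reason:
            hits.append((rec["ts"], rec["user"], reason))
            continue
        user = rec.get("user")
        if rec.get("event_type") == "mfa_challenge" and rec.get("result") == "failure":
            failures[user] += 1
        elif rec.get("event_type") == "login" and rec.get("result") == "success":
            if failures[user] >= min_failures:
                hits.append((rec["ts"], user, "mfa_failures_then_success"))
            failures[user] = 0
    return hits
```

Records from a source other than serv-u and non-administrator password logins are deliberately left unflagged, matching the query's scope.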
🔗 References
- https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-0-Hotfix-2?language=en_US
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40060