CVE-2021-35211 Overview
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
This vulnerability has been actively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating confirmed weaponization by threat actors targeting organizations using SolarWinds file transfer solutions.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary code with elevated privileges on systems running vulnerable versions of SolarWinds Serv-U, potentially leading to complete system compromise.
Affected Products
- SolarWinds Serv-U Managed File Transfer (versions before 15.2.3 HF2)
- SolarWinds Serv-U Secure FTP for Windows (versions before 15.2.3 HF2)
- SolarWinds Serv-U 15.2.3 (including 15.2.3 Hotfix 1)
Discovery Timeline
- July 2021 - Vulnerability discovered by Microsoft Threat Intelligence Center (MSTIC)
- 2021-07-14 - CVE-2021-35211 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2021-35211
Vulnerability Analysis
CVE-2021-35211 is an Out-of-Bounds Write vulnerability (CWE-787) affecting the SolarWinds Serv-U SSH implementation. The vulnerability exists in the way Serv-U handles certain SSH connection requests, allowing an attacker to corrupt memory and achieve remote code execution.
Microsoft observed this vulnerability being exploited in the wild by threat actors who were able to leverage the flaw to run arbitrary code with elevated privileges. The attack does not require authentication, making it particularly dangerous for internet-exposed Serv-U instances.
The Remote Memory Escape Vulnerability allows attackers to manipulate memory operations in a way that bypasses normal security boundaries. When successfully exploited, the attacker gains the same privileges as the Serv-U service account, which typically runs with elevated system permissions.
Root Cause
The root cause of this vulnerability lies in improper bounds checking within the SSH protocol handling code of SolarWinds Serv-U. The software fails to properly validate input data during SSH connection establishment, allowing an attacker to write data outside the intended memory boundaries. This Out-of-Bounds Write condition (CWE-787) can be leveraged to corrupt critical program data structures or inject malicious code into executable memory regions.
Attack Vector
The attack is network-based and can be executed remotely without requiring user interaction or authentication. An attacker can exploit this vulnerability by:
- Establishing a connection to the Serv-U SSH service (typically port 22)
- Sending specially crafted SSH pre-authentication messages
- Triggering the memory corruption condition through malformed input
- Achieving code execution within the context of the Serv-U service
The vulnerability was observed being exploited as a zero-day by sophisticated threat actors. According to Microsoft's research, the attackers targeted organizations with internet-facing Serv-U instances, making network exposure a critical factor in exploitation risk.
For detailed technical analysis, refer to the Microsoft Threat Intelligence Blog and the SolarWinds Security Advisory.
Detection Methods for CVE-2021-35211
Indicators of Compromise
- Unusual child processes spawned by Serv-U.exe such as cmd.exe, powershell.exe, or other unexpected binaries
- Anomalous SSH connection patterns including malformed pre-authentication requests
- Presence of unexpected files in Serv-U installation directories or temp folders
- Suspicious network connections originating from the Serv-U process to external IP addresses
- Evidence of credential harvesting or lateral movement following Serv-U service activity
Detection Strategies
- Monitor Serv-U debug logs (enable DebugSocketlog as recommended by SolarWinds) for exception patterns indicating exploitation attempts
- Deploy endpoint detection and response (EDR) solutions to identify abnormal process behavior associated with Serv-U.exe
- Implement network intrusion detection rules to identify malicious SSH traffic patterns targeting vulnerable Serv-U instances
- Review Windows Event Logs for process creation events showing suspicious parent-child relationships involving Serv-U
Monitoring Recommendations
- Enable comprehensive logging on all Serv-U installations and forward logs to a centralized SIEM platform
- Configure alerts for any child processes spawned by Serv-U.exe that are not part of normal operations
- Monitor network traffic for SSH connections exhibiting unusual characteristics or high volumes of failed authentication attempts
- Establish baseline behavior for Serv-U services and alert on deviations
How to Mitigate CVE-2021-35211
Immediate Actions Required
- Upgrade all SolarWinds Serv-U installations to version 15.2.3 HF2 or later immediately
- If SSH functionality is not required, disable SSH access in Serv-U configuration as a temporary measure
- Restrict network access to Serv-U services using firewall rules to limit exposure to trusted IP addresses only
- Conduct forensic analysis on potentially affected systems to identify signs of compromise
- Review the CISA Known Exploited Vulnerabilities Catalog for compliance requirements
Patch Information
SolarWinds has released Serv-U version 15.2.3 Hotfix 2 (15.2.3 HF2) to address this vulnerability. Organizations should immediately apply this update to all affected installations. The patch can be obtained from the SolarWinds Customer Portal.
For organizations unable to patch immediately, SolarWinds recommends disabling SSH access as a temporary mitigation until the hotfix can be applied.
Workarounds
- Disable SSH functionality in Serv-U if not business-critical by navigating to Serv-U Management Console and disabling SSH listeners
- Implement strict network segmentation to isolate Serv-U servers from critical infrastructure
- Deploy web application firewalls (WAF) or intrusion prevention systems (IPS) with signatures for CVE-2021-35211
- Enable enhanced monitoring and logging to detect potential exploitation attempts
# Verify Serv-U version and check for vulnerability
# Check the installed Serv-U version in Windows
wmic product where "name like 'Serv-U%%'" get name,version
# Review Serv-U logs for exploitation indicators
# Default log location: C:\ProgramData\RhinoSoft\Serv-U\
Get-Content "C:\ProgramData\RhinoSoft\Serv-U\Serv-U-DebugSocketLog*.txt" | Select-String -Pattern "Exception"
# Disable SSH listener via command line (requires restart)
# Alternatively, use Serv-U Management Console to disable SSH
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
