Microsoft has discovered a zero-day vulnerability in SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP. No other SolarWinds or N-able (previously SolarWinds MSP) products are affected. The zero-day is tracked as CVE-2021-35211 and is a Remote Code Execution (RCE) vulnerability.
The vulnerability is due to a boundary error, more precisely the improper restriction of operations within the bounds of a memory buffer.
The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions.
If this vulnerability is successfully exploited, threat actors can run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system.
The vulnerability is being actively exploited in the wild, and according to Microsoft a limited, targeted group of users has been hit so far.
Patches are not available yet to address this vulnerability, but SolarWinds has released a hotfix (Serv-U 15.2.3 HF2). All customers using Serv-U should install this fix immediately to protect their environment. SolarWinds customers on active maintenance for the Serv-U product can log in to their Customer Portal to access the fix. If you are not on active maintenance and are currently using the products, open a customer service ticket with the subject "Serv-U Assistance" and the SolarWinds team will assist you.
For more details, refer to SolarWinds' security advisory.