This content is part of the Essential Guide: SolarWinds breach news center

Essential Guide

Browse Sections

SolarWinds warns of zero-day vulnerability under attack

SolarWinds says targeted attacks from a single threat actor have been reported on a previously unknown vulnerability in the Serv-U file transfer platform.

SolarWinds is once again sounding the alarms over an in-the-wild attack on one of its IT management platforms.

This time, the flaw at fault is CVE-2021-35211, a remote code execution flaw in Serv-U Managed File Transfer Server and Serv-U Secured FTP, a pair of IT management utilities used to manage remote file servers. A successful exploit would potentially allow an attacker the ability to install and run malware.

"The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions," SolarWinds said in its security bulletin.

"A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system."

According to the SolarWinds bulletin, the vulnerability is currently under active attack. The vendor cautioned that so far the exploits are "a limited, targeted set of customers and a single threat actor." The vendor did not elaborate on who the victims were or the possible motives of the attackers.

Even if the attacks are currently just an isolated set of incidents on a small group of companies, administrators would be wise to get the Serv-U version 15.2.3 update tested and installed as soon as possible, as these sort of attacks tend to spread and get recycled once word of a working exploit becomes public knowledge.

The security team at Microsoft was credited with spotting the attack and reporting it to SolarWinds.

While small in scale and limited to a small subset of products, the attack could cause unease among SolarWinds' customer base given the events of recent months.

Earlier this year, the IT management specialist fell victim to one of the worst supply chain attacks in recent memory when its network was breached by attackers, who managed to gain access to the code repository of the Orion IT management platform.

Using that network presence, the attackers were able to set up their own virtual machines and get a close look at the basic code behind Orion. This eventually allowed the intruders, believed to be a group acting on behalf of the Russian government, to slip a backdoor into development versions of Orion.

Those poisoned updates were eventually pushed out to thousands of customers worldwide, resulting in dozens of network breaches at U.S. government agencies, technology companies and other organizations.

While there are thus far no indications that the Serv-U attacks will be anywhere near the scale of the Orion supply chain incident, SolarWinds urged customers to make sure their file servers (both Transfer and FTP) are running versions 15.2.3 or later.

Next Steps

Matt Tait warns of 'stolen' zero-day vulnerabilities

SEC charges SolarWinds for security failures, fraud

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing