Two unpatched vulnerabilities in SolarWinds Serv-U

Information security specialists reported the finding of two critical vulnerabilities affecting SolarWinds Serv-U. According to the report, successful exploitation of these flaws would allow the deployment of multiple attack scenarios.

Below are brief reports of the detected flaws, in addition to their tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-35245: The affected application does not properly impose security restrictions, which would allow remote threat actors to access to the Serv-U Console and move, create and even delete arbitrary files on the affected systems.  

This is a low severity flaw and received a CVSS score of 6/10.

CVE-2021-35242: On the other hand, this flaw exists due to the inadequate validation of the HTTP requests origins. This condition may allow malicious hackers to redirect web browser users to a specially crafted website and perform arbitrary actions on the affected system.  

The flaw received a CVSS score of 6.5/10 and its successful exploitation would lead to a cross-site request forgery (CSRF) attack.

According to the report, the flaws reside in the following Serv-U FTP Server versions: 15.1, 15.1.1, 15.1.2, 15.1.3, 15.1.3 HF1, 15.1.3 HF2, 15.1.4, 15.1.5, 15.1.6, 15.1.6 HF1, 15.1.6 HF2, 15.1.6 HF3, 15.1.6 HF4, 15.1.6 HF5,, 15.1.7, 15.1.7 HF1, 15.1.7 HF2, 15.1.7 HF3, 15.1.7 HF4, 15.1.7 HF5, 15.2, 15.2.1, 15.2.2, 15.2.2 HF1, 15.2.3, 15.2.3 HF1, 15.2.3 HF2, 15.2.4 & 15.2.4 HF1.

The flaws can be exploited by remote threat actors using specially crafted request to the affected application, even though there are no indications of active exploitation. Still, users of affected implementations are encouraged to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.