What is SolarWinds Serv-U?
SolarWinds Serv-U is an enterprise file transfer server platform supporting FTP, FTPS, SFTP, and HTTPS protocols. Serv-U FTP Server and Serv-U Managed File Transfer (MFT) Server are widely deployed in enterprises, government agencies, and financial institutions as secure file transfer gateways. Serv-U MFT handles sensitive data transfers including regulated data under HIPAA, PCI-DSS, and government compliance frameworks, making it a high-value target for espionage actors seeking to intercept or exfiltrate sensitive files.
Overview
CVE-2021-35211 is a pre-authentication remote code execution vulnerability (CWE-787, out-of-bounds write) in SolarWinds Serv-U's SSH protocol implementation. An attacker with network access to the Serv-U SSH service can send specially crafted SSH connection requests that corrupt memory in the SSH daemon and achieve code execution on the host. Microsoft's Threat Intelligence Center (MSTIC) discovered active exploitation by DEV-0322, a Chinese-nexus threat actor, and notified SolarWinds in July 2021. SolarWinds released an emergency hotfix (15.2.3 HF2) the same day Microsoft published its blog. The CVSS Scope:Changed and Attack Complexity:High metrics reflect an exploitation technique that is hard to carry out reliably but, once successful, reaches beyond the Serv-U process to the underlying host.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Serv-U FTP Server 15.2.3 and prior | Yes | 15.2.3 HF2 |
| Serv-U Managed File Transfer Server 15.2.3 and prior | Yes | 15.2.3 HF2 |
Technical Details
The vulnerability exists in Serv-U's SSH protocol stack. When processing SSH connection negotiation, Serv-U improperly handles certain protocol conditions, leading to a memory corruption condition:
- Root cause: Out-of-bounds write (CWE-787) in Serv-U's SSH protocol handling — crafted SSH connection data triggers memory corruption in the SSH daemon process
- Memory escape: The out-of-bounds write allows an attacker to overwrite memory structures beyond the intended buffer, potentially achieving code execution within the Serv-U process context
- Scope: Changed: Exploitation can affect resources beyond the Serv-U process itself — the server may run as a high-privileged account, and successful exploitation can provide access to the underlying OS
- Authentication required: None — the vulnerability is triggered during the SSH connection/handshake phase before any credentials are validated
- Attack Complexity: High — exploiting the memory corruption requires precise knowledge of memory layout and crafted payloads, reflecting the sophistication of DEV-0322's tooling
Discovery
Discovered by Microsoft Threat Intelligence Center (MSTIC) through analysis of active exploitation in the wild. MSTIC identified DEV-0322 (a Chinese-nexus threat actor) as the sole group exploiting this vulnerability before public disclosure. Microsoft immediately notified SolarWinds, which patched within days.
Exploitation Context
DEV-0322 targeted organizations in the US defense industrial base, high-tech sector, and software supply chain using this zero-day. The attack is notable because it occurred less than a year after the SolarWinds SUNBURST supply chain attack (December 2020), keeping SolarWinds products in the crosshairs of advanced threat actors. DEV-0322 used the Serv-U vulnerability for targeted espionage rather than mass exploitation. Limited exploitation was confirmed — this was a precision tool used against specific high-value targets before the patch was released, unlike many KEV entries that see mass ransomware exploitation.
Remediation
- Upgrade to Serv-U 15.2.3 HF2 or later immediately
- If immediate patching is not possible, disable the SSH service in Serv-U (if not business-critical) to eliminate the attack surface
- Restrict Serv-U SSH access to known IP ranges via firewall rules — the service should not be accessible from the open internet without IP allowlisting
- Review Serv-U access logs for unexpected SSH connection attempts, particularly from unusual source IPs or with malformed connection data
- Check for new accounts, modified file transfer policies, or unexpected file access in Serv-U that may indicate compromise prior to patching
- If DEV-0322/Chinese APT targeting is a concern for your organization, engage a threat intelligence provider for indicators of compromise
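The first three remediation items above reduce to two questions per Serv-U host: is it below 15.2.3 HF2, and is its SSH listener reachable from the internet? The script below is an added example (not SolarWinds' code and not from this advisory) that answers both across an inventory and ranks hosts by urgency. It assumes version strings look like "15.2.3", "15.2.3 HF2" or "15.2.3.742" (the optional build number is parsed but ignored, since the fix is keyed on the hotfix level); the `ServUHost` inventory fields and the sample hosts are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Fix level stated in the advisory: Serv-U 15.2.3 HF2. Anything below it is vulnerable.
FIXED = (15, 2, 3, 2)  # (major, minor, patch, hotfix)

# Assumed version-string shape: "15.2.3", "15.2.3 HF2", optionally with a build
# number such as "15.2.3.742". The build number is captured but not compared,
# because the advisory keys the fix on the HF level rather than the build.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Turn a Serv-U version string into a comparable (major, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    hotfix = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, hotfix)


def is_vulnerable(text):
    """True when the version predates 15.2.3 HF2, i.e. CVE-2021-35211 is unpatched."""
    return parse_version(text) < FIXED


@dataclass
class ServUHost:
    # Hypothetical inventory record; field names are this example's own.
    name: str
    version: str
    ssh_enabled: bool        # Serv-U SSH/SFTP listener running
    internet_exposed: bool   # SSH port reachable without an IP allowlist


def triage(hosts):
    """Rank hosts by urgency following the advisory's remediation order.

    P1: vulnerable, SSH on, reachable from the internet -> patch now or disable SSH
    P2: vulnerable, SSH on, reachable only from allowlisted ranges -> patch promptly
    P3: vulnerable, SSH disabled -> no pre-auth SSH attack surface; patch at next window
    Hosts already at 15.2.3 HF2 or later are omitted.
    """
    ranked = []
    for h in hosts:
        if not is_vulnerable(h.version):
            continue
        if h.ssh_enabled and h.internet_exposed:
            ranked.append(("P1", h.name, "upgrade to 15.2.3 HF2 or disable SSH; add IP allowlist"))
        elif h.ssh_enabled:
            ranked.append(("P2", h.name, "upgrade to 15.2.3 HF2; review SSH logs for anomalies"))
        else:
            ranked.append(("P3", h.name, "upgrade to 15.2.3 HF2 before re-enabling SSH"))
    ranked.sort(key=lambda r: r[0])  # stable sort keeps inventory order within a tier
    return ranked


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    ServUHost("mft-dmz-01", "15.2.3", ssh_enabled=True, internet_exposed=True),
    ServUHost("mft-int-02", "15.2.3 HF1", ssh_enabled=True, internet_exposed=False),
    ServUHost("mft-lab-03", "15.1.7", ssh_enabled=False, internet_exposed=False),
    ServUHost("mft-core-04", "15.2.3 HF2", ssh_enabled=True, internet_exposed=True),
    ServUHost("mft-new-05", "15.2.5.899", ssh_enabled=True, internet_exposed=True),
]

if __name__ == "__main__":
    for priority, name, action in triage(SAMPLE_INVENTORY):
        print(f"{priority} {name}: {action}")
```

Feed it real version strings from your asset inventory rather than the constructed list; a string the regex does not recognise raises rather than silently passing, so an unexpected format shows up as a loud failure instead of a host wrongly marked as patched.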
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-35211 |
| Vendor / Product | SolarWinds — Serv-U |
| NVD Published | 2021-07-14 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-787 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-07-09 | Microsoft MSTIC notifies SolarWinds of active zero-day exploitation |
| 2021-07-13 | SolarWinds releases Serv-U 15.2.3 HF2 hotfix |
| 2021-07-13 | Microsoft publishes MSTIC blog attributing exploitation to DEV-0322 (Chinese nexus) |
| 2021-07-14 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| SolarWinds Security Advisory — CVE-2021-35211 | Vendor Advisory |
| Microsoft MSTIC — Threat Actor Targeting SolarWinds Serv-U with 0-Day | Security Research |
| NVD — CVE-2021-35211 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |