CVE-2021-35247 — SolarWinds Serv-U Improper Input Validation Vulnerability

SolarWinds Serv-U FTP/MFT Server — Improper Input Validation Enables Unauthenticated Attacker to Inject Queries via Login Request; Active Exploitation by APT Actors

What is SolarWinds Serv-U?

SolarWinds Serv-U is an enterprise FTP/FTPS/SFTP and MFT (Managed File Transfer) server platform used by thousands of organizations for secure file transfer and sharing. Serv-U provides web-based and client-based file transfer interfaces, with authentication backed by LDAP, Active Directory, or local user databases. Because Serv-U handles file transfer authentication and often integrates with enterprise directory services, vulnerabilities in its login flow — particularly those that allow injection into directory queries — can enable user enumeration, authentication bypass, or unauthorized directory access. SolarWinds is a high-value target for sophisticated threat actors following the 2020 SolarWinds Orion supply chain attack, and Serv-U vulnerabilities are closely monitored by nation-state actors.

Overview

CVE-2021-35247 is an improper input validation vulnerability (CWE-20) in SolarWinds Serv-U 15.2.5 and earlier that allows an attacker to submit queries to Serv-U that are not properly sanitized. The vulnerability lies in Serv-U's login request handling — user-supplied input is incorporated into queries (likely LDAP queries in directory-integrated installations) without proper sanitization. An unauthenticated attacker can craft a login request containing injected characters that alter the underlying query. CISA added this CVE to KEV just 11 days after its publication in January 2022, reflecting observed active exploitation by threat actors — including a Chinese APT actor observed exploiting Serv-U vulnerabilities.

Affected Versions

Product                                Vulnerable   Fixed
SolarWinds Serv-U 15.2.5 and earlier   Yes          Serv-U 15.3 (December 2021)

Technical Details

  • Root cause: Improper input validation (CWE-20) — user-supplied input in Serv-U's login request (username, connection parameters) is used to construct queries without sanitization; special characters are not properly escaped or validated before being passed to query processing (likely LDAP or SQL queries in the authentication backend)
  • Query injection: An attacker can inject characters into the login request that alter the structure of the underlying directory or database query — enabling techniques such as LDAP injection (manipulating LDAP filter syntax) or SQL injection, potentially bypassing authentication or retrieving unauthorized information
  • UI:R in context: The User Interaction Required classification in this CVSS context likely reflects that exploitation requires the login request flow to execute (i.e., the normal login process must be initiated), rather than requiring a separate user to take an action
  • CISA rapid KEV addition: The 11-day gap between CVE publication (January 10) and KEV addition (January 21) is unusually short — indicating CISA had observed or received credible reports of active exploitation at the time of publication
  • APT actor context: Microsoft Threat Intelligence reported a Chinese APT actor (DEV-0322/UNC3524) exploiting SolarWinds Serv-U vulnerabilities; while primarily associated with CVE-2021-35211 (Serv-U RCE), the same actor's interest in Serv-U infrastructure makes CVE-2021-35247 relevant to the same threat cluster

Discovery

Reported to SolarWinds and patched in Serv-U 15.3 released December 2021. CISA's rapid KEV addition in January 2022 suggests active exploitation was observed by federal agencies or threat intelligence partners before or at the time of CVE publication.

Exploitation Context

SolarWinds is a high-priority target for sophisticated threat actors — the 2020 SolarWinds Orion supply chain compromise demonstrated that SolarWinds software is deployed across sensitive government and corporate networks. CVE-2021-35247 in Serv-U represents a lower-severity but actively exploited vulnerability in SolarWinds infrastructure. Query injection in a file transfer server's authentication can enable: user enumeration (identifying valid accounts), authentication bypass in LDAP-integrated deployments, or unauthorized file access. The extremely rapid CISA KEV addition indicates this was being actively leveraged by threat actors against federal or critical infrastructure Serv-U deployments at the time of disclosure.

Remediation

  1. Upgrade SolarWinds Serv-U to version 15.3 or later — patches CVE-2021-35247 and all prior Serv-U vulnerabilities
  2. If immediate patching is not possible: restrict Serv-U login interfaces to known IP ranges via firewall rules; prevent unauthenticated access to Serv-U from untrusted networks
  3. Review Serv-U logs for anomalous login requests with unusual characters or query injection patterns in usernames or connection parameters
  4. For LDAP-integrated Serv-U deployments: apply additional input validation at the LDAP query layer; enable LDAP query logging to detect injection attempts
  5. Monitor Serv-U for unauthorized file access or unusual transfer activity following any login anomalies
  6. Implement multi-factor authentication for Serv-U where supported, and restrict Serv-U admin access to dedicated management networks
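The query injection described under Technical Details and the log review in remediation step 3, as an added Python example that is not from this page or from SolarWinds: the login query is assumed to be an LDAP filter (the page says "likely LDAP"), the filter shape, function names and log-line format are hypothetical, and the sample log lines are constructed. It places the vulnerable filter builder beside a hardened one that escapes the value per RFC 4515, and scans login records for usernames carrying filter metacharacters.

```python
import re

# RFC 4515 escaping: the characters that change LDAP filter structure are
# replaced by backslash-hex sequences so user input stays a literal value.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                        ")": r"\29", "\x00": r"\00"}

def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern (CWE-20): raw login input spliced into the filter.
    Assumed filter shape; the page does not give Serv-U's actual query."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"

def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: same filter, value escaped before it is spliced in."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"

def filter_changed_structure(username: str) -> bool:
    """True when the raw username added filter components (extra parentheses)."""
    unsafe = build_login_filter_unsafe(username)
    return unsafe.count("(") != build_login_filter_safe(username).count("(")

# Detection for remediation step 3: usernames in login records that carry
# LDAP filter metacharacters. Log format is hypothetical, not Serv-U's own.
_META = re.compile(r"[()*\\\x00|&!]")
_USER_RE = re.compile(r'user="([^"]*)"')

def flag_suspicious_logins(log_lines):
    """Return the usernames from log lines that contain filter metacharacters."""
    hits = []
    for line in log_lines:
        m = _USER_RE.search(line)
        if m and _META.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not real Serv-U output).
SAMPLE_LOG = [
    '2022-01-12 03:14:07 src=203.0.113.5 event=login user="jsmith" result=fail',
    '2022-01-12 03:14:09 src=203.0.113.5 event=login user="*)(objectClass=*" result=fail',
    '2022-01-12 03:14:11 src=203.0.113.5 event=login user="jsmith" result=ok',
]

if __name__ == "__main__":
    for user in ("jsmith", "*)(objectClass=*"):
        print(build_login_filter_unsafe(user), "->", build_login_filter_safe(user))
    print("flagged:", flag_suspicious_logins(SAMPLE_LOG))
```

The escaped form keeps the filter at the same number of components regardless of input, which is the property a Serv-U operator wants from the patched authentication path.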

Key Details

Property              Value
CVE ID                CVE-2021-35247
Vendor / Product      SolarWinds — Serv-U
NVD Published         2022-01-10
NVD Last Modified     2025-10-27
CVSS 3.1 Score        4.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity              MEDIUM
CWE                   CWE-20
CISA KEV Added        2022-01-21
CISA KEV Deadline     2022-02-04
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       None
Integrity             Low
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-02-04. Apply updates per vendor instructions.

Timeline

Date        Event
2021-12-15  SolarWinds releases Serv-U 15.3 patching CVE-2021-35247
2022-01-10  CVE published
2022-01-21  CISA adds CVE-2021-35247 to KEV — rapid addition reflecting observed active exploitation by threat actors
2022-02-04  CISA BOD 22-01 remediation deadline

References

Resource                                        Type
SolarWinds Security Advisory — CVE-2021-35247   Vendor Advisory
NVD — CVE-2021-35247                            Vulnerability Database
CISA KEV Catalog Entry                          US Government