Execute Command Function Allows Remote Code Execution (RCE)Vulnerability
CVE-2021-35223

8.5HIGH

Key Information:

Vendor: Solarwinds
Status: Serv-u
Vendor: CVE Published:; 31 August 2021

Summary

The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution.

Affected Version(s)

Serv-U 15.2.3 and previous versions <= 15.2.4

References

https://support.solarwinds.com/SuccessCenter/s/article/Ex...

x_refsource_MISC

https://documentation.solarwinds.com/en/success_center/se...

x_refsource_MISC

https://www.solarwinds.com/trust-center/security-advisori...

x_refsource_MISC

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Aug 31, 2021
Vulnerability Reserved
Jun 22, 2021

Credit

SolarWinds would like to thank Exodus Intelligence (exodusintel.com) for reporting on the issue in a responsible manner