PatchDay Alert
Analysis · 3 min read · 505 words · By operations-desk

SolarWinds Serv-U: a state actor's zero-day in yet another file-transfer product

CVE-2021-35211 was a zero-day RCE in SolarWinds Serv-U, exploited by a China-nexus actor weeks after the SUNBURST headlines faded. It's another managed-file-transfer product turned into a foothold, the category attackers keep returning to.

In July 2021, Microsoft reported that a China-nexus threat actor it tracks as DEV-0322 was exploiting CVE-2021-35211, a zero-day remote code execution flaw in SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP. The SolarWinds name carries baggage (the company was at the center of the SUNBURST supply-chain compromise months earlier), but this is a separate product and a separate bug: a memory-corruption flaw in Serv-U's SSH component that, once exploited, gave the attacker code execution on the server, after which they could install programs, view and alter data, and otherwise act with the privileges of the Serv-U process.

What the bug is

The vulnerability lay in how Serv-U handled certain SSH connections: a crafted connection could corrupt memory and lead to remote code execution. SolarWinds patched it (Serv-U 15.2.3 Hotfix 2 and later) shortly after the exploitation was detected. CISA added it to its Known Exploited Vulnerabilities catalog, flagged as used in ransomware campaigns. Exploitation was targeted (a state actor using it as a zero-day) rather than mass scanning, but Serv-U is internet-facing by design, so any exposed, unpatched instance was at risk.

The lesson: file-transfer products are a category target, full stop

Serv-U joins a long roster of managed-file-transfer products (MOVEit, GoAnywhere, Accellion, Cleo, WS_FTP, Aspera) exploited for initial access and data theft. The reason is consistent: MFT software is internet-facing (it has to receive files), it concentrates sensitive data, and it is run by organizations that often forget it is a critical server. Serv-U adds the data point that it is not just ransomware crews mining this category; nation-state actors burn zero-days on it too. If you run any MFT product, treat it as a high-value, actively hunted target regardless of vendor.

What to do

  • Patch Serv-U to a fixed version (15.2.3 HF2+), and stay current on SolarWinds advisories. Treat MFT patches as emergency-grade.
  • Restrict and minimize internet exposure. Serv-U needs to receive connections, but limit which networks and protocols are exposed, and front it with access controls where the workflow allows.
  • Inventory all your file-transfer software, keep it patched, and reduce how many MFT products you run.
  • Assume targeted compromise of any exposed, unpatched instance during the 2021 window: hunt for the Serv-U process spawning unexpected child processes and for other post-exploitation activity, rotate credentials, and review what data the server handled.
  • Defend against exfiltration: the goal of most MFT attacks is the data, so monitor for large outbound transfers.
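The "Serv-U spawning unexpected children" hunt above, as an added example that is not from the original post or from SolarWinds: a small Python pass over constructed process-creation records that flags any child of the Serv-U service not on an allowlist. The Serv-U install path, the allowlist contents and the sample records are all assumptions for illustration; feed it your own EDR or Sysmon export in the same four-column shape.

```python
"""Hunt: flag the Serv-U process spawning children outside an allowlist (added example)."""
import csv
import io

# Children a Serv-U service is normally expected to launch. This allowlist is an
# assumption for the example; tune it to what your own deployment legitimately runs.
EXPECTED_CHILDREN = {"conhost.exe", "werfault.exe"}

# Constructed sample of process-creation telemetry (not real logs, not a real host).
# Columns: time, parent image, child image, child command line.
SAMPLE_EVENTS = """\
time,parent_image,image,command_line
2021-07-09T02:11:03Z,C:\\Serv-U\\Serv-U.exe,C:\\Windows\\System32\\conhost.exe,conhost.exe
2021-07-09T02:11:09Z,C:\\Serv-U\\Serv-U.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami
2021-07-09T02:11:12Z,C:\\Serv-U\\Serv-U.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -NoProfile
2021-07-09T02:12:40Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe
"""


def parse_events(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_children(events, parent_name="serv-u.exe", expected=EXPECTED_CHILDREN):
    """Return records where the Serv-U process is the parent of a child not on the allowlist.

    Only the parent's file name is matched, so the hunt works regardless of install path.
    """
    hits = []
    for ev in events:
        if basename(ev["parent_image"]) != parent_name:
            continue  # not a Serv-U child; explorer.exe -> cmd.exe is out of scope here
        child = basename(ev["image"])
        if child not in expected:
            hits.append({"time": ev["time"], "child": child, "command_line": ev["command_line"]})
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_children(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['time']}  Serv-U.exe -> {hit['child']}  ({hit['command_line']})")
```

A hit is a lead to triage, not a verdict; pair it with the credential rotation and data review in the bullet above.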

The reframe is to put managed file transfer on your list of permanently-targeted software categories, alongside VPN gateways and email servers. SolarWinds Serv-U is one more entry in a pattern that ransomware crews and nation-states both exploit relentlessly: internet-facing software sitting on a pile of sensitive data. Patch it fast, shrink its exposure, and assume the next MFT zero-day is already being looked for. We track the file-transfer entries as one ongoing story because, across vendors, they keep being the door.
