CVE-2021-35211
Published 2021-07-14
Priority: P1 · 99 · critical · CVSS 3.1 base score 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 91.16% (99.8th percentile)
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u | < 15.2.3 | 15.2.3 HF2 |
| solarwinds | serv-u | 15.2.3 (no hotfix) and 15.2.3 HF1 | 15.2.3 HF2 |
| solarwinds | serv-u_managed_file_transfer_server_and_serv-u_secured_ftp | < 15.2.3 HF2 | 15.2.3 HF2 |
The vendor fix is Serv-U 15.2.3 Hotfix 2 (HF2). Both 15.2.3 without a hotfix and 15.2.3 HF1 remain vulnerable, so feeds that list "15.2.3" or "15.2.3 HF1" as the fixed version are too optimistic; verify the hotfix level, not just the 15.2.3 version string.
Detection & IOCs
- SSH banner prefix: SSH-2.0-Serv-U
- Vulnerable build threshold used by the Nuclei template: version < 15.2.3.742
- Banner regex (the source labels it "yara", but it is a plain regular expression): SSH-2.0-Serv-U_(\d+\.\d+\.\d+)(?:\.(\d+))?
- Alert on outbound connections to 5.188.86[.]18:443 and 92.118.36[.]199:443, identified as BARBWIRE (FlawedGrace) C2 infrastructure used post-exploitation of CVE-2021-35211.
- Alert on outbound connections to 5.188.206[.]78, identified as the Cobalt Strike C2 server staged via TRUECORE (Truebot) after CVE-2021-35211 exploitation.
- Detect injection into cmd.exe by monitoring for remote thread creation in cmd.exe with RWX memory regions containing an MZ (0x4d5a) PE header, a Cobalt Strike beacon injection indicator.
- Monitor for MBR overwrite events (MBR Killer wiper) on hosts where FlawedGrace was running, triggered as a final destructive action post-exfiltration in CVE-2021-35211-linked intrusions.
- Detect Truebot C2 DNS resolution for essadonio[.]com (resolving to 45.182.189[.]71), used as the initial callback after Truebot execution following CVE-2021-35211 exploitation.
- Caveat: the C2 IPs (5.188.86[.]18, 92.118.36[.]199, 5.188.206[.]78) and domain (essadonio[.]com) were observed in a May 2023 intrusion attributed to Lace Tempest/FIN11 that used CVE-2021-35211 as the initial access vector. They may no longer be active and are not exclusive to this CVE, so a match is a lead to investigate, not proof of exploitation.
- Caveat: the Nuclei template relies on SSH banner version comparison and is passive/informational. It does not confirm active exploitation, only the presence of a vulnerable Serv-U version, and a banner that has been changed or withheld produces a false negative.
- Caveat: the Suricata M1 rule (sid 2033893, listed below) keys on the byte string "SSH-2.0-" followed directly by CRLF, i.e. an SSH client banner with an empty software-version string, in a to-server packet larger than 150 bytes on port 22, and only alerts once ten such packets reach one destination within 30 seconds. Normal clients identify themselves (for example SSH-2.0-OpenSSH_8.9), so the rule is reasonably specific, but it is port-22-only, a bare 10-byte banner never satisfies dsize:>150 unless more data is coalesced into the same segment, and an attacker who adds any software string evades it. M2 (sid 2033894) drops the threshold and instead requires the bytes ec 19 0e 80 01 after the banner in the same packet.
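A passive triage helper built from the indicators above, added here as an example and not code from any of the cited sources, from SolarWinds or from the Nuclei project. It applies the banner regex and the 15.2.3.742 threshold listed on this page (so it also encodes the version boundary in the Affected table, treating a bare 15.2.3 as below the fix) and sweeps log lines for the FlawedGrace, Truebot and Cobalt Strike indicators above. The log format and every line in SAMPLE_LOG are constructed for the example, build 15.2.3.717 in the sample banners is a made-up pre-fix build number, and the indicator values are the ones listed above with the "[.]" defanging removed.

```python
"""Passive triage for CVE-2021-35211 (SolarWinds Serv-U) from observable data.

Added example, not vendor or source code. Two checks:
  1. SSH banner -> is the advertised Serv-U build below the page's
     15.2.3.742 threshold? (presence of a vulnerable version, NOT proof of
     exploitation)
  2. sweep of DNS/flow log lines for the post-exploitation C2 indicators
     listed on this page (a lead to investigate, NOT proof of exploitation)
"""
import re
from typing import Dict, List, Optional, Tuple

# Banner regex exactly as listed on the page.
BANNER_RE = re.compile(r"SSH-2\.0-Serv-U_(\d+\.\d+\.\d+)(?:\.(\d+))?")
# Threshold used by the page's Nuclei template: builds below this are flagged.
FIXED_BUILD: Tuple[int, int, int, int] = (15, 2, 3, 742)

# Indicators from the page, re-fanged ("[.]" -> ".") so they match raw logs.
C2_IPS = {"5.188.86.18", "92.118.36.199", "5.188.206.78", "45.182.189.71"}
C2_DOMAINS = {"essadonio.com"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_serv_u_build(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, build) from a Serv-U SSH banner, else None.

    A banner with no fourth component (e.g. SSH-2.0-Serv-U_15.2.3) is treated
    as build 0, so a bare 15.2.3 compares as older than 15.2.3.742, matching
    the page's affected ranges (15.2.3 without HF2 is vulnerable).
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return (major, minor, patch, build)


def is_vulnerable_build(banner: str) -> Optional[bool]:
    """True/False for a Serv-U banner, None when the banner is not Serv-U."""
    version = parse_serv_u_build(banner)
    if version is None:
        return None
    return version < FIXED_BUILD


def find_c2_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, line) pairs for every C2 IP or domain seen in the logs."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                hits.append((ip, line))
        lowered = line.lower()
        for domain in C2_DOMAINS:
            if domain in lowered:
                hits.append((domain, line))
    return hits


# Constructed sample data (not captured from any real host or incident).
SAMPLE_BANNERS: Dict[str, str] = {
    "sftp-old": "SSH-2.0-Serv-U_15.2.3.717",   # hypothetical pre-fix build number
    "sftp-base": "SSH-2.0-Serv-U_15.2.3",      # version without a build component
    "sftp-fixed": "SSH-2.0-Serv-U_15.2.3.742",
    "bastion": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
}
SAMPLE_LOG = """\
2023-05-14T02:11:07Z dns client=10.0.0.5 query=essadonio.com answer=45.182.189.71
2023-05-14T02:11:09Z flow src=10.0.0.5:49812 dst=45.182.189.71:443 proto=tcp
2023-05-14T02:12:30Z flow src=10.0.0.5:49820 dst=5.188.206.78:443 proto=tcp
2023-05-14T02:13:00Z flow src=10.0.0.7:51000 dst=203.0.113.20:443 proto=tcp
2023-05-14T02:13:05Z dns client=10.0.0.7 query=www.example.com answer=198.51.100.8
""".splitlines()


def triage(banners: Dict[str, str], log_lines: List[str]) -> Dict[str, object]:
    """Combine both checks into one report."""
    hits = find_c2_hits(log_lines)
    return {
        "vulnerable_hosts": sorted(h for h, b in banners.items() if is_vulnerable_build(b)),
        "non_serv_u_hosts": sorted(h for h, b in banners.items() if is_vulnerable_build(b) is None),
        "c2_indicators_seen": sorted({indicator for indicator, _ in hits}),
        "c2_hit_count": len(hits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BANNERS, SAMPLE_LOG), indent=2))
```

Banner matching confirms exposure, not compromise; a host that is both below the threshold and talking to one of the listed indicators is the one to image first.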
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.0CRITICAL
cisa10.0CRITICAL
GHSA
GHSA-cpmg-9xq8-3934: Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability
ghsa_unreviewed·2022-05-24
CVE-2021-35211 [CRITICAL] CWE-668 GHSA-cpmg-9xq8-3934: Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
VulnCheck
SolarWinds Serv-U Remote Code Execution Vulnerability
vulncheck·2021·CVSS 9.0
CVE-2021-35211 [CRITICAL] CWE-787 SolarWinds Serv-U Remote Code Execution Vulnerability
SolarWinds Serv-U Remote Code Execution Vulnerability
SolarWinds Serv-U contains an unspecified memory escape vulnerability which can allow for remote code execution.
Affected: SolarWinds Serv-U
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/; https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://research.nccgroup.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access; https://research.nccgroup.
CISA
SolarWinds Serv-U Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 10.0
CVE-2021-35211 [CRITICAL] CWE-787 SolarWinds Serv-U Remote Code Execution Vulnerability
Vulnerability: SolarWinds Serv-U Remote Code Execution Vulnerability
Affected: SolarWinds Serv-U
SolarWinds Serv-U contains an unspecified memory escape vulnerability which can allow for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-35211
Remediation Due Date: 2021-11-17
Suricata
ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1 (CVE-2021-35211)
suricata·2021-09-02·CVSS 9.0
CVE-2021-35211 [CRITICAL] ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1 (CVE-2021-35211)
ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1 (CVE-2021-35211)
Rule: alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; threshold:type threshold, track by_dst, count 10, seconds 30; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033893; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_09_02, mitre_tactic_id TA0001, mitre_tactic_name I
Suricata
ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2 (CVE-2021-35211)
suricata·2021-09-02·CVSS 9.0
CVE-2021-35211 [CRITICAL] ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2 (CVE-2021-35211)
ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2 (CVE-2021-35211)
Rule: alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; content:"|ec 19 0e 80 01|"; distance:0; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033894; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_09_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_t
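To make the two ET rules' real matching conditions visible, here is an emulation of sid 2033893 (M1) and sid 2033894 (M2) over constructed packets. This is an added example, not Suricata and not part of the Emerging Threats rule set; the Packet class, the traffic in build_samples() and the threshold bookkeeping are assumptions of the example (a close approximation of Suricata's "type threshold" counter, not a byte-for-byte reimplementation). The byte strings it matches are taken from the rules above.

```python
"""Emulation of the Emerging Threats Suricata rules for CVE-2021-35211:
sid 2033893 (M1) and sid 2033894 (M2), applied to constructed packets.

Added example, not Suricata. It shows what the rules actually test:
  M1: to-server packet to port 22, payload > 150 bytes, containing
      "SSH-2.0-\\r\\n" (a banner with an EMPTY software-version string);
      alert when 10 such packets hit one destination within 30 s.
  M2: same banner content, followed later in the same packet by the bytes
      ec 19 0e 80 01; alerts per packet, no threshold.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

EMPTY_BANNER = b"SSH-2.0-\r\n"               # content:"SSH-2.0-|0d 0a|"
M2_MARKER = bytes.fromhex("ec190e8001")      # content:"|ec 19 0e 80 01|"; distance:0
M1_COUNT, M1_WINDOW_S, MIN_DSIZE, SSH_PORT = 10, 30.0, 150, 22


@dataclass
class Packet:
    """Minimal client->server TCP segment (an assumption of this example)."""
    ts: float        # seconds
    dst: str         # destination IP, the key for track by_dst
    dport: int
    payload: bytes


def matches_m2(p: Packet) -> bool:
    """sid 2033894: empty-version banner, then ec 19 0e 80 01 later in the packet."""
    if p.dport != SSH_PORT or len(p.payload) <= MIN_DSIZE:
        return False
    i = p.payload.find(EMPTY_BANNER)
    return i != -1 and p.payload.find(M2_MARKER, i + len(EMPTY_BANNER)) != -1


def run_m1(packets: List[Packet]) -> List[Tuple[float, str]]:
    """sid 2033893: threshold type threshold, track by_dst, count 10, seconds 30.

    Returns one (ts, dst) per alert. Suricata alerts each time the per-dst
    counter reaches 10 inside the window; this sliding-window approximation
    resets the counter after an alert.
    """
    seen: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: List[Tuple[float, str]] = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.dport != SSH_PORT or len(p.payload) <= MIN_DSIZE or EMPTY_BANNER not in p.payload:
            continue
        window = seen[p.dst]
        window.append(p.ts)
        while window and p.ts - window[0] > M1_WINDOW_S:
            window.popleft()
        if len(window) >= M1_COUNT:
            alerts.append((p.ts, p.dst))
            window.clear()
    return alerts


def build_samples() -> Dict[str, List[Packet]]:
    """Constructed traffic, NOT captured from a real exploit or host."""
    banner_only = EMPTY_BANNER + b"\x00" * 200                            # 210 bytes
    with_marker = EMPTY_BANNER + b"\x00" * 100 + M2_MARKER + b"\x00" * 60  # 175 bytes
    legit = b"SSH-2.0-OpenSSH_8.9p1\r\n" + b"\x00" * 200                  # real clients name themselves
    return {
        "burst": [Packet(float(i), "10.0.0.20", 22, banner_only) for i in range(12)],
        "m2": [Packet(100.0, "10.0.0.20", 22, with_marker)],
        "legit": [Packet(float(200 + i), "10.0.0.20", 22, legit) for i in range(12)],
        "other_port": [Packet(float(300 + i), "10.0.0.21", 2222, banner_only) for i in range(12)],
    }


def evaluate(samples: Dict[str, List[Packet]]) -> Dict[str, object]:
    """Run both rules over every sample packet and summarise."""
    every = [p for group in samples.values() for p in group]
    return {"m1_alerts": run_m1(every), "m2_hits": sum(matches_m2(p) for p in every)}


if __name__ == "__main__":
    print(evaluate(build_samples()))
```

Two things fall out of running it: twelve legitimate OpenSSH banners never trip M1 because "SSH-2.0-" is not directly followed by CRLF, and the identical anomalous burst aimed at port 2222 is invisible to both rules, so a Serv-U SFTP listener on a non-default port needs the port list widened.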
Suricata
ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)
suricata·2021-07-14
CVE-2021-35211 ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)
ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)"; flow:established,to_client; file.data; content:"RhinoSoft"; content:"Serv-U"; distance:0; content:"\\r\\nCRhinoUintAttr\\r\\nLastHour\\r\\n"; fast_pattern; content:".Archive"; content:"Serv-U-Tray.exe"; content:"window.close|28 29|"; reference:md5,2443968bb4d1c9f5e99d4dd09fd754af; reference:url,www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211; classtype:trojan-activity; sid:2033321; rev:2; metadata:attack_target Server, created_at 2021_07_14, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofp
Nuclei
SolarWinds Serv-U FTP - Remote Code Execution
nuclei·CVSS 10.0
CVE-2021-35211 [CRITICAL] SolarWinds Serv-U FTP - Remote Code Execution
SolarWinds Serv-U FTP - Remote Code Execution
SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 contain a remote memory escape vulnerability that leads to remote code execution, letting attackers gain privileged access; exploitation requires a remote attacker to send crafted memory operations.
Template:
id: CVE-2021-35211
info:
  name: SolarWinds Serv-U FTP - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 contain a remote memory escape caused remote code execution vulnerability, letting attackers gain privileged access, exploit requires remote attacker to send crafted memory operations.
  impact: |
    Attackers can execute arbitrary code with high
Bleepingcomputer
CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
blogs_bleepingcomputer·2026-06-05·CVSS 7.5
CVE-2026-28318 [HIGH] CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
## CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.
Serv-U is the company's Windows and Linux file transfer software that offers Managed File Transfer (MFT) and FTP server capabilities, which allow users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP.
SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch this denial-of-service vulnerability (tracked as CVE-2026-28318 ) and said it stems from an uncontrolled resource consumption weakness.
"SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service w
Bleepingcomputer
Critical SolarWinds Serv-U flaws offer root access to servers
blogs_bleepingcomputer·2026-02-24·CVSS 9.0
[CRITICAL] Critical SolarWinds Serv-U flaws offer root access to servers
## Critical SolarWinds Serv-U flaws offer root access to servers
## Sergiu Gatlan
SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers.
Serv-U is the company's self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S.
The most severe of the four security flaws patched by SolarWinds today in Serv-U 15.5.4 is tracked as CVE-2025-40538, and it allows attackers with high privileges to gain root or admin permissions on vulnerable servers.
"A broken access control vulnerability exists in Serv-U which, when exploited, gives
Tenable
CVE-2024-28995: SolarWinds Serv-U Path/Directory Traversal Vulnerability Exploited in the Wild
blogs_tenable·2024-06-21·CVSS 8.6
[HIGH] CVE-2024-28995: SolarWinds Serv-U Path/Directory Traversal Vulnerability Exploited in the Wild
Fortinet
Ransomware Roundup - Cl0p | FortiGuard Labs
blogs_fortinet·2023-07-21·CVSS 9.8
[CRITICAL] Ransomware Roundup - Cl0p | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Ransomware Roundup - Cl0p
By Shunichi Imano and James Slaughter | July 21, 2023
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Cl0p ransomware.
Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows, Linux Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
Recently, the Cl0p ransomware group received
Dfir Report
A Truly Graceful Wipe Out
blogs_dfir_report·2023-06-12
A Truly Graceful Wipe Out
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable·2022-07-15
Cybersecurity Snapshot: 6 Things That Matter Right Now
Tenable
Securing Critical Infrastructure: What We've Learned from Recent Incidents
blogs_tenable·2022-07-14
Securing Critical Infrastructure: What We've Learned from Recent Incidents
Trendmicro
Clop in the Spotlight
blogs_trendmicro·2022-03-16
Clop in the Spotlight
## Clop in the Spotlight
The gang behind the Clop ransomware is well established in the world of cybercrime and is regarded as a trendsetter because of its constantly changing tactics, techniques and procedures. Our analysis shows why this ransomware is notorious.
By: Trend Micro, Mar 16, 2022
Original article by Trend Micro Research
Clop (sometimes also "Cl0p") has been one of the most prolific ransomware families of the past three years. It is notorious for compromising high-profile organizations across industries worldwide with multi-stage extortion techniques, leading to payments estimated at USD 500 million by November 2021. Worldwide efforts to dismantle ransomware cartels
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISAs Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Tenable
CVE-2021-35211: SolarWinds Serv-U Managed File Transfer Zero-Day Vulnerability Exploited in Targeted Attacks
blogs_tenable·2021-07-14·CVSS 9.0
[CRITICAL] CVE-2021-35211: SolarWinds Serv-U Managed File Transfer Zero-Day Vulnerability Exploited in Targeted Attacks
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
References
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35211
2021-07-14
Published
2021-11-03
Added to CISA KEV
Exploited in the wild