CVE-2021-35211
published 2021-07-14


Priority: P1 (99) · Severity: critical · CVSS 3.1 base score: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 91.16% (99.8th percentile)
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U. Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.

Affected

3 ranges

Vendor      Product                                                       Version range   Fixed in
solarwinds  serv-u                                                        < 15.2.3        15.2.3
solarwinds  serv-u                                                        (not given)     (not given)
solarwinds  serv-u_managed_file_transfer_server_and_serv-u_secured_ftp    < 15.2.3 HF1    15.2.3 HF1

Note: these ranges disagree with the description above, which names 15.2.3 HF2 as the fixed release. Treat 15.2.3 and 15.2.3 HF1 as affected and confirm the installed hotfix level against the vendor advisory rather than the bare version.

Detection & IOCs (extracted from sources)

other     SSH-2.0-Serv-U
version   < 15.2.3.742
ip        5.188.86[.]18
ip        92.118.36[.]199
ip        5.188.206[.]78
ip        45.182.189[.]71
domain    essadonio[.]com
url       hxxps[:]//hrcbishtek[.]com/{5 alphanumeric characters}
url       hxxps[:]//imsagentes[.]pe/dgrjfj
url       hxxps[:]//ecorfan[.]org/base/sj/Document_may_24_16654[.]exe
filename  Document_may_24_16654.exe
regex     SSH-2.0-Serv-U banner: SSH-2.0-Serv-U_(\d+\.\d+\.\d+)(?:\.(\d+))?  (a banner-matching regex, not a YARA rule)

  • Alert on outbound connections to 5.188.86[.]18:443 and 92.118.36[.]199:443, identified as BARBWIRE (FlawedGrace) C2 infrastructure used post-exploitation of CVE-2021-35211.
  • Alert on outbound connections to 5.188.206[.]78, identified as the Cobalt Strike C2 server staged via TRUECORE (Truebot) after CVE-2021-35211 exploitation.
  • Detect injection into cmd.exe by monitoring for remote thread creation in cmd.exe with RWX memory regions containing an MZ (0x4d5a) PE header, a Cobalt Strike beacon injection indicator.
  • Monitor for MBR overwrite events (MBR Killer wiper) on hosts where FlawedGrace was running; it was triggered as a final destructive action post-exfiltration in CVE-2021-35211-linked intrusions.
  • Detect Truebot C2 DNS resolution for essadonio[.]com (resolving to 45.182.189[.]71), used as the initial callback after Truebot execution following CVE-2021-35211 exploitation.
  • Caveat: the C2 IPs (5.188.86[.]18, 92.118.36[.]199, 5.188.206[.]78) and domain (essadonio[.]com) were observed in a May 2023 intrusion attributed to Lace Tempest/FIN11 that leveraged CVE-2021-35211 as an initial access vector; they may no longer be active and are not exclusive to CVE-2021-35211 exploitation.
  • Caveat: the Nuclei template detection relies on SSH banner version comparison and is passive/informational; it does not confirm active exploitation, only the presence of a Serv-U version that reports itself as vulnerable.
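The following Python script is an added example, not part of this page's data, the Nuclei template, or any vendor tool. It applies the banner regex listed above to decide whether a Serv-U SSH banner reports a build below the page's 15.2.3.742 threshold (treating a bare "15.2.3" with no build number as unproven rather than patched, since the description says 15.2.3 HF1 is still affected), and then matches the listed C2 and payload IOCs against constructed firewall, DNS and proxy log lines. The log lines, the internal client address 10.20.3.14, the sample banners and the function names are assumptions for illustration; the IOC values and labels come from the list above.

```python
import re

# Banner regex exactly as listed in the IOC section above.
BANNER_RE = re.compile(r"SSH-2\.0-Serv-U_(\d+\.\d+\.\d+)(?:\.(\d+))?")
# Threshold from the page's "version" IOC: builds below 15.2.3.742 are vulnerable.
FIXED_BUILD = (15, 2, 3, 742)


def classify_banner(banner: str) -> str:
    """Classify an SSH banner as vulnerable / patched / unknown-build / not-serv-u.

    This is a passive check: it only reports what the server claims about its
    version, exactly like the Nuclei template, and proves nothing about exploitation.
    """
    m = BANNER_RE.search(banner)
    if m is None:
        return "not-serv-u"
    version = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is None:
        # No build number in the banner. 15.2.3 and 15.2.3 HF1 are both affected
        # per the description, so a bare 15.2.3 cannot be proven patched.
        if version < FIXED_BUILD[:3]:
            return "vulnerable"
        return "unknown-build" if version == FIXED_BUILD[:3] else "patched"
    return "vulnerable" if version + (int(m.group(2)),) < FIXED_BUILD else "patched"


# IOCs from the page, kept defanged as listed; labels summarise the page's notes.
IOCS = {
    "5.188.86[.]18": "BARBWIRE/FlawedGrace C2",
    "92.118.36[.]199": "BARBWIRE/FlawedGrace C2",
    "5.188.206[.]78": "Cobalt Strike C2 staged via Truebot",
    "45.182.189[.]71": "Truebot C2 (resolution of essadonio[.]com)",
    "essadonio[.]com": "Truebot C2 domain",
    "hrcbishtek[.]com": "payload URL host",
    "imsagentes[.]pe": "payload URL host",
    "ecorfan[.]org": "payload URL host",
    "Document_may_24_16654.exe": "payload filename",
}


def refang(ioc: str) -> str:
    """Turn the defanged page notation back into a matchable string."""
    return ioc.replace("[.]", ".")


# Anchor each IOC so that 5.188.86.18 does not fire on 15.188.86.18 or 5.188.86.180.
IOC_PATTERNS = [
    (ioc, label, re.compile(r"(?<![\w.])" + re.escape(refang(ioc)) + r"(?!\w)"))
    for ioc, label in IOCS.items()
]


def scan_logs(lines):
    """Return (line_index, ioc, label) for every IOC hit in the given log lines."""
    hits = []
    for idx, line in enumerate(lines):
        for ioc, label, pattern in IOC_PATTERNS:
            if pattern.search(line):
                hits.append((idx, ioc, label))
    return hits


# Constructed sample log lines (not real telemetry); 10.20.3.14 is a made-up client.
# Line 2 is a deliberate near-miss (15.188.86.18) that must not match.
SAMPLE_LOGS = [
    "2023-05-12T08:01:13Z fw allow src=10.20.3.14 dst=5.188.86.18:443 proto=tcp",
    "2023-05-12T08:01:15Z dns query=essadonio.com answer=45.182.189.71 client=10.20.3.14",
    "2023-05-12T08:02:40Z fw allow src=10.20.3.14 dst=15.188.86.18:443 proto=tcp",
    "2023-05-12T08:03:02Z proxy GET https://ecorfan.org/base/sj/Document_may_24_16654.exe client=10.20.3.14",
    "2023-05-12T08:04:00Z fw allow src=10.20.3.14 dst=8.8.8.8:53 proto=udp",
]

if __name__ == "__main__":
    # Constructed banners: build numbers here are illustrative, not real Serv-U builds.
    for banner in ("SSH-2.0-Serv-U_15.2.2.703", "SSH-2.0-Serv-U_15.2.3",
                   "SSH-2.0-Serv-U_15.2.3.742", "SSH-2.0-OpenSSH_8.9p1"):
        print(f"{banner:32} -> {classify_banner(banner)}")
    for idx, ioc, label in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {ioc} ({label})")
```

The IOC patterns are anchored with a lookbehind and lookahead on the bare value rather than matched as plain substrings; without that, an IP like 5.188.86.18 would also fire on unrelated addresses such as 15.188.86.18, which is the kind of false positive that gets an IOC rule tuned out of a SIEM. Version comparison is done on integer tuples, not strings, so 15.2.3.742 is correctly ordered against 15.2.3.1000 or 15.2.10.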

CVSS provenance

NVD (v3.1)   10.0  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD (v2.0)   10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck     9.0  CRITICAL
CISA         10.0  CRITICAL