CVE-2021-35250
Published 2022-04-25
Priority: P179, high; CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 14.40% (96.2th percentile)
A researcher reported a directory traversal vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u | — | — |
| solarwinds | serv-u | >= 15.3 only < 15.3 Hotfix 1 | 15.3 Hotfix 1 |
Detection & IOCs
URL: /?Command=NOOP&InternalFile=../../../../../../../../../../../../../../Windows/win.ini&NewWebClient=1
- Exploit sends a POST request to /?Command=NOOP with the InternalFile parameter set to a path-traversal string targeting Windows/win.ini; response body containing [fonts], [extensions], or [files] sections confirms successful traversal.
- Successful exploitation returns HTTP 401 status alongside win.ini content in the response body; match on both status 401 AND regex \[(font|extension|file)s\] to confirm exploitation.
- Shodan queries for exposed Serv-U instances: search for product:"Rhinosoft Serv-U httpd" or product:"rhinosoft serv-u httpd" to identify attack surface.
- The InternalFile parameter is the injection point; monitor HTTP POST requests to the Serv-U web interface where InternalFile contains ../ sequences.
- The traversal payload targets Windows/win.ini specifically; the vulnerability affects Serv-U 15.3 only and is patched in Serv-U 15.3 Hotfix 1.
- The exploit requires no authentication (PR:N, UI:N per CVSS), meaning unauthenticated remote attackers can trigger the traversal directly against the web interface.
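
The matching logic from the bullets above, as an added example (not taken from the page's sources or the Nuclei template): it flags a request whose InternalFile query parameter decodes to a `../` or `..\` step, and reports it as confirmed only when the response is a 401 carrying a win.ini section header. It goes slightly beyond the bullets by undoing repeated percent-encoding; the function names and the sample transactions are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Regex given on the page: win.ini section headers in the response body.
WIN_INI = re.compile(r"\[(font|extension|file)s\]")
# One traversal step after decoding: "../" or "..\".
TRAVERSAL = re.compile(r"\.\.[/\\]")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(url, status, body=""):
    """Return 'clean', 'attempt' or 'confirmed' for one HTTP transaction.

    The page describes POST requests; the method is deliberately not
    checked here, so the same parameter abuse is flagged on any verb.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Parameter name compared case-insensitively (an assumption, for robustness).
    values = [v for k, vs in query.items() if k.lower() == "internalfile" for v in vs]
    if not any(TRAVERSAL.search(fully_decode(v)) for v in values):
        return "clean"
    # Page's confirmation rule: status 401 AND win.ini sections in the body.
    if status == 401 and WIN_INI.search(body):
        return "confirmed"
    return "attempt"

# Constructed sample transactions: (request URL, response status, response body).
SAMPLES = [
    ("/?Command=NOOP&InternalFile=../../../Windows/win.ini&NewWebClient=1",
     401, "; for 16-bit app support\n[fonts]\n[extensions]\n"),
    ("/?Command=NOOP&InternalFile=%252e%252e%252fWindows%252fwin.ini", 401, "Unauthorized"),
    ("/?Command=NOOP&NewWebClient=1", 401, ""),
    ("/?Command=NOOP&InternalFile=logo.png", 200, ""),
]

def scan(samples=SAMPLES):
    """Classify every transaction and return the verdicts in order."""
    return [classify(url, status, body) for url, status, body in samples]

if __name__ == "__main__":
    for (url, status, _), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:9} {status} {url}")
```

An "attempt" verdict on a host still running Serv-U 15.3 without Hotfix 1 is worth triaging even without body capture, since most access logs record only the URL and status.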
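CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |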
GHSA
GHSA-7pjc-f7p6-mpfc
ghsa_unreviewed · 2022-04-26
CVE-2021-35250 [HIGH] CWE-22
A researcher reported a directory traversal vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
VulnCheck
SolarWinds Serv-U Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2021 · CVSS 7.5
CVE-2021-35250 [HIGH]
A researcher reported a directory traversal vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
Affected: SolarWinds Serv-U
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-24&host_type=src&vulnerability=cve-2021-35250; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-35250; https://d
No detection rules found.
Nuclei
SolarWinds Serv-U 15.3 - Directory Traversal
nuclei · CVSS 7.5
CVE-2021-35250 [HIGH]
SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2021-35250

info:
  name: SolarWinds Serv-U 15.3 - Directory Traversal
  author: johnk3r,pdteam
  severity: high
  description: |
    SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exp
```
- https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-3-HotFix-1?language=en_US
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35250