CVE-2021-35250
published 2022-04-25

Priority P179 high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 14.40% (96.2th percentile)

A researcher reported a directory traversal vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u | | |
| solarwinds | serv-u | >= 15.3 only < 15.3 Hotfix 1 | 15.3 Hotfix 1 |

Detection & IOCs (extracted from sources)

url: /?Command=NOOP&InternalFile=../../../../../../../../../../../../../../Windows/win.ini&NewWebClient=1
path: ../../../../../../../../../../../../../../Windows/win.ini
  • Exploit sends a POST request to /?Command=NOOP with the InternalFile parameter set to a path-traversal string targeting Windows/win.ini; response body containing [fonts], [extensions], or [files] sections confirms successful traversal.
  • Successful exploitation returns HTTP 401 status alongside win.ini content in the response body — match on both status 401 AND regex \[(font|extension|file)s\] to confirm exploitation.
  • Shodan queries for exposed Serv-U instances: search for product:"Rhinosoft Serv-U httpd" or product:"rhinosoft serv-u httpd" to identify attack surface.
  • The InternalFile parameter is the injection point; monitor HTTP POST requests to the Serv-U web interface where InternalFile contains ../ sequences.
  • The traversal payload targets Windows/win.ini specifically; the vulnerability affects Serv-U 15.3 only and is patched in Serv-U 15.3 Hotfix 1.
  • The exploit requires no authentication (PR:N, UI:N per CVSS), meaning unauthenticated remote attackers can trigger the traversal directly against the web interface.
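
The detection notes above, applied to HTTP transaction records as an added example (not code from this page or from any vendor). The record fields (`target`, `req_body`, `status`, `resp_body`), the function names and the sample data are assumptions made for illustration; it also flags percent-encoded and body-carried `InternalFile` values, which goes beyond what the notes describe.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

WIN_INI = re.compile(r"\[(font|extension|file)s\]")  # regex from the notes above
TRAVERSAL = re.compile(r"\.\.[/\\]")                  # ../ or ..\ after decoding

def internal_file_values(target, req_body=""):
    """Collect InternalFile values from the query string and a form-encoded body."""
    values = []
    for raw in (urlsplit(target).query, req_body):
        values += parse_qs(raw).get("InternalFile", [])
    return values

def classify(txn):
    """Return 'confirmed', 'attempt' or None for one HTTP transaction record."""
    values = internal_file_values(txn["target"], txn.get("req_body", ""))
    # parse_qs decodes once; unquote again so double-encoded dots are flagged too
    # (added hardening assumption, not something the page describes).
    if not any(TRAVERSAL.search(unquote(v)) for v in values):
        return None
    # Both conditions from the notes: status 401 AND win.ini sections in the body.
    leaked = txn["status"] == 401 and WIN_INI.search(txn.get("resp_body", ""))
    return "confirmed" if leaked else "attempt"

def scan(transactions):
    """Return (index, verdict) for every record that is not benign."""
    return [(i, v) for i, t in enumerate(transactions) if (v := classify(t))]

# Constructed sample records (not real traffic); field names are hypothetical.
SAMPLE = [
    {"target": "/?Command=NOOP&InternalFile=../../../../Windows/win.ini&NewWebClient=1",
     "status": 401,
     "resp_body": "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[files]\r\n"},
    {"target": "/?Command=NOOP&InternalFile=..%2f..%2fWindows%2fwin.ini&NewWebClient=1",
     "status": 401, "resp_body": "<html>Unauthorized</html>"},
    {"target": "/?Command=Login", "req_body": "user=alice",
     "status": 200, "resp_body": "ok"},
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE):
        print(index, verdict, SAMPLE[index]["target"])
```

An `attempt` verdict on a host already running 15.3 Hotfix 1 is probe traffic; a `confirmed` verdict means file contents left the server and the host should be treated as having disclosed data.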

CVSS provenance

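| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |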