Another zero-day vulnerability in SolarWinds Serv-U product exploited by cyber criminals

SolarWinds security teams are working in fast track aiming to contain the exploitation of an actively exploited zero-day vulnerability. In a recent security alert, the company mentioned a threat actor is taking advantage of security flaws in its Serv-U Managed File Transfer and Serv-U Secure FTP products to launch malware attacks against a limited group of targets.

This vulnerability appears to be unrelated to attacks on the sunburst supply chain and backdoor. Apparently, the attacks were discovered by a Microsoft research team during a routine analysis that yielded intriguing results in the SolarWinds Serv-U product.

“Microsoft sent a proof of concept of the exploit to the affected company, in addition to evidence of exploitation,” the company’s statement said. Microsoft added that it does not have a rough estimate of the number of customers affected and there are no hypotheses about the identity of the attacker.

In response to the report, SolarWinds issued an emergency update addressing the detected vulnerability, present in Serv-U 15.2.3 HF1 and earlier. The company also released some indicators of compromise, though additional details will be kept secret so as not to facilitate exploitation before full patches are released.

“The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system”, SolarWinds stated.

As mentioned at the beginning, SolarWinds rules out that this vulnerability is related to the severe attacks detected a few months ago against its SolarWinds Orion solution, attributed to threat actors based in Russia. These taques have also been linked to hacking groups in China, although these incidents were limited to the delivery of a malware variant, unlike the other incidents related to the installation of a backdoor on the compromised networks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.