CriticalCISA KEVExploited in the wildPublic exploit

RCE in SolarWinds Serv-U Managed File Transfer and Secure FTP

IdentifiersCVE-2021-35211CWE-94

CVE-2021-35211 is a remote code execution vulnerability in SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2. Microsoft discovered the flaw and SolarWinds described it as a remote memory escape vulnerability. The issue is exploitable via the SSH protocol and affects deployments where the vulnerable Serv-U SSH functionality is exposed. Reporting cited in the content indicates exploitation can cause the Serv-U process to spawn an attacker-controlled subprocess, enabling execution of malicious commands with elevated privileges on the host running Serv-U. Observed exploitation artifacts include Serv-U log exceptions such as "EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();".

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to execute arbitrary code/commands on the vulnerable Serv-U server with elevated privileges. This can provide privileged access to the machine hosting Serv-U, enabling installation of programs, deployment of follow-on tooling such as Cobalt Strike, viewing/modification/deletion of data, reconnaissance, lateral movement, persistence, and ultimately ransomware deployment or espionage activity. The content states the impact is limited to the machine hosting Serv-U and does not imply compromise of other SolarWinds products.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable SSH access/functionality on affected Serv-U installations, as the vulnerability is exploitable via SSH and the content states disabling SSH prevents exploitation. Additionally, review SolarWinds and Microsoft indicators of compromise, inspect Serv-U DebugSocketLog.txt for suspicious exceptions, review PowerShell Script Block Logging/Event ID 4104 around the time of Serv-U exceptions, and check for persistence mechanisms such as RegIdleBackup scheduled task hijacking and anomalous CLSID registry entries.

Remediation

Patch, then assume compromise.

Upgrade SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP to Serv-U 15.2.3 HF2 or later. SolarWinds released 15.2.3 HF2 as the hotfix for this vulnerability and advised customers running 15.2.3 HF1 or older versions to update immediately. The fix is also included in subsequent software updates.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SolarWindsServ-Uapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app

help net securityNews

Jun 8, 2026

CISA: Patch actively exploited SolarWinds Serv-U DoS vulnerability (CVE-2026-28318) - Help Net Security

A remote code execution vulnerability in SolarWinds Serv-U that was exploited as a zero-day for espionage and later by the Cl0p ransomware group.

bleeping computerNews

Jun 5, 2026

CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers

A SolarWinds Serv-U remote code execution vulnerability that was exploited by both ransomware operators and a named threat actor in attacks against corporate networks.

the hacker newsNews

Feb 25, 2026

SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution

A prior SolarWinds Serv-U vulnerability referenced as having been exploited by malicious actors (details not provided in the content).

bleeping computerNews

Feb 24, 2026

Critical SolarWinds Serv-U flaws offer root access to servers

A SolarWinds Serv-U Secure FTP remote code execution vulnerability that has been exploited by both cybercrime and state-sponsored actors, including in ransomware intrusions and zero-day attacks.

+9 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence12

Every observed campaign linking this CVE to a named adversary.

Associated malware15

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2021-35211

NVD

nvd.nist.gov/vuln/detail/CVE-2021-35211

MITRE CWE · CWE-94

cwe.mitre.org

Patch

microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit

Patch

solarwinds.com/trust-center/security-advisories/cve-2021-35211

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35211