CVE-2021-35211
CVE-2021-35211 is a critical-severity vulnerability in Solarwinds Serv-u with a CVSS 3.x base score of 9.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 9.0)
- CVSS v2: 10.0
- EPSS exploit prediction: 91% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-21854
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-787
- Affected product: Solarwinds Serv-u
- Published:
- Last modified:
Description
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
CVE-2021-35211: SolarWinds Serv-U Critical RCE via Out-of-Bounds Write
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2021-35211 |
| Vendor | SolarWinds |
| Product | Serv-U Managed File Transfer / Secure FTP for Windows |
| Severity | Critical (CVSS v3: 9.0 / v2: 10.0) |
| CWE | CWE-787 — Out-of-bounds Write |
| EPSS | 0.9116 (99.80th percentile) |
| KEV | Listed since 2021-11-03 |
| CISA KEV | Yes |
Summary
A remote memory-escape vulnerability in SolarWinds Serv-U for Windows allows an unauthenticated attacker to execute arbitrary code with elevated privileges on the host system. Microsoft discovered this flaw in July 2021 while investigating a separate intrusion and observed it being actively exploited as a zero-day by a sophisticated threat actor. The vulnerability stems from an out-of-bounds write (CWE-787) in the Serv-U process, leading to full system compromise without requiring authentication or user interaction.
Background
SolarWinds Serv-U is a widely deployed managed file transfer (MFT) and secure FTP solution used by enterprises to exchange sensitive data with partners and customers. In July 2021, Microsoft's Threat Intelligence Center (MSTIC) identified anomalous activity on a customer's Serv-U instance that did not match known threat actor tradecraft. During the investigation, MSTIC discovered a previously unknown vulnerability in Serv-U that was being exploited in the wild. Microsoft responsibly disclosed the flaw to SolarWinds, which released a hotfix within days. The incident occurred during a period of heightened scrutiny of SolarWinds following the SUNBURST supply-chain compromise, though the two issues are unrelated in technical origin.
Root Cause
The vulnerability is classified as CWE-787: Out-of-bounds Write. Serv-U's handling of incoming network requests contains a memory-safety defect that permits writing beyond the bounds of an allocated buffer. Specifically, the flaw resides in the Windows implementation of the Serv-U daemon and can be triggered by sending a specially crafted request to the service. This remote memory-escape condition allows the attacker to corrupt adjacent memory structures, hijack control flow, and ultimately achieve arbitrary code execution within the Serv-U process. Because Serv-U typically runs with elevated privileges on the host, successful exploitation grants the attacker SYSTEM-level access to the underlying Windows machine.
Impact
The CVSS v3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 9.0 (Critical). The CVSS v2 score is 10.0 (Critical) with vector AV:N/AC:L/Au:N/C:C/I:C/A:C.
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High (v3) / Low (v2) |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed (v3) |
| Confidentiality Impact | High / Complete |
| Integrity Impact | High / Complete |
| Availability Impact | High / Complete |
The practical impact is severe: an unauthenticated remote attacker can gain complete control over the Windows host running Serv-U. This includes the ability to install persistent backdoors, exfiltrate data transiting the MFT platform, pivot laterally within the network, and disrupt file-transfer operations. The changed-scope metric in CVSS v3.1 reflects that a compromised Serv-U instance can affect resources beyond the immediate software boundary, such as the underlying operating system and adjacent network segments.
Exploitation Walkthrough
Ethics caveat: The following description is provided for defensive awareness only. It contains no weaponized exploit code and is derived from publicly disclosed information by Microsoft and SolarWinds. Attempting to exploit systems without authorization is illegal and unethical.
The attack is network-based and targets the Serv-U service running on its default or configured listening port. The threat actor sends a malformed request that triggers the out-of-bounds write condition in Serv-U's request-processing logic. Due to the memory-escape nature of the flaw, the attacker can overwrite function pointers or other control structures to redirect execution to attacker-supplied shellcode within the process address space. Because Serv-U runs with high privileges on Windows, the executed code inherits these privileges, effectively granting SYSTEM-level access. Microsoft noted that the observed exploitation was "sophisticated," suggesting the attacker had developed a reliable exploit prior to public disclosure. No authenticated session or user interaction is required.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | SolarWinds Serv-U for Windows before 15.2.3 HF2 |
| Affected | Serv-U 15.2.3 (base release) |
| Affected | Serv-U 15.2.3 Hotfix 1 |
| Patched | Serv-U 15.2.3 Hotfix 2 (HF2) and later |
SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows are the affected product lines. Linux-based Serv-U deployments are not impacted by this specific vulnerability. Organizations should verify their installed version through the Serv-U Management Console or by checking the executable file properties on the host.
Remediation
- Upgrade immediately. Apply SolarWinds Serv-U version 15.2.3 Hotfix 2 (HF2) or later. This is the primary and most effective remediation.
- Apply compensating controls if immediate patching is not feasible:
- Restrict network access to Serv-U management and file-transfer ports to authorized IP ranges via host firewall or network ACLs.
- Disable the Serv-U SSH/SFTP listener if it is not required for business operations.
- Place Serv-U hosts in an isolated network segment with restricted outbound connectivity to prevent lateral movement.
- Review accounts and persistence. On hosts that were running vulnerable versions, inspect for unauthorized local accounts, scheduled tasks, services, or binaries that may indicate prior compromise.
- Monitor for indicators. Review Serv-U logs, Windows Event Logs, and network traffic for anomalous connections or process executions prior to the patch date.
Detection
Defenders can implement the following detection strategies:
- Network monitoring: Alert on unexpected inbound connections to Serv-U ports from untrusted source IPs, particularly if they precede anomalous process spawning on the host.
- Endpoint detection: Monitor for unexpected child processes spawned by
Serv-U.exeor the Serv-U Windows service. Legitimate Serv-U operations should not spawn command shells, scripting engines, or unknown binaries. - Memory integrity: Where available, enable exploit-protection features such as Windows Defender Exploit Guard or third-party EDR memory-protection modules to detect stack/heap corruption attempts.
- Log analysis: Correlate Serv-U access logs with Windows Security Event ID 4688 (process creation) to identify suspicious process chains originating from the Serv-U service account.
- File integrity: Monitor the Serv-U installation directory for unauthorized modifications to executables or configuration files.
Assessment
With an EPSS score of 0.9116 (placing it in the 99.80th percentile of all CVEs), this vulnerability carries an exceptionally high probability of exploitation in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog since November 2021, combined with Microsoft's confirmation of active zero-day exploitation, makes this a clear priority-one patching target for any organization running the affected product.
Key lessons:
- Memory-unsafe code in network-facing services remains a high-yield attack surface. Even established enterprise software can harbor critical memory-safety defects that grant unauthenticated remote control. Where possible, organizations should evaluate managed file transfer solutions built on memory-safe languages or with robust sandboxing.
- Threat actor interest in edge infrastructure is persistent. Serv-U sits at the network perimeter, making it an attractive target for initial access. Security teams should apply defense-in-depth principles—network segmentation, endpoint monitoring, and strict ingress filtering—to limit the blast radius of compromises in edge services.
References
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35211
Frequently asked questions
- What is CVE-2021-35211?
- Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
- How severe is CVE-2021-35211?
- CVE-2021-35211 has a CVSS 3.x base score of 9.0, rated critical severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-35211 being actively exploited?
- Yes. CVE-2021-35211 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-35211?
- CVE-2021-35211 primarily affects Solarwinds Serv-u. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-35211?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-35211 have an EU (EUVD) identifier?
- Yes. CVE-2021-35211 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-21854. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-35211 published?
- CVE-2021-35211 was published on 2021-07-14 and last updated on 2026-06-17.
References
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35211
Affected products (3)
- cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*
- cpe:2.3:a:solarwinds:serv-u:15.2.3:-:*:*:*:*:*:*
- cpe:2.3:a:solarwinds:serv-u:15.2.3:hotfix1:*:*:*:*:*:*
More vulnerabilities in Solarwinds Serv-u
- CVE-2020-35481 — Critical (CVSS 9.8): SolarWinds Serv-U before 15.2.2 allows Unauthenticated Macro Injection.
- CVE-2025-40541 — Critical (CVSS 9.1): An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious…
- CVE-2025-40540 — Critical (CVSS 9.1): A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute…
- CVE-2025-40539 — Critical (CVSS 9.1): A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute…
- CVE-2025-40538 — Critical (CVSS 9.1): A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to…
- CVE-2025-40549 — Critical (CVSS 9.1): A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to…
All CVEs affecting Solarwinds Serv-u →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…