Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

RCE in SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP

IdentifiersCVE-2021-35211CWE-787· Out-of-bounds Write

CVE-2021-35211 is a remote code execution vulnerability in SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows. The issue affects Serv-U 15.2.3 HF1 and earlier, and has been described by SolarWinds/Microsoft reporting as a remote memory escape vulnerability reachable via the SSH protocol. Public reporting indicates exploitation can trigger an exception in the SSH handling path, including log artifacts referencing "CSUSSHSocket::ProcessReceive()", after which the Serv-U process may spawn an attacker-controlled subprocess. Successful exploitation allows arbitrary command or code execution with elevated privileges on the host running Serv-U. The vulnerability was exploited in the wild by multiple threat actors, including activity attributed by Microsoft to DEV-0322 and later abuse by TA505/FIN11/Clop for initial access.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables unauthenticated remote code execution against a vulnerable internet-exposed Serv-U server over SSH, with elevated privileges on the Serv-U host. In observed intrusions, attackers used this access to execute commands, deploy Cobalt Strike, conduct reconnaissance and lateral movement, establish persistence, and ultimately support ransomware or data-theft operations. SolarWinds reporting also indicates attackers could install programs and view, modify, or delete data on the affected system.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable SSH access/functionality on affected Serv-U installations, as vendor reporting states exploitation occurs via SSH and that disabling SSH prevents exploitation. Additionally, restrict external exposure of Serv-U services, especially SSH/port 22, and review compromise indicators such as Serv-U DebugSocketLog.txt exceptions (notably "EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();"), suspicious PowerShell activity including Event ID 4104, and abuse of the RegIdleBackup scheduled task/associated CLSID registry entries.

Remediation

Patch, then assume compromise.

Upgrade SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP to Serv-U 15.2.3 HF2 or later. SolarWinds released 15.2.3 HF2 as the hotfix addressing CVE-2021-35211 and advised customers running vulnerable versions to update immediately. Future releases were stated to include the fix as well.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SolarWindsServ-Uapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app
the hacker newsNews
Feb 25, 2026
SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution

A prior SolarWinds Serv-U vulnerability referenced as having been exploited by malicious actors (details not provided in the content).

Read more
bleeping computerNews
Feb 24, 2026
Critical SolarWinds Serv-U flaws offer root access to servers

A SolarWinds Serv-U Secure FTP remote code execution vulnerability that has been exploited by both cybercrime and state-sponsored actors, including in ransomware intrusions and zero-day attacks.

Read more
nuclei templates pull requestsNews
Oct 20, 2025
Create CVE-2021-35211 (KEV)(Passive)

Unknown

Read more
the record mediaNews
Dec 13, 2022
Microsoft discovers SolarWinds zero-day exploited in the wild | The Record from Recorded Future News

A remote code execution vulnerability in SolarWinds Serv-U file transfer technology exploitable over SSH, enabling execution of malicious code with elevated privileges.

Read more
+7 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence10

Every observed campaign linking this CVE to a named adversary.

Associated malware13

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2021-35211
NVD
nvd.nist.gov/vuln/detail/CVE-2021-35211
MITRE CWE · CWE-787
Out-of-bounds Write
Patch
microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit
Patch
solarwinds.com/trust-center/security-advisories/cve-2021-35211
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35211