Microsoft discovers SolarWinds zero-day exploited in the wild
US software company SolarWinds has released security updates on Saturday to patch a vulnerability in its Serv-U file transferring technology that is being actively exploited in the wild.
The attacks and the vulnerability were discovered by Microsoft, SolarWinds said in a security advisory published over the weekend.
Tracked as CVE-2021-35211, the vulnerability is a remote code execution (RCE) bug that can be exploited via the SSH protocol to run malicious code with elevated privileges on SolarWinds applications.
The Texas-based company said the vulnerable Serv-U technology was only included with the Serv-U Managed File Transfer and Serv-U Secure FTP products and that no other SolarWinds application is affected.
- Neither SolarWinds nor Microsoft said when the attacks abusing CVE-2021-53211 started nor who was behind them.
- A Serv-U hotfix was released on Friday, July 9, 2021 — v15.2.3 HF2.
- SolarWinds shared some indicators of compromise (IOCs) related to the attacks in its security advisory. We will not be reproducing them here in case SolarWinds updates the IOCs.
- All Serv-U versions prior to v15.2.3 HF2, released on Friday, are vulnerable to attacks.
- Disabling SSH access on the two affected products prevents exploitation.
- According to a Censys search query, there are more than 8,200 SolarWinds Serv-U systems exposing their SSH port online.
We detected mass scanning activity from 22.214.171.124 (🇨🇦) between 2021-05-28T08:54:22Z and 2021-05-28T16:02:45Z.— Bad Packets (@bad_packets) July 13, 2021
Basic web scan targeting port 443/tcp – no exploit attempt or payload. Assuming it was a recon scan in this case. pic.twitter.com/Zm31JF4xFS