CVE-2018-15906
Description
SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users to execute arbitrary code via the Import feature by modifying a CSV file.
Vulnerability
SolarWinds Serv-U FTP Server version 15.1.6 contains a vulnerability in the Import feature that allows remote authenticated users to execute arbitrary code by modifying a CSV file. The exact mechanism is not detailed in the available references, but the flaw is triggered during the import process of a crafted CSV file.
Exploitation
An attacker must have valid credentials to authenticate to the FTP server. Once authenticated, they can leverage the Import feature and supply a specially modified CSV file. The attacker does not require any additional privileges beyond standard user access. The exploitation steps involve uploading or providing the malicious CSV file to the Import functionality.
Impact
Successful exploitation results in arbitrary code execution on the server running SolarWinds Serv-U FTP Server 15.1.6. The attacker gains the ability to execute commands with the privileges of the FTP server process, potentially leading to full compromise of the affected system.
Mitigation
As of the publication date (March 17, 2019), no official patch has been released for this vulnerability. Users are advised to restrict access to the Import feature to trusted users only, or to upgrade to a newer version of SolarWinds Serv-U FTP Server if a fix becomes available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 15.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- packetstormsecurity.com/files/151473/SolarWinds-Serv-U-FTP-15.1.6-Privilege-Escalation.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Feb/4 (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/106844 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.