CVE-2018-19999
Description
The local management interface in SolarWinds Serv-U FTP Server 15.1.6.25 has incorrect access controls that permit local users to bypass authentication in the application and execute code in the context of the Windows SYSTEM account, leading to privilege escalation. To exploit this vulnerability, an attacker must have local access to the host running Serv-U, and a Serv-U administrator must have an active management console session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SolarWinds Serv-U FTP Server 15.1.6.25 and earlier has broken access controls allowing local users to bypass authentication and execute code as SYSTEM.
Vulnerability
The local management interface in SolarWinds Serv-U FTP Server version 15.1.6.25 and earlier has incorrect access controls that permit local users to bypass authentication. This vulnerability requires the attacker to have local access to the host and a Serv-U administrator to have an active management console session [1].
Exploitation
An attacker with local access to the Serv-U server can exploit the broken access controls to bypass authentication. The attacker must have a local user account on the Windows host, and a Serv-U administrator must have an active management console session. The exact exploitation steps are not detailed in the reference, but the authentication bypass allows arbitrary code execution [1].
Impact
Successful exploitation allows the attacker to execute code in the context of the Windows SYSTEM account, resulting in complete compromise of the affected system (privilege escalation from local user to SYSTEM). This leads to full control over the host [1].
Mitigation
The vulnerability is fixed in Serv-U FTP Server version 15.1.7. Users should upgrade to this version or later. No workarounds are mentioned in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SolarWinds/Serv-U FTP Server
- Range: =15.1.6.25
Patches
No patches discovered yet.
References
- seclists.org/fulldisclosure/2019/May/46 (mitre, x_refsource_MISC)
- www.themissinglink.com.au/security-advisories-cve-2018-19999 (mitre, x_refsource_MISC)