VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2021 · Updated Sep 17, 2024

Broken Access Control Vulnerability for SolarWinds Serv-U

CVE-2021-35245

Description

When a user has admin rights in Serv-U Console, the user can move, create and delete any files that are accessible on the Serv-U host machine.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A broken access control vulnerability in SolarWinds Serv-U Console allows admin users to move, create, and delete arbitrary files on the host.

Vulnerability

This vulnerability (CVE-2021-35245) is a broken access control flaw in SolarWinds Serv-U Console. An authenticated user with administrative rights can move, create, and delete any files that are accessible on the Serv-U host machine. The affected versions include Serv-U 15.2.4 HF1 and all earlier releases [1].

Exploitation

An attacker must have a valid account with administrative privileges on the Serv-U Console. The attacker can then use the console's file management capabilities to move, create, or delete files and directories anywhere on the host filesystem that the Serv-U service account has access to. No further user interaction or additional privileges are required beyond admin rights [1].

Impact

Successful exploitation lets the attacker perform arbitrary file operations on the Serv-U host, which can lead to data destruction, denial of service, or the introduction of malicious files. Since the attacker can move or delete critical system files, this may result in complete compromise of the host system's integrity and availability. The scope of impact is high, as the file operations are not restricted to the Serv-U application directory [1].

Mitigation

The vulnerability is fixed in Serv-U version 15.2.5 [1]. Users should upgrade to this version or later. No workarounds have been publicly disclosed by the vendor. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

2
