Unrated severity · NVD Advisory · Published May 17, 2022 · Updated Sep 16, 2024

Domain Admin Broken Access Control

CVE-2021-35249

Description

This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A SolarWinds Serv-U domain admin can read configuration and user data from other domains due to a broken access control flaw, allowing data leak with incomplete audit logging.

Vulnerability

A broken access control vulnerability exists in SolarWinds Serv-U versions 15.3 and earlier [1]. A domain administrator can access configuration and user data of other domains that they should not have access to. The admin is unable to modify the data (read-only operation) but can view sensitive information [1].

Exploitation

An authenticated domain administrator can exploit this flaw by using their existing permissions to access data belonging to other domains. The attacker must have domain admin privileges within the Serv-U environment. Read-only access is not logged unless the user attempts to modify data, and the activity that is logged is recorded against the original domain without specifying which domain was accessed [1]. No user interaction is required beyond the initial authentication.

Impact

Successful exploitation leads to a data leak of configuration and user data from unauthorized domains. The attacker gains read access to sensitive information they should not have, resulting in a breach of confidentiality. There is no impact on integrity or availability, as the operation is read-only [1].

Mitigation

The vulnerability is fixed in Serv-U version 15.3.1, released on the same date as the advisory (May 17, 2022) [1]. Users should upgrade to version 15.3.1 or later. No workarounds are provided in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
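The two failures described above (a read path that does not check the admin's domain scope, and an audit trail that does not name the domain that was accessed) can be modelled in a few lines. This is an added example, not Serv-U code and not part of the advisory; the `Admin` and `Server` classes, the method names and the `alpha.example`/`beta.example` data are all constructed for illustration, since the page does not describe Serv-U's internals.

```python
from dataclasses import dataclass, field

@dataclass
class Admin:
    name: str
    home_domain: str  # the only domain this admin is meant to administer

@dataclass
class Server:
    domains: dict                      # domain name -> config/user data (constructed)
    audit: list = field(default_factory=list)

    def _log(self, admin, action, target, allowed):
        # Record the actor, the actor's own domain AND the domain that was touched.
        self.audit.append({"actor": admin.name, "actor_domain": admin.home_domain,
                           "action": action, "target_domain": target,
                           "allowed": allowed})

    def read_config_unscoped(self, admin, target):
        """Flawed pattern: no domain-scope check on reads, and no audit record."""
        return self.domains[target]

    def read_config_scoped(self, admin, target):
        """Hardened pattern: enforce domain scope on reads and audit every attempt,
        including denied ones."""
        allowed = target == admin.home_domain and target in self.domains
        self._log(admin, "read_config", target, allowed)
        if not allowed:
            raise PermissionError(f"{admin.name} may not read domain {target!r}")
        return self.domains[target]

def demo():
    srv = Server({"alpha.example": {"users": ["a1"]},
                  "beta.example": {"users": ["b1"]}})
    alice = Admin("alice", "alpha.example")
    leaked = srv.read_config_unscoped(alice, "beta.example")  # returns data, logs nothing
    own = srv.read_config_scoped(alice, "alpha.example")      # allowed and logged
    try:
        srv.read_config_scoped(alice, "beta.example")
        denied = False
    except PermissionError:
        denied = True                                         # denied and logged
    return leaked, own, denied, srv.audit

if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

When reviewing any multi-domain service for this class of flaw, the audit record for a denied read is what lets an investigator see which domain an admin tried to reach.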
