SolarWinds, the US software vendor that was a target of a massive supply chain attack last December, has released a security update to address a zero-day vulnerability actively exploited by hackers in real-world attacks.
The zero-day bug (CVE-2021-35211) is a remote code execution vulnerability affecting the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP solutions. The vulnerability exists due to a boundary error. A remote attacker can send a specially crafted request to the Serv-U server, trigger memory corruption and execute arbitrary code on the target system.
The issue impacts Serv-U 15.2.3 HF1 and all prior Serv-U versions, the vendor said.
According to SolarWinds' advisory, the flaw was discovered and reported to the company by researchers at Microsoft. The company said the attacks exploiting CVE-2021-35211 affected only a small subset of its customers.
Neither SolarWinds nor Microsoft shared when these attacks started or who was behind them.