Microsoft says new SolarWinds zero-day was exploited by China-based threat actor

Microsoft says new SolarWinds zero-day was exploited by China-based threat actor

Microsoft has shared additional details on attacks exploiting a recently patched zero-day vulnerability in the SolarWinds Serv-U FTP server. According to the tech giant, the vulnerability was targeted in a campaign conducted by a threat actor tracked as DEV-0322, which operates out of China and was previously observed targeting entities in the U.S. Defense Industrial Base Sector and software companies.

“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” Microsoft said.

Over the weekend, SolarWinds released a security update to address a zero-day vulnerability (CVE-2021-35211) impacting Serv-U 15.2.3 HF1 and all prior Serv-U versions. The flaw exists in Serv-U’s implementation of the Secure Shell (SSH) protocol.

“If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data,” according to Microsoft.

The company said it discovered the DEV-0322 attacks after its Microsoft 365 Defender solution detected malicious processes spawning from Serv-U’s main application, which prompted an investigation that resulted in discovery of the zero-day vulnerability and the ongoing attacks.

"We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands," Microsoft explained in a blog post.

The threat actor has been also observed adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.

A Censys search query has shown that there are 8,344 SolarWinds Serv-U systems with SSH port exposed online.


Back to the list

Latest Posts

AI chatbots fall for phishing scams

AI chatbots fall for phishing scams

The models provided the correct URL only 66% of the time; nearly 30% of responses pointed users to dead or suspended domains.
3 July 2025
Chinese hackers exploited Ivanti flaws in attacks against French government

Chinese hackers exploited Ivanti flaws in attacks against French government

ANSSI believes that the Houken campaign is operated by ‘UNC5174’, an entity believed to act as an initial access broker for China’s Ministry of State Security.
2 July 2025
Threat actors exploit Vercel's AI tool v0 to build sophisticated phishing pages

Threat actors exploit Vercel's AI tool v0 to build sophisticated phishing pages

The malicious actors used v0.dev to create fake login pages mimicking legitimate brands.
2 July 2025