SolarWinds Serv-U File Server Command Injection Vulnerability

The Serv-U File Server supports site-specific commands that are not universally supported by FTP clients. Among these is the SITE EXEC command, which allows a user to execute programs and scripts remotely if the execute permission is set on the folder where the given program or script resides. A command injection vulnerability exists in this functionality because user-supplied parameters are passed to the ShellExecuteExW routine without proper sanitization. Successful exploitation results in arbitrary command execution in the security context of the file server.
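Because the weakness sits in how SITE EXEC arguments reach ShellExecuteExW, the most useful defender-side check while patching is to review who is issuing SITE EXEC at all, and whether the arguments carry characters the Windows command interpreter treats specially. The script below is an added triage example, not code from the advisory or from SolarWinds: it parses a constructed, hypothetical control-channel log layout (timestamp, session id, user, client address, raw command) that is assumed for illustration and is not Serv-U's actual log format, lists every SITE EXEC invocation, and raises the severity when the argument string contains shell metacharacters.

```python
"""Triage SITE EXEC usage in FTP control-channel logs (added defensive example).

The log layout below is constructed and assumed for illustration; it is not
Serv-U's real log format. Adapt LINE_RE to the format your server emits.
"""
import re
from dataclasses import dataclass

# Constructed sample log: three sessions, three SITE EXEC calls.
SAMPLE_LOG = """\
2021-09-24 10:01:12 [5] user1 (203.0.113.7) > USER user1
2021-09-24 10:01:13 [5] user1 (203.0.113.7) > CWD /scripts
2021-09-24 10:01:15 [5] user1 (203.0.113.7) > SITE EXEC report.bat monthly
2021-09-24 10:02:01 [6] user2 (198.51.100.9) > RETR data.csv
2021-09-24 10:02:44 [6] user2 (198.51.100.9) > SITE EXEC report.bat 2021 & echo test
2021-09-24 10:03:10 [7] user3 (192.0.2.5) > site exec backup.bat "a b"
"""

# Characters with meaning to the Windows command interpreter. Any of these in
# a SITE EXEC argument deserves a closer look during incident triage.
SHELL_METACHARS = set('&|<>^%`$()')

# Assumed log line layout: "<date> <time> [<session>] <user> (<ip>) > <command>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<session>\d+)\] (?P<user>\S+) \((?P<ip>[^)]+)\) > (?P<cmd>.*)$'
)
# FTP commands are case-insensitive, so match "site exec" as well as "SITE EXEC".
SITE_EXEC_RE = re.compile(r'^SITE\s+EXEC\b\s*(?P<args>.*)$', re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    session: str
    user: str
    ip: str
    args: str
    suspicious_chars: str  # metacharacters seen, in order of first appearance
    severity: str          # "high" if metacharacters present, otherwise "info"


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect_site_exec(record):
    """Return a Finding for a SITE EXEC record, or None for any other command."""
    m = SITE_EXEC_RE.match(record["cmd"])
    if not m:
        return None
    args = m.group("args")
    found = ""
    for ch in args:
        if ch in SHELL_METACHARS and ch not in found:
            found += ch
    return Finding(record["ts"], record["session"], record["user"], record["ip"],
                   args, found, "high" if found else "info")


def scan(log_text):
    """Every SITE EXEC invocation in the log, in order, each with a severity."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = inspect_site_exec(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Per-user (total SITE EXEC calls, calls carrying metacharacters)."""
    summary = {}
    for f in findings:
        total, high = summary.get(f.user, (0, 0))
        summary[f.user] = (total + 1, high + (1 if f.severity == "high" else 0))
    return summary


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:4} {f.timestamp} {f.user}@{f.ip} "
              f"SITE EXEC {f.args!r} chars={f.suspicious_chars!r}")
    print(summarize(results))
```

Every SITE EXEC call is reported, not only the ones with metacharacters: on a server where remote execution is not expected, any use of the command is itself the signal, and the per-user summary makes it easy to see which accounts hold execute permission on a folder and are actually using it. Restricting or removing that permission until the vendor fix is applied is the corresponding mitigation.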

Vulnerability Identifiers

  • Exodus Intelligence: EIP-d3400c52
  • MITRE CVE: CVE-2021-35223

Vulnerability Metrics

  • CVSSv2 Score: 9.4

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: May 14th, 2021
  • Disclosed to public: September 24th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.