Attackers have been exploiting a newly discovered zero-day flaw in SolarWinds software, the security vendor has warned.
The vulnerability exists in Serv-U Managed File Transfer Server and Serv-U Secured FTP. SolarWinds has urged all users to immediately install an emergency security update it issued on Friday to mitigate the flaw.
The flaw is designated CVE-2021-35211. “The vulnerability exists in the latest Serv-U version 15.2.3 HF1, designed for cross-platform file sharing, released May 5, and all prior versions,” SolarWinds says in a security alert issued Friday. “A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system.”