Execute Command Function Allows RCE Vulnerability (CVE-2021-35223)
Security Advisory Summary
An attacker can abuse the FTP command SITE EXEC, using command-line obfuscation to conceal a payload that can launch remote code execution (RCE) from the Serv-U server.
Affected Products
- Serv-U 15.2.3 and earlier
Fixed Software Release
Acknowledgments
- Exodus Intelligence (exodusintel.com)
Advisory Details
Severity
8.5 High
Advisory ID
First Published
08/20/2021
Fixed Version
Serv-U 15.2.4
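
A defender-side check for the two facts this advisory gives (the SITE EXEC command and the 15.2.3 / 15.2.4 version boundary). This is an added example, not SolarWinds code. The log line layout, the sample lines and the function names are constructed assumptions, so adapt the parser to the log format your server actually writes.

```python
import re

# Constructed sample lines. The field layout is an assumption, not Serv-U's log format.
SAMPLE_LOG = """\
2021-08-21 10:02:11 sess=41 user=alice cmd="LIST /pub"
2021-08-21 10:02:15 sess=41 user=alice cmd="SITE CHMOD 644 a.txt"
2021-08-21 10:03:40 sess=57 user=svc_ftp cmd="site   ExEc <arguments elided>"
2021-08-21 10:04:02 sess=57 user=svc_ftp cmd="SITE\tEXEC <arguments elided>"
2021-08-21 10:05:30 sess=60 user=bob cmd="RETR site_exec_notes.txt"
"""

LINE_RE = re.compile(r'^(\S+ \S+) sess=(\d+) user=(\S+) cmd="(.*)"$')
# FTP command verbs are case-insensitive; extra whitespace is tolerated as a precaution.
SITE_EXEC_RE = re.compile(r"^\s*SITE\s+EXEC(?:\s|$)", re.IGNORECASE)
LAST_AFFECTED = (15, 2, 3)  # from the advisory: 15.2.3 and earlier; fixed in 15.2.4


def find_site_exec(log_text):
    """Return one record per logged SITE EXEC command."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and SITE_EXEC_RE.match(m.group(4)):
            hits.append({"time": m.group(1), "session": int(m.group(2)),
                         "user": m.group(3), "command": m.group(4)})
    return hits


def is_affected(version_text):
    """True if the version string names Serv-U 15.2.3 or earlier."""
    m = re.search(r"\d+(?:\.\d+)+", version_text)
    if not m:
        raise ValueError(f"no version number in {version_text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    # Compare major.minor.patch numerically; build suffixes are ignored.
    return (parts + (0, 0))[:3] <= LAST_AFFECTED


if __name__ == "__main__":
    print("Serv-U 15.2.3 affected:", is_affected("Serv-U 15.2.3"))
    for hit in find_site_exec(SAMPLE_LOG):
        print(hit["time"], hit["session"], hit["user"], repr(hit["command"]))
```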