Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks


Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets.

Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an “input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,” Microsoft Threat Intelligence Center (MSTIC) said.

The flaw, which was discovered by security researcher Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior, and has been addressed in Serv-U version 15.3.

Read more…