Skip to main content

SolarWinds rolls out another emergency patch as new attack vector emerges

(Image credit: Image source: Shutterstock/deepadesigns)

SolarWinds has released a hotfix for two of its tools after being notified of a serious vulnerability that could open the door to remote code execution.

In an advisory, the company explained that Microsoft reported the vulnerability, which affects its Serv-U Managed File Transfer and Serv-U Secure FTP tools. All versions of the Serv-U software up to 15.2.3. HF1 are said to be vulnerable.

Microsoft provided SolarWinds with a proof of concept, demonstrating how the vulnerability could be exploited, adding that at least one threat actor has already used it.

"Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company explained. “SolarWinds is unaware of the identity of the potentially affected customers." 

All SolarWinds customers should log into their Customer Portal to access the updates and should apply the 15.2.3 hotfix 2 immediately. Customers not on active maintenance should give SolarWinds a call, it was added.

SolarWinds is a major target for both private and state-sponsored hacking groups, and was at the center of one of the greatest supply-chain attacks (opens in new tab) ever pulled off. 

Late last year, a cybercriminal syndicate (believed to be Russian state-sponsored group APT29) managed to compromise an update for a SolarWinds product and, through it, gain access to dozens of financial and tech businesses, as well as government organizations.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.