The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding the active exploitation of a recently patched high-severity vulnerability affecting SolarWinds Serv-U FTP servers. According to the agency, threat actors are currently leveraging this flaw to crash targeted servers, indicating a shift from theoretical risk to operational impact.
For organizations managing file transfer infrastructure, this is not a drill. The Serv-U application is a prime target for initial access brokers and ransomware operators due to its privileged position in the network. We are treating this with high urgency and recommend immediate validation of your patch status and defensive telemetry.
Technical Analysis
Affected Products:
- SolarWinds Serv-U FTP Server (All recent versions prior to the latest patch)
- SolarWinds Serv-U MFT Server
Vulnerability Overview: While the specific CVE identifier remains under review in some disclosures, the flaw is classified as high-severity and allows remote attackers to trigger a Denial of Service (DoS) condition, effectively crashing the server process. In certain contexts, memory corruption vulnerabilities leading to crashes can be further weaponized for Remote Code Execution (RCE), though the current wave of exploitation is focused on availability disruption.
Attack Chain:
- Reconnaissance: Threat actors scan for TCP port 21 (FTP), 22 (SSH), or HTTP management ports (typically 80/443) associated with Serv-U.
- Exploitation: A malicious payload is sent to the Serv-U server process, triggering a memory corruption error.
- Impact: The Serv-U service (
Serv-U.exe) terminates, disrupting file transfer operations and potentially damaging ongoing data transactions.
Exploitation Status:
- Confirmed Active Exploitation: Yes. CISA has observed this flaw being used in the wild to crash servers.
- CISA KEV: This vulnerability is expected to be added to the Known Exploited Vulnerabilities (KEV) catalog shortly given the active exploitation status.
Detection & Response
To defend against this threat, SOC teams must monitor for abnormal process termination of the Serv-U service and any unexpected child process spawning, which may indicate an attempt to pivot from a crash to an RCE exploit.
SIGMA Rules
---
title: Potential SolarWinds Serv-U Exploitation - Child Process
id: 88d4f1c2-3a4b-4d5e-8f9a-1b2c3d4e5f6a
status: experimental
description: Detects Serv-U spawning suspicious child processes, often a sign of successful RCE or exploitation attempts.
references:
- https://www.cisa.gov/
author: Security Arsenal
date: 2026/05/21
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\Serv-U.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative scripts invoked by Serv-U (rare)
level: high
---
title: SolarWinds Serv-U Service Crash Detection
id: 99e5g2h3-4b5c-6d7e-9f0a-2c3d4e5f6g7h
status: experimental
description: Detects unexpected termination of the Serv-U process, indicative of a DoS exploit or crash.
references:
- https://www.cisa.gov/
author: Security Arsenal
date: 2026/05/21
tags:
- attack.impact
- attack.t1499
logsource:
category: process_termination
product: windows
detection:
selection:
Image|endswith:
- '\Serv-U.exe'
filter:
ExitCode: 0
condition: selection and not filter
falsepositives:
- Rare legitimate service restarts
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for Serv-U Process Terminations (Non-Zero Exit Code)
DeviceProcessEvents
| where ActionType in ("ProcessTerminated", "ProcessStop")
| where FileName =~ "Serv-U.exe"
| where isnotempty(ExitCode) and ExitCode != 0
| project Timestamp, DeviceName, AccountName, FileName, ExitCode, InitiatingProcessFileName
| order by Timestamp desc
;
// Hunt for Suspicious Child Processes of Serv-U
DeviceProcessEvents
| where InitiatingProcessFileName =~ "Serv-U.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, FileName, CommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Serv-U Process Abnormalities and Crashes
SELECT Pid, Name, CommandLine, Exe, Username, StartTime, EndTime
FROM pslist()
WHERE Name =~ 'Serv-U'
AND EndTime > StartTime
AND ExitCode != 0
;
-- Hunt for suspicious child processes spawned by Serv-U
SELECT Parent.Pid AS ParentPid, Parent.Name AS ParentName, Child.Pid, Child.Name, Child.CommandLine
FROM pslist() AS Parent
JOIN pslist() ON Parent.Pid = Child.Ppid
WHERE Parent.Name =~ 'Serv-U'
AND Child.Name IN ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')
Remediation Script (PowerShell)
<#
.SYNOPSIS
Checks SolarWinds Serv-U version and verifies service status.
.DESCRIPTION
This script assists in identifying vulnerable Serv-U instances.
Note: Compare the detected FileVersion with the latest vendor advisory.
#>
$ServUService = Get-Service -Name "Serv-U" -ErrorAction SilentlyContinue
if ($ServUService) {
Write-Host "[+] Serv-U Service Found: Status - $($ServUService.Status)" -ForegroundColor Cyan
# Attempt to locate executable path from service config
$servicePath = (Get-WmiObject -Class Win32_Service -Filter "Name='Serv-U'").PathName
if ($servicePath) {
# Clean up path quotes and arguments
$servicePath = $servicePath -replace '"', '' -replace ' .*$', ''
if (Test-Path $servicePath) {
$fileInfo = Get-Item $servicePath
Write-Host "[+] Executable Path: $servicePath"
Write-Host "[+] File Version: $($fileInfo.VersionInfo.FileVersion)" -ForegroundColor Yellow
Write-Host "[!] ACTION REQUIRED: Please verify this version against the latest SolarWinds Security Advisory." -ForegroundColor Red
}
}
} else {
Write-Host "[-] Serv-U Service not found on this host." -ForegroundColor Gray
}
# Check for recent crash events in System Log (Last 24 hours)
Write-Host "\n[*] Checking for Service Crash Events (ID 7034)..."
$crashes = Get-EventLog -LogName System -Source "Service Control Manager" -After (Get-Date).AddHours(-24) | Where-Object { $_.EventID -eq 7034 -and $_.Message -like "*Serv-U*" }
if ($crashes) {
Write-Host "[!] ALERT: Serv-U service crashes detected in the last 24 hours!" -ForegroundColor Red
$crashes | Select-Object TimeGenerated, Message
} else {
Write-Host "[+] No recent crashes detected." -ForegroundColor Green
}
Remediation
1. Immediate Patching:
- Apply the latest security patches released by SolarWinds immediately. If you are running an unsupported version, upgrade to a supported branch first, then patch.
2. Verify Configuration:
- Ensure that the Serv-U server is not directly exposed to the public internet unless absolutely necessary. Use a VPN or Zero Trust Network Access (ZTNA) solution for administrative access.
3. Network Segmentation:
- Restrict inbound traffic to the Serv-U ports (FTP 21, SFTP 22, HTTP 80/443) to known IP ranges only.
4. Service Monitoring:
- Implement service availability monitoring to alert immediately if the Serv-U process terminates, as this is the primary indicator of the current exploitation campaign.
5. Vendor Advisory:
- Review the official SolarWinds advisory for the specific patch versions applicable to your deployment.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.