CVE-2018-19999

Name of the Vulnerable Software and Affected Versions SolarWinds Serv-U FTP Server version 15.1.6.25

Description The local management interface in SolarWinds Serv-U FTP Server has incorrect access controls, allowing local users to bypass authentication and execute code in the context of the Windows SYSTEM account, leading to privilege escalation. An attacker must have local access to the host running Serv-U and a Serv-U administrator must have an active management console session to exploit this issue.

Recommendations For SolarWinds Serv-U FTP Server version 15.1.6.25, consider restricting local access to the host and ensuring that Serv-U administrator management console sessions are properly secured and monitored until a fix is available. As a temporary workaround, limit the use of the local management interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.