{"id":42657,"date":"2021-09-02T16:00:56","date_gmt":"2021-09-02T16:00:56","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=96957"},"modified":"2021-09-02T16:00:56","modified_gmt":"2021-09-02T16:00:56","slug":"a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability\/","title":{"rendered":"A deep-dive into the SolarWinds Serv-U SSH vulnerability"},"content":{"rendered":"<p>Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributed the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/07\/13\/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit\/\">attack<\/a> with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures. In this blog, we share technical information about the vulnerability, tracked as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-35211\">CVE-2021-35211<\/a>, that we shared with SolarWinds, who promptly released <a href=\"https:\/\/www.solarwinds.com\/trust-center\/security-advisories\/cve-2021-35211\">security updates<\/a> to fix the vulnerability and mitigate the attacks.<\/p>\n<p>This analysis was conducted by the Microsoft Offensive Research &amp; Security Engineering team, a focused group tasked with supporting teams like MSTIC with exploit development expertise. Our team\u2019s remit is to make computing safer. 
We do this by leveraging our knowledge of attacker techniques and processes to build and improve protections in Windows and Azure through reverse engineering, attack creation and replication, vulnerability research, and intelligence sharing.<\/p>\n<p>In early July, MSTIC provided our team with data that seemed to indicate exploit behavior against a newly discovered vulnerability in the SolarWinds Serv-U FTP server\u2019s SSH component. Although the intel contained useful indicators, it lacked the exploit in question, so our team set out to reconstruct the exploit, which required us to first find and understand the new vulnerability in the Serv-U SSH-related code.<\/p>\n<p>As we knew this was a remote, pre-auth vulnerability, we quickly constructed a fuzzer focused on the pre-auth portions of the SSH handshake and noticed that the service captured and passed all access violations without terminating the process. It immediately became evident that the Serv-U process would make stealthy, reliable exploitation attempts simple to accomplish. We concluded that the exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages. Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation.<\/p>\n<p>We shared these findings, as well as the fuzzer we created, with SolarWinds through <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/cvd?rtc=1\">Coordinated Vulnerability Disclosure<\/a> (CVD) via <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/msvr\">Microsoft Security Vulnerability Research<\/a> (MSVR), and worked with them to fix the issue. 
This is an example of intelligence sharing and industry collaboration that results in comprehensive protection for the broader community: attacks are detected by security products, and the underlying vulnerabilities are fixed through security updates.<\/p>\n<h3>Vulnerability in Serv-U\u2019s implementation of SSH<\/h3>\n<p>Secure Shell (SSH) is a widely adopted protocol for secure communications over an untrusted network. The protocol behavior is defined in multiple requests for comment (RFCs), and existing implementations are available in open-source code; we primarily used <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc4253\">RFC 4253<\/a>, <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc4252\">RFC 4252<\/a>, and <a href=\"https:\/\/git.libssh.org\/projects\/libssh.git\/tree\/\">libssh<\/a> as references for this analysis.<\/p>\n<p>The implementation of SSH in Serv-U was found by enumerating references to the \u201cSSH-\u201d string, which must be present in the first data sent to the server. The most likely instance of such code was the following:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97026 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig1-Serv-U-SSH-blog.png\" alt=\"Screenshot of code showing instance of SSH\" width=\"799\" height=\"102\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig1-Serv-U-SSH-blog.png 799w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig1-Serv-U-SSH-blog-300x38.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig1-Serv-U-SSH-blog-768x98.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p><em>Figure 1. 
Promising instance of \u201cSSH-\u201d string<\/em><\/p>\n<p>Putting a breakpoint on the above code and attempting to connect to Serv-U with an SSH client confirmed our hypothesis and resulted in the breakpoint being hit with the following call stack:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97029 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig2-Serv-U-SSH-blog.png\" alt=\"Screenshot of code showing call stack resulting from break point\" width=\"799\" height=\"169\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig2-Serv-U-SSH-blog.png 799w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig2-Serv-U-SSH-blog-300x63.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig2-Serv-U-SSH-blog-768x162.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p><em>Figure 2. The call stack resulting from a break point set on code in Figure 1.<\/em><\/p>\n<p>At this point, we noticed that <em>Serv-U.dll<\/em> and <em>RhinoNET.dll<\/em> both have ASLR support disabled, making them prime locations for ROP gadgets, as any addresses within them will be constant across any server instances running on the internet for a given Serv-U version.<\/p>\n<p>After reversing related code in the <em>RhinoNET<\/em> and <em>Serv-U<\/em> DLLs, we could track SSH messages\u2019 paths as Serv-U processes them. To handle an incoming SSH connection, <em>Serv-U.dll<\/em> creates a <em>CSUSSHSocket<\/em> object, which is derived from the <em>RhinoNET!CRhinoSocket class<\/em>. The <em>CSUSSHSocket<\/em> object lifetime is the length of the TCP connection\u2014it persists across possibly many individual TCP packets. The underlying <em>CRhinoSocket<\/em> provides a buffered interface to the socket such that a single TCP packet may contain any number of bytes. 
This implies a single packet may include any number of SSH messages (provided they fit in the maximum buffer size), as well as partial SSH messages. The <em>CSUSSHSocket::ProcessRecvBuffer<\/em> function is then responsible for parsing the SSH messages from the buffered socket data.<\/p>\n<p><em>CSUSSHSocket::ProcessRecvBuffer<\/em> begins by checking for the SSH version with <em>ParseBanner<\/em>. If <em>ParseBanner<\/em> successfully parses the SSH version from the banner, <em>ProcessRecvBuffer<\/em> then loops over <em>ParseMessage<\/em>, which obtains a pointer to the current message in the socket data and extracts the <em>msg_id<\/em> and <em>length<\/em> fields from the message (more on the <em>ParseMessage<\/em> function later).<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97035 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"799\" height=\"698\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3-Serv-U-SSH-blog.png 799w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3-Serv-U-SSH-blog-300x262.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3-Serv-U-SSH-blog-768x671.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p><em>Figure 3. Selection of code from CSUSSHSocket::ProcessRecvBuffer processing loop<\/em><\/p>\n<p>The socket data being iterated over is conceptually an array of the pseudo-C structure <em>ssh_msg_t<\/em>, as seen below. 
The message data is contained within the payload buffer, the first byte of which is considered the <em>msg_id<\/em>:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97032 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3a-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"805\" height=\"210\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3a-Serv-U-SSH-blog.png 805w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3a-Serv-U-SSH-blog-300x78.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig3a-Serv-U-SSH-blog-768x200.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\"><\/p>\n<p><em>ProcessRecvBuffer<\/em> then dispatches handling of the message based on the <em>msg_id<\/em>. Some messages are handled directly from the message parsing loop, while others get passed to <em>ssh_pkt_others<\/em>, which posts the message to a queue for another thread to pick up and process.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97038 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig4-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"799\" height=\"466\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig4-Serv-U-SSH-blog.png 799w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig4-Serv-U-SSH-blog-300x175.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig4-Serv-U-SSH-blog-768x448.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p><em>Figure 4. Pre-auth reachable handlers in CSUSSHSocket::ProcessRecvBuffer<\/em><\/p>\n<p>If the <em>msg_id<\/em> is deferred to the alternate thread, <em>CSSHSession::OnSSHMessage<\/em> processes it. 
This function mainly deals with messages that need to interact with Serv-U managed user profile data (e.g., authentication against per-user credentials) and UI updates. <em>CSSHSession::OnSSHMessage<\/em> turned out to be uninteresting in terms of vulnerability hunting, as most message handlers within it require successful user authentication (initial telemetry indicated this was a pre-authentication vulnerability), and no vulnerabilities were found in the remaining handlers.<\/p>\n<p>When initially running fuzzers against Serv-U with a debugger attached, it was evident that the application was catching exceptions which would normally crash a process (such as access violations), logging the error, modifying state just enough to avoid termination of the process, and then continuing as if there had been no problem. This behavior improves uptime of the file server application but also results in possible memory corruption lingering in the process and building up over time. For an attacker, this grants opportunities such as brute-forcing the dynamic addresses of code or data.<\/p>\n<p>This squashing of access violations assists with exploitation, but for fuzzing, we filtered out \u201cuninteresting\u201d exceptions generated by read\/write access violations and let the fuzzer run until hitting a fault wherein RIP had been corrupted. 
This quickly resulted in the following crashing context:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97047 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5-Serv-U-SSH-blog.png\" alt=\"Screenshot of Wndbg\" width=\"799\" height=\"687\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5-Serv-U-SSH-blog.png 799w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5-Serv-U-SSH-blog-300x258.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5-Serv-U-SSH-blog-768x660.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p><em>Figure 5. WinDbg showing crashing context from fuzzer-generated SSH messages<\/em><\/p>\n<p>As seen above, <em>CRYPTO_ctr128_encrypt<\/em> in <em>libeay32.dll<\/em> (part of OpenSSL) attempted to call an invalid address. The version of OpenSSL used is 1.0.2u, so we obtained the <a href=\"https:\/\/www.openssl.org\/source\/old\/1.0.2\/openssl-1.0.2u.tar.gz\">sources<\/a> to peruse. 
The following shows the relevant OpenSSL function:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97041 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5a-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"805\" height=\"546\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5a-Serv-U-SSH-blog.png 805w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5a-Serv-U-SSH-blog-300x203.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5a-Serv-U-SSH-blog-768x521.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\"><\/p>\n<p>Meanwhile, the following shows the structure that is passed:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97044 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5b-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"805\" height=\"315\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5b-Serv-U-SSH-blog.png 805w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5b-Serv-U-SSH-blog-300x117.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig5b-Serv-U-SSH-blog-768x301.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\"><\/p>\n<p>The crashing function was reached from the OpenSSL API boundary via the following path: <em>EVP_EncryptUpdate<\/em> -&gt; <em>evp_EncryptDecryptUpdate<\/em> -&gt; <em>aes_ctr_cipher<\/em> -&gt; <em>CRYPTO_ctr128_encrypt<\/em>.<\/p>\n<p>Looking further up the call stack, it is evident that Serv-U calls <em>EVP_EncryptUpdate<\/em> from <em>CSUSSHSocket::ParseMessage<\/em>, as seen below:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97062 size-full\" 
src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6-Serv-U-SSH-blog.png\" alt=\"Screenshot of code showing location of SSL\" width=\"799\" height=\"499\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6-Serv-U-SSH-blog.png 799w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6-Serv-U-SSH-blog-300x187.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6-Serv-U-SSH-blog-768x480.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p><em>Figure 6. Location of call into OpenSSL, wherein attacker-controlled function pointer may be invoked<\/em><\/p>\n<p>At this point, we manually minimized the TCP packet buffer produced by the fuzzer until only the SSH messages required to trigger the crash remained. In notation like that used in the RFCs, the required SSH messages were:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97050 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6a-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"805\" height=\"357\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6a-Serv-U-SSH-blog.png 805w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6a-Serv-U-SSH-blog-300x133.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6a-Serv-U-SSH-blog-768x341.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\"><\/p>\n<p>Note that the following description references \u201cencrypt\u201d functions being called when the crashing code path is clearly attempting to decrypt a buffer. 
This is not an error: Serv-U uses the encrypt OpenSSL API and, while not optimal for code clarity, it is behaviorally correct since Advanced Encryption Standard (AES) is operating in counter (CTR) mode.<\/p>\n<p>After taking a Time Travel Debugging trace and debugging through the message processing sequence, we found that the root cause of the issue was that Serv-U initially creates the OpenSSL AES128-CTR context with code like the following:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97053 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6b-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"805\" height=\"63\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6b-Serv-U-SSH-blog.png 805w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6b-Serv-U-SSH-blog-300x23.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6b-Serv-U-SSH-blog-768x60.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\"><\/p>\n<p>Calling <a href=\"https:\/\/www.openssl.org\/docs\/man1.0.2\/man3\/EVP_EncryptInit_ex.html\"><em>EVP_EncryptInit_ex<\/em><\/a> with NULL key and\/or IV is valid, and Serv-U does so in this case because the context is created while handling the KEXINIT message, which is before key material is ready. However, AES key expansion is not performed until the key is set, and the data in the <em>ctx-&gt;cipher_data<\/em> structure remains uninitialized until the key expansion is performed. We can (correctly) surmise that our sequence of messages to hit the crash has caused <em>enc_algo_client_to_server-&gt;decrypt<\/em> to be called before the key material is initialized. The Serv-U KEXINIT handler creates objects for all parameters given in the message. 
However, the corresponding objects currently active for the connection are not replaced with the newly created ones until the following NEWKEYS message is processed. In a normal SSH connection, the client always completes the key exchange process before issuing a NEWKEYS message. Serv-U, however, processed NEWKEYS (thus setting the <em>m_bCipherActive<\/em> flag and replacing the cipher objects) regardless of the connection state or the progress of the key exchange. From this, we can see that the last message type in our fuzzed sequence does not matter\u2014there only needs to be some data remaining to be processed in the socket buffer to trigger decryption after the partially initialized AES CTR cipher object has been activated.<\/p>\n<h3>Exploitation<\/h3>\n<p>As the vulnerability allows loading RIP from uninitialized memory and as there are some modules without ASLR in the process, exploitation is not so complicated: we can find a way to control the content of the uninitialized <em>cipher_data<\/em> structure, point the <em>cipher_data-&gt;block<\/em> function pointer at some initial ROP gadget, and start a ROP chain. Because the exception handler causes any fault to be ignored, we do not necessarily need to attain reliable code execution upon the first packet. It is possible to retry exploitation until code execution is successful; however, this will leave traces in log files, and as such it may be worthwhile to invest more effort into a different technique which would avoid logging.<\/p>\n<p>The first step is to find the size of the <em>cipher_data<\/em> allocation, as the most direct avenue to prefill the buffer is to spray allocations of the target allocation size and free them before attempting to reclaim the address as <em>cipher_data<\/em>. 
<em>ctx-&gt;cipher_data<\/em> is allocated and assigned in <em>EVP_CipherInit_ex<\/em> with the following line:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97056 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6c-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"805\" height=\"21\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6c-Serv-U-SSH-blog.png 805w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6c-Serv-U-SSH-blog-300x8.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6c-Serv-U-SSH-blog-768x20.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6c-Serv-U-SSH-blog-767x21.png 767w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\"><\/p>\n<p>With a debugger, we can see that the <em>ctx_size<\/em> in our case is <em>0x108<\/em>, and that this allocator winds up calling <em>ucrtbase!_malloc_base<\/em>. From previous reversing, we know that both the <em>CRhinoSocket<\/em> and <em>CSUSSHSocket<\/em> levels of packet parsing call <em>operator new[]<\/em> to allocate space to hold the packets we send. Luckily, that also winds up in <em>ucrtbase!_malloc_base<\/em>, using the same heap. Therefore, prefilling the target allocation is as simple as sending a properly sized TCP packet or SSH message and then closing the connection to ensure it is freed. Using this path to spray does not trigger other allocations of the same size, so we don\u2019t have to worry about polluting the heap.<\/p>\n<p>Another important value to pull out of the debugger\/disassembly is <em>offsetof(EVP_AES_KEY, block)<\/em>, as that offset in the sprayed data needs to be set to the initial ROP gadget. This value is <em>0xf8<\/em>. 
Conveniently, most of the rest of the <em>EVP_AES_KEY<\/em> structure can be used for the ROP chain contents itself, and a pointer to the base of this structure exists in registers <em>rbx<\/em>, <em>r8<\/em>, and <em>r10<\/em> at the time of the controlled function pointer call.<\/p>\n<p>As a simple proof of concept, consider the following python code:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97059 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6d-Serv-U-SSH-blog.png\" alt=\"Screenshot of code\" width=\"805\" height=\"232\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6d-Serv-U-SSH-blog.png 805w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6d-Serv-U-SSH-blog-300x86.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig6d-Serv-U-SSH-blog-768x221.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\"><\/p>\n<p>The above results in the following context in the debugger:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97065 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig7-Serv-U-SSH-blog.png\" alt=\"Screenshot of code showing machine context\" width=\"800\" height=\"153\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig7-Serv-U-SSH-blog.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig7-Serv-U-SSH-blog-300x57.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Fig7-Serv-U-SSH-blog-768x147.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 7. 
Machine context showing rcx, rdx, and rip controlled by attacker<\/em><\/p>\n<h3>Conclusion: Responsible disclosure and industry collaboration improve security for all<\/h3>\n<p>Our research shows that the Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration. An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported.<\/p>\n<p>We shared our findings with SolarWinds through <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/cvd?rtc=1\">Coordinated Vulnerability Disclosure<\/a> (CVD). We also shared the fuzzer we created. SolarWinds released an <a href=\"https:\/\/www.solarwinds.com\/trust-center\/security-advisories\/cve-2021-35211\">advisory and security patch<\/a>, which we strongly encourage customers to apply. If you are not sure whether your system is affected, open a support case in the <a href=\"https:\/\/customerportal.solarwinds.com\/support\/submit-a-ticket?sid=satsn\">SolarWinds Customer Portal<\/a>.<\/p>\n<p>In addition to sharing vulnerability details and fuzzing tooling with SolarWinds, we also recommended <a href=\"https:\/\/docs.microsoft.com\/en-us\/cpp\/build\/reference\/dynamicbase-use-address-space-layout-randomization?view=msvc-160\">enabling ASLR compatibility<\/a> for all binaries loaded in the Serv-U process. ASLR compatibility is controlled by a simple compile-time flag, which is enabled by default and has been available since Windows Vista. 
ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U.<\/p>\n<p>We would like to thank SolarWinds for their prompt response. This case further underscores the need for constant collaboration among software vendors, security researchers, and other players to ensure the safety and security of users\u2019 computing experience.<\/p>\n<p><strong><em>Microsoft Offensive Research &amp; Security Engineering team<\/em><\/strong><\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/02\/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;re sharing technical information about the vulnerability tracked as CVE-2021-35211, which was used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks.<br \/>\nThe post A deep-dive into the SolarWinds Serv-U SSH vulnerability appeared first on Microsoft Security Blog. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42658,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[347,7221,9451],"class_list":["post-42657","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cybersecurity","tag-microsoft-security-intelligence","tag-solarwinds"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>A deep-dive into the SolarWinds Serv-U SSH vulnerability 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A deep-dive into the SolarWinds Serv-U SSH vulnerability 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-02T16:00:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability.png\" \/>\n\t<meta property=\"og:image:width\" content=\"799\" \/>\n\t<meta property=\"og:image:height\" content=\"102\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
"}