
Vulnerabilities for Serv-U 10 and later versions


Updated February 24, 2017


This article provides a list of vulnerabilities for Serv-U v10 and later versions.


Serv-U v10 and later


Vulnerabilities in v10 or later (since May 17, 2010):

Our security team recommends that you run at least the minimum version listed below. At least one of the vulnerabilities listed below has been present since Serv-U 1.0; do not put your company at risk by running unpatched software.

  • Fixed in OpenSSL libraries updated to 0.9.8zb. Additionally, SSLv2 and SSLv3 are disabled by default.
  • Fixed in Several potential security issues. See the relevant release notes for details.
  • Fixed in DoS vulnerability which could render Serv-U unresponsive.
  • Fixed in Security issue allowing for possible SSL DoS attacks.
  • Fixed in DoS vulnerability where clients could saturate Serv-U with SSL renegotiation requests that made Serv-U unresponsive.
  • Fixed in 12.1: DoS due to FTPS and HTTPS SSL/TLS session negotiation vulnerability. (Certain connections that failed to complete SSL negotiation could cause other connections to fail.) Also, DoS due to a crash caused by certain ways of terminating web administration sessions.
  • Fixed in 11.3: DoS due to a memory leak when certain HTTP/S and SFTP usernames were attempted.
  • Fixed in 11.2: Escalation of privilege (wrong set of folder permissions) due to incorrect parsing of folder permission rules on remote shares.
  • Fixed in Escalation of privilege (chroot jailbreak) due to incorrect parsing of folder commands. (Secunia SA47021; discovered by kingcope; present since v1.0.)
  • Fixed in Cross-site scripting (XSS) in Web Client.
  • Fixed in Unauthorized use due to improper password check in SFTP interface.
  • Fixed in Escalation of privilege (grant self permission to virtual folder). Also DoS due to a crash caused by improper Web Client URL parsing.

