
Vulnerabilities for Serv-U 10 and later versions


Updated February 24, 2017


This article provides a list of vulnerabilities for Serv-U v10 and later versions.


Serv-U v10 and later


Vulnerabilities v10 or later (since May 17, 2010):

Our security team recommends that you run at least the minimum version listed below. At least one of the vulnerabilities listed below has been present since Serv-U 1.0; do not put your company at risk by running unpatched software.

  • Fixed in OpenSSL libraries updated to 0.9.8zb. Additionally, SSLv2 and SSLv3 are disabled by default.
  • Fixed in Several potential security issues. See the relevant release notes for details.
  • Fixed in DoS vulnerability which could render Serv-U unresponsive.
  • Fixed in Security issue allowing for possible SSL DoS attacks.
  • Fixed in DoS vulnerability where clients could saturate Serv-U with SSL renegotiation requests that made Serv-U unresponsive.
  • Fixed in 12.1: DoS due to FTPS and HTTPS SSL/TLS session negotiation vulnerability. (Certain connections that failed to complete SSL negotiation could cause other connections to fail.) Also, DoS due to a crash caused by certain ways of terminating web administration sessions.
  • Fixed in 11.3: DoS due to a memory leak when certain HTTP/S and SFTP usernames were attempted.
  • Fixed in 11.2: Escalation of privilege (wrong set of folder permissions) due to incorrect parsing of folder permission rules on remote shares.
  • Fixed in Escalation of privilege (chroot jailbreak) due to incorrect parsing of folder commands. (Secunia SA47021; discovered by kingcope; present since v1.0.)
  • Fixed in Cross-site scripting (XSS) in Web Client.
  • Fixed in Unauthorized use due to improper password check in SFTP interface.
  • Fixed in Escalation of privilege (grant self permission to virtual folder). Also DoS due to a crash caused by improper Web Client URL parsing.
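The advice above is to run at least the fix version for each item, so the practical check is to read the version a Serv-U instance reports and compare it numerically against the fix versions. The following is an added example, not SolarWinds code and not part of the original article. It assumes the FTP greeting banner has the shape "220 Serv-U FTP Server v15.1.6 ready..." (the regular expression is a guess at that format; adjust it to your own banner), and it only encodes the three fix versions this article actually records (12.1, 11.3 and 11.2); entries whose version is missing from the page are deliberately not included.

```python
"""Compare a reported Serv-U version against the fix versions listed above.

Added example; not SolarWinds code. The banner format is an assumption.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Only the fix versions the article records are encoded here.
# Items whose version number is absent from the page are omitted on purpose.
FIXED_IN = [
    ((12, 1), "DoS via FTPS/HTTPS SSL/TLS session negotiation; "
              "DoS via web administration session termination"),
    ((11, 3), "DoS via memory leak on certain HTTP/S and SFTP usernames"),
    ((11, 2), "Privilege escalation from folder permission rules on remote shares"),
]

# Assumed banner shape: "220 Serv-U FTP Server v15.1.6 ready...".
BANNER_RE = re.compile(r"Serv-U FTP Server v(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """'15.1.10' -> (15, 1, 10). Tuples compare numerically, so 15.1.10 > 15.1.2,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_banner(banner: str) -> Optional[Version]:
    """Extract the version from a greeting banner, or None if it is not present."""
    match = BANNER_RE.search(banner)
    return parse_version(match.group(1)) if match else None


def outstanding_fixes(version: Version, fixes=FIXED_IN) -> List[str]:
    """Return descriptions of every recorded fix that `version` predates.

    Python compares tuples element by element, and a shorter tuple that is a
    prefix of a longer one sorts first, so (12,) < (12, 1) and (12, 1, 2) >= (12, 1).
    """
    return [desc for fixed, desc in fixes if version < fixed]


def report(banner: str) -> List[str]:
    """Convenience wrapper: banner in, list of outstanding fixes out.
    Returns a single explanatory entry when no version can be read."""
    version = version_from_banner(banner)
    if version is None:
        return ["could not read a Serv-U version from the banner"]
    return outstanding_fixes(version)


if __name__ == "__main__":
    # Constructed sample banner; not captured from a real server.
    sample = "220 Serv-U FTP Server v11.2 ready..."
    for line in report(sample):
        print("missing fix:", line)
```

A server that reports 11.2 is flagged for the 11.3 and 12.1 fixes but not for the 11.2 one, and 12.1 or later is clean against this list. Extend FIXED_IN from the release notes once you know the version numbers the page leaves out; the comparison logic does not change.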

