
Vulnerabilities for Serv-U 10 and later versions


Updated February 24, 2017


This article provides a list of vulnerabilities for Serv-U v10 and later versions.


Serv-U v10 and later


Vulnerabilities v10 or later (since May 17, 2010):

Our security team recommends that you run at least the minimum version listed below. At least one of the vulnerabilities listed below has been present since Serv-U 1.0; do not put your company at risk by running unpatched software.

  • Fixed in OpenSSL libraries updated to 0.9.8zb. Additionally, SSLv2 and SSLv3 are disabled by default.
  • Fixed in Several potential security issues. See the relevant release notes for details.
  • Fixed in DOS vulnerability which could render Serv-U unresponsive.
  • Fixed in Security issue allowing for possible SSL DOS attacks.
  • Fixed in DOS vulnerability where clients could saturate Serv-U with SSL renegotiation requests that made Serv-U unresponsive.
  • Fixed in 12.1: DOS due to FTPS and HTTPS SSL/TLS session negotiation vulnerability. (Certain connections that failed to complete SSL negotiation could cause other connections to fail.) Also, DOS due to crash caused by certain ways of terminating web administration sessions.
  • Fixed in 11.3: DOS due to memory leak when certain HTTP/S and SFTP usernames attempted.
  • Fixed in 11.2: Escalation of privilege (wrong set of folder permissions) due to incorrect parsing of folder permission rules on remote shares.
  • Fixed in Escalation of privilege (chroot jailbreak) due to incorrect parsing of folder commands. (Secunia SA47021; discovered by kingcope; present since v1.0.)
  • Fixed in Cross-site scripting (XSS) in Web Client.
  • Fixed in Unauthorized use due to improper password check in SFTP interface.
  • Fixed in Escalation of privilege (grant self permission to virtual folder). Also DOS due to crash caused by improper Web Client URL parsing.

