Beleaguered SolarWinds hit with fresh vulnerabilities
Three severe flaws across Orion and Serv-U FTP can be exploited to launch remote code execution attacks and steal data


Researchers have discovered three new vulnerabilities embedded in SolarWinds products, including two in the Orion Platform that was at the heart of one of the largest-scale hacks in modern history.
They concern two flaws in the Orion Platform, which hackers previously exploited in last year’s infamous supply chain attack, as well as one bug in Serv-U FTP for Windows, a file transfer protocol (FTP) server and client software.
Although these flaws haven’t been exploited in the recent SolarWinds attacks, nor in any attacks in the wild so far, researchers with Trustwave SpiderLabs have deemed them to be severe bugs that demand urgent patching.
“The patches for the three severe vulnerabilities that Trustwave discovered were issued in January,” said senior security research manager with Trustwave SpiderLabs, Karl Sigler.
“This latest development re-emphasizes the need for thorough security testing for complex software platforms and shows what could have happened if Trustwave had not discovered the three identified severe vulnerabilities before the bad actors did.”
The first Orion vulnerability, tracked as CVE-2021-25275, can be exploited by hackers to either steal information from a corporate network or add admin-level users to be used within the security platform.
The flaw centres on the insecure manner in which credentials are stored, and could allow any local user, regardless of privilege level, to take complete control of the SolarWinds Orion database.
The second flaw, tagged CVE-2021-25274, centres on the improper use of Microsoft Message Queuing (MSMQ) and is considered the most severe of the three.
This can allow remote unprivileged users to execute arbitrary code as if they had the highest privileges.
Finally, CVE-2021-25276 is a vulnerability in Serv-U FTP for Windows that can allow any user, regardless of privilege, to create a file that can define a new Serv-U FTP admin account with access to the C:\ drive.
Successful exploitation could lead to the attacker using the newly-created account to log in through FTP and read or replace any file on the C:\ drive.
SolarWinds has issued fixes for these vulnerabilities with ‘Orion Platform 2020.2.4’ and ‘ServU-FTP 15.2.2 Hotfix 1 Patch’. Trustwave has purposely excluded proof of concept (PoC) details from their blog post to give SolarWinds users longer to patch.
While there’s currently no evidence these flaws have been exploited, their disclosure is certain to raise alarm bells among SolarWinds customers who are still reeling from the devastating effects of the 2020 hack.
In what was considered one of the scariest horror stories of last year, it was revealed in December that hackers had infiltrated a litany of organisations by exploiting flaws in the SolarWinds Orion Platform.
An ongoing investigation has since found that hackers may have had access to the firm’s internal systems since September 2019, well over a year before SolarWinds confirmed it had fallen victim to the attack.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.