CVE-2021-35252: 
Serv-U Managed File Transfer Server vulnerability analysis and mitigation

Common encryption key appears to be used across all deployed instances of Serv-U FTP Server prior to version 15.3.2. The vulnerability (CVE-2021-35252) was discovered in 2021 and affects SolarWinds Serv-U FTP Server versions 15.3.0 and earlier. Due to this vulnerability, encrypted values that are exposed to an attacker can be simply recovered to plaintext (MITRE CVE, SolarWinds Advisory).

The vulnerability stems from the use of a common encryption key across all deployed instances of Serv-U FTP Server, which represents an improper authentication mechanism. The CVSS v3.1 base score is 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and high confidentiality impact (NVD).

The primary impact of this vulnerability is the potential exposure of encrypted values to attackers, who can then recover the plaintext data due to the shared encryption key. This poses a significant confidentiality risk as it could lead to unauthorized access to sensitive information (SolarWinds Advisory).

SolarWinds has released version 15.3.2 of Serv-U FTP Server to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk (SolarWinds Advisory).