<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Solarwinds — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/solarwinds/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 26 Feb 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/solarwinds/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical Vulnerabilities in SolarWinds Serv-U Allow Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-02-solarwinds-servu-rce/</link><pubDate>Thu, 26 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-solarwinds-servu-rce/</guid><description>Multiple critical vulnerabilities in SolarWinds Serv-U MFT and FTP Server allow remote code execution, potentially leading to system compromise.</description><content:encoded><![CDATA[<p>On February 25, 2026, the Centre for Cybersecurity Belgium (CCB) issued an advisory regarding four critical vulnerabilities (CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541) in SolarWinds Serv-U MFT and FTP Server. These vulnerabilities, if exploited, can lead to remote code execution (RCE) on the affected systems.  The Serv-U products are file transfer solutions widely used by organizations. While there&rsquo;s no current indication of active exploitation as of the advisory&rsquo;s release, the CCB anticipates potential exploitation attempts by threat actors, including ransomware groups, given their past interest in file transfer technologies. 
Exploitation on Windows deployments requires administrative privileges. Both Serv-U MFT and Serv-U FTP Server are affected.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker obtains access to a Serv-U instance, for example with compromised user credentials.</li>
<li>Attacker exploits CVE-2025-40538 (broken access control) to create a system administrator user. This may involve sending a specially crafted request to the Serv-U server.</li>
<li>The attacker logs in with the newly created account and now holds the administrative privileges the code-execution flaws require.</li>
<li>Attacker exploits CVE-2025-40539 or CVE-2025-40540 (both type confusion bugs) to inject and execute arbitrary code, again via crafted requests.</li>
<li>Alternatively, the attacker exploits CVE-2025-40541 (insecure direct object reference) to execute native code.</li>
<li>The attacker executes arbitrary commands on the server with root privileges.</li>
<li>The attacker establishes persistence via scheduled tasks or other mechanisms.</li>
<li>The attacker moves laterally within the network, exfiltrates sensitive data, deploys ransomware, or performs other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities allows attackers to execute arbitrary code with root privileges on affected SolarWinds Serv-U servers, leading to full system compromise, data theft, ransomware deployment, and disruption of file transfer services. Any organization relying on Serv-U for critical file transfers is in scope, and the CCB advisory highlights potential targeting by ransomware groups, who have shown past interest in file transfer technologies.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update SolarWinds Serv-U MFT and FTP Server to version 15.5.4 or later, which per the SolarWinds advisories remediates CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, and CVE-2025-40541.</li>
<li>Enable Sysmon process creation logging (Event ID 1) and review it for unexpected processes spawned by the Serv-U service, which would indicate exploitation attempts.</li>
<li>Monitor network traffic for unusual outbound connections from Serv-U servers, which may indicate command and control activity after successful exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>solarwinds</category><category>serv-u</category><category>rce</category><category>vulnerability</category></item><item><title>Suspicious SolarWinds Child Process Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/</guid><description>Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.</description><content:encoded><![CDATA[<p>This detection rule identifies suspicious child processes initiated by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, excluding known legitimate operations. Adversaries may exploit the trusted SolarWinds processes to execute unauthorized programs with elevated privileges, bypassing security controls. The rule focuses on Windows systems and is designed to detect activity indicative of post-compromise actions following a supply chain attack. This detection is crucial for organizations that utilize SolarWinds software, as malicious actors could leverage compromised SolarWinds installations to gain unauthorized access and execute arbitrary code within the network.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of the SolarWinds software supply chain (T1195.002).</li>
<li>Malicious code runs inside SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (in SUNBURST, via a trojanized DLL loaded by that host process).</li>
<li>The compromised SolarWinds process spawns a suspicious child process.</li>
<li>The child process executes a malicious command or binary, attempting to evade detection.</li>
<li>The child process leverages Native APIs (T1106) to perform privileged actions.</li>
<li>Lateral movement or data exfiltration may occur from the compromised host.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the execution of arbitrary code on systems running SolarWinds software. This can result in data theft, system compromise, and further propagation of the attack throughout the network. Organizations in various sectors utilizing SolarWinds products are potentially at risk. The impact may include loss of sensitive data, disruption of critical services, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Suspicious SolarWinds Child Process - CommandLine</code> to detect potentially malicious child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.</li>
<li>Deploy the Sigma rule <code>Suspicious SolarWinds Child Process - Executable</code> to detect execution of unusual executables as child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.</li>
<li>Enable process creation logging with command line details on Windows systems to ensure the Sigma rules have sufficient data.</li>
<li>Review and tune the rules for false positives based on legitimate SolarWinds child processes in your environment, updating the exclusion lists in the rules accordingly and consulting each rule&rsquo;s <code>falsepositives</code> field.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>supply-chain</category><category>execution</category><category>solarwinds</category></item><item><title>SolarWinds Process Disabling Services via Registry Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-solarwinds-service-disable/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-solarwinds-service-disable/</guid><description>A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of SolarWinds processes attempting to disable services by modifying their registry start type. This activity is associated with defense evasion tactics, potentially linked to initial access via supply chain compromise, similar to the SUNBURST campaign. The behavior involves SolarWinds binaries, such as <code>SolarWinds.BusinessLayerHost*.exe</code> and <code>NetFlowService*.exe</code>, manipulating registry entries related to service start configurations. This technique can be used to impair or disable security tools and services, allowing attackers to operate more freely within a compromised environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of the SolarWinds Orion platform, potentially through a supply chain attack.</li>
<li>Deployment of a malicious module or payload within the SolarWinds environment.</li>
<li>Execution of a SolarWinds process, such as <code>SolarWinds.BusinessLayerHost*.exe</code>.</li>
<li>The SolarWinds process modifies the registry to change the start type of a service.</li>
<li>The registry modification targets the <code>HKLM\SYSTEM\ControlSet*\Services\*\Start</code> path.</li>
<li>The <code>Start</code> value is set to 4 (logged by Sysmon as <code>DWORD (0x00000004)</code>), the <code>SERVICE_DISABLED</code> start type, which disables the targeted service.</li>
<li>Disabling critical security services allows the attacker to evade detection and further compromise the system.</li>
<li>Attacker achieves persistence and performs lateral movement, exfiltrating data or deploying ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can disable critical security services, such as antivirus, endpoint detection and response (EDR) agents, or other monitoring tools. This significantly reduces visibility of malicious activity within the network, potentially leading to data breaches, ransomware deployment, or other severe security incidents. The SolarWinds supply chain compromise affected numerous organizations globally, underscoring the potential impact of this type of attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>SolarWinds Process Disabling Services via Registry</code> to your SIEM to detect registry modifications by SolarWinds processes aimed at disabling services.</li>
<li>Enable Sysmon registry event logging (Event ID 13, RegistryEvent value set) to provide the data the Sigma rule needs.</li>
<li>Review and harden access controls for SolarWinds processes to restrict their ability to modify critical system settings.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the affected service and the timeline of events surrounding the registry modification.</li>
<li>Utilize threat intelligence platforms to stay informed about known SolarWinds-related attack patterns and indicators of compromise (IOCs).</li>
<li>Monitor endpoints for unusual behavior by SolarWinds processes, including network connections, file modifications, and process creations.</li>
</ul>
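<p>The detections recommended in this brief and in the two briefs above (unexpected child processes of <code>SolarWinds.BusinessLayerHost*.exe</code> or of the Serv-U service, and a SolarWinds image setting a service&rsquo;s <code>Start</code> value to 4) can be prototyped against raw Sysmon events before they are deployed as SIEM rules. The following Python is an added example written for this page, not the published Sigma rules and not SolarWinds code. It runs over constructed sample events embedded in the block; the <code>Serv-U.exe</code> image name, the allowlisted child processes and the <code>EDRAgentSvc</code> service name are assumptions for illustration and should be replaced with values from your own baseline.</p>

```python
"""Sysmon-based detections for the SolarWinds briefs on this page, run over
constructed sample events (not real telemetry). Illustrative code, not the
published Sigma rules:
  1. an unexpected child process of a trusted SolarWinds or Serv-U parent
     (Sysmon Event ID 1, process creation);
  2. a SolarWinds process disabling a service by writing Start=4 under
     HKLM\\SYSTEM\\ControlSet*\\Services\\*\\Start (Sysmon Event ID 13, value set).
"""
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Parent images whose children deserve scrutiny (glob patterns, compared
# case-insensitively against the file name). "Serv-U.exe" is an assumption
# about the Serv-U service image name; adjust to your deployment.
TRUSTED_PARENTS = ["SolarWinds.BusinessLayerHost*.exe", "NetFlowService*.exe", "Serv-U.exe"]

# Children that are routine for these parents. Assumed allowlist: tune it from
# your own baseline, as the brief's recommendation says.
BENIGN_CHILDREN = ["APMServiceControl*.exe", "ExportToPDFCmd*.exe"]

# Start type 4 is SERVICE_DISABLED; Sysmon renders it as "DWORD (0x00000004)".
DISABLED_START = re.compile(r"^DWORD \(0x0*4\)$", re.IGNORECASE)
SERVICE_START_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(Current)?ControlSet\d*\\Services\\[^\\]+\\Start$", re.IGNORECASE)


def parse_event(xml_text):
    """Flatten one Sysmon event into {"EventID": int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def basename(path):
    return path.rsplit("\\", 1)[-1]


def match_any(name, patterns):
    return any(fnmatchcase(name.lower(), p.lower()) for p in patterns)


def suspicious_child(event):
    """Rule 1: a trusted parent spawned something outside the allowlist."""
    if event["EventID"] != 1:
        return None
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if match_any(parent, TRUSTED_PARENTS) and not match_any(child, BENIGN_CHILDREN):
        return f"suspicious child {child} of {parent}: {event.get('CommandLine', '')}"
    return None


def service_disabled(event):
    """Rule 2: a SolarWinds image set a service's Start value to 4 (disabled)."""
    if event["EventID"] != 13:
        return None
    image, target = basename(event.get("Image", "")), event.get("TargetObject", "")
    if (match_any(image, TRUSTED_PARENTS) and SERVICE_START_KEY.match(target)
            and DISABLED_START.match(event.get("Details", ""))):
        return f"{image} disabled service via {target}"
    return None


def scan(events_xml):
    """Run both rules over raw Sysmon event XML strings; return the alert texts."""
    alerts = []
    for xml_text in events_xml:
        event = parse_event(xml_text)
        alerts.extend(hit for hit in (suspicious_child(event), service_disabled(event)) if hit)
    return alerts


def _event(event_id, **data):
    """Build a constructed Sysmon-style event; sample data only, not real logs."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


ORION = r"C:\Program Files (x86)\SolarWinds\Orion"
SAMPLE_EVENTS = [  # constructed sample telemetry
    _event(1, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami",
           ParentImage=ORION + r"\SolarWinds.BusinessLayerHost.exe"),  # alert
    _event(1, Image=ORION + r"\APMServiceControl.exe", CommandLine="APMServiceControl.exe",
           ParentImage=ORION + r"\SolarWinds.BusinessLayerHostx64.exe"),  # allowlisted
    _event(1, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe",
           ParentImage=r"C:\Windows\explorer.exe"),  # parent not in scope
    _event(13, Image=ORION + r"\NetFlowService.exe", Details="DWORD (0x00000004)",
           TargetObject=r"HKLM\System\CurrentControlSet\Services\EDRAgentSvc\Start"),  # alert
    _event(13, Image=ORION + r"\NetFlowService.exe", Details="DWORD (0x00000002)",
           TargetObject=r"HKLM\System\CurrentControlSet\Services\EDRAgentSvc\Start"),  # auto-start
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

<p>Running the block prints two alerts: the <code>cmd.exe</code> child of <code>SolarWinds.BusinessLayerHost.exe</code> and the <code>NetFlowService.exe</code> write that disables <code>EDRAgentSvc</code>. The allowlisted <code>APMServiceControl.exe</code> child, the <code>explorer.exe</code> parent and the <code>Start=2</code> write are ignored, which is the behaviour to preserve when you port the logic to Sigma: exclusions on the child image, a parent-image scope, and an exact match on the disabled start type.</p>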
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>solarwinds</category><category>defense-evasion</category><category>registry-modification</category><category>supply-chain</category></item></channel></rss>