A buffer overflow in the Serv-U Web Client allows remote attackers to execute arbitrary code when overly long session cookies are sent to the Web Client.
Upgrade to a Serv-U version higher than 22.214.171.124 when it becomes available. Until an update is available, disable the Web Client Service and only use the Serv-U FTP/SFTP components.
Exploit works on Rhino Software Serv-U 126.96.36.199. Windows patch KB933729 (rpcrt4.dll version 5.2.3790.4115) must be installed. The exploit may need to be executed multiple times to trigger the vulnerability.