A buffer overflow in the Serv-U Web Client allows remote attackers to execute arbitrary code when overly long session cookies are sent to the Web Client.
Upgrade to a Serv-U version higher than 220.127.116.11 when it becomes available. Until an update is available, disable the Web Client Service and only use the Serv-U FTP/SFTP components.
The exploit works on Rhino Software Serv-U 18.104.22.168. Windows patch KB933729 (rpcrt4.dll version 5.2.3790.4115) must be installed. The exploit may need to be executed multiple times to trigger the vulnerability.