What is more interesting is that a ROP gadget exploit was used to attack the server.
OpenBSD goes to great lengths to defeat ROP gadget attacks. The compiler is modified to exclude certain machine instructions at the ends of functions, and the ASLR runs so deep that the kernel and C libraries are relinked at every boot to randomize locations in memory.
"Tracked as CVE-2021-35211, the Serv-U vuln allowed an attacker to achieve remote code execution through what Microsoft described as a Return Oriented Programming attack, as we reported at the time."
For SFTP services, OpenBSD is in the top tier for security.