SolarWinds Serv-U Vulnerability Under Active Attack; Patch Available

A recently patched high-severity flaw, tracked as CVE-2024-28995, impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.

Context 

A high-severity directory traversal flaw, tracked as CVE-2024-28995, in SolarWinds Serv-U file transfer software is being actively exploited in the wild. A patch is available for affected SolarWinds customers.

Community Impact 

Successful exploitation of this vulnerability could be a stepping stone for attackers. By reading sensitive information such as credentials and configuration or system files, attackers can use what they learn to launch further attacks, a technique called chaining, which can lead to a more widespread compromise of other systems and applications. RH-ISAC advises retail and hospitality members who use SolarWinds Serv-U to update as soon as it is available and technically feasible. The latest version of Serv-U, which is unaffected by CVE-2024-28995, can be accessed here.

Background 

The vulnerability, which carries a CVSS score of 8.6, is a directory traversal bug that could allow attackers to read sensitive files on the host machine.

CVE-2024-28995 affects all versions of the software up to and including Serv-U 15.4.2 HF 1. It was addressed in Serv-U 15.4.2 HF 2 (15.4.2.157), which SolarWinds released earlier this month.

High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks, where adversaries gain access to file transfer solutions and attempt to quickly exfiltrate data with the goal of extorting victims, cybersecurity firm Rapid7 stated. The firm described the vulnerability as relatively trivial to exploit: it allows external, unauthenticated attackers to read any arbitrary file on disk, including binary files, provided they know the path to that file.

Threat actors have already begun opportunistic attacks weaponizing the flaw against honeypot servers to read sensitive files such as /etc/passwd, with attempts recorded from China. /etc/passwd is a common first probe because it exists on every Linux host: a successful read confirms that the traversal works before the attacker requests more valuable files.
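The two halves of the story above, the directory traversal bug class and the opportunistic requests for files like /etc/passwd, as an added example in Python. This is not SolarWinds, Rapid7 or GitHub proof-of-concept code and it is not the actual Serv-U exploit: the `file` query parameter, the request shape and the log lines are constructed assumptions used only to show the unsafe path-resolution pattern beside its hardened form, and a detector that flags traversal attempts (including URL-encoded and backslash variants) in web access logs.

```python
"""Directory traversal: vulnerable vs. hardened path resolution, plus log detection.

Added example, not SolarWinds code. The 'file' parameter, request format and
log lines are constructed for illustration and are NOT the real Serv-U exploit.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Files an attacker typically probes first; /etc/passwd is the one seen in the wild.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "win.ini")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def decode_path(raw: str) -> str:
    """Percent-decode repeatedly (double encoding is a common filter bypass) and
    treat backslashes as separators, so '..\\' is not missed on a Linux host."""
    s = raw
    for _ in range(3):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s.replace("\\", "/")


def resolve_vulnerable(base: Path, user_path: str) -> Path:
    """The unsafe pattern: join and normalise without a containment check.
    '..' segments walk out of base, and an absolute path replaces base entirely."""
    return Path(os.path.normpath(os.path.join(str(base), decode_path(user_path))))


def resolve_safe(base: Path, user_path: str) -> Optional[Path]:
    """Hardened: canonicalise both sides and require the result to stay inside base."""
    base_real = base.resolve()
    candidate = (base_real / decode_path(user_path).lstrip("/")).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        return None
    return candidate


def is_inside(base: Path, target: Path) -> bool:
    """True if target (after symlink resolution) lies under base."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def demo_resolution() -> Dict[str, bool]:
    """Build a throwaway tree and show where the two resolvers diverge."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        public = root / "public"
        public.mkdir()
        (public / "readme.txt").write_text("public\n")
        (root / "secret.txt").write_text("secret\n")  # outside the served directory
        vuln = resolve_vulnerable(public, "..%5csecret.txt")  # '..\' URL-encoded
        safe = resolve_safe(public, "..%5csecret.txt")
        return {
            "vulnerable_escapes": not is_inside(public, vuln),
            "vulnerable_reads_secret": vuln.read_text() == "secret\n",
            "vulnerable_absolute_escapes": not is_inside(public, resolve_vulnerable(public, "/etc/passwd")),
            "safe_rejects": safe is None,
            "safe_allows_legit": resolve_safe(public, "readme.txt") == (public / "readme.txt").resolve(),
        }


# Constructed access-log lines (hypothetical combined-log format, RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /?file=..%5c..%5cetc%5cpasswd HTTP/1.1" 200 1412',
    '198.51.100.9 - - [10/Jun/2024:12:00:03 +0000] "GET /login.htm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "GET /..%252f..%252fetc/shadow HTTP/1.1" 200 980',
]
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_value) for requests whose path or any query value
    contains a '..' segment or names a sensitive file, after full decoding."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        values = [parts.path] + [v for vs in parse_qs(parts.query).values() for v in vs]
        for v in values:
            d = decode_path(v)
            if TRAVERSAL.search(d) or any(s in d.lower() for s in SENSITIVE):
                hits.append((ip, d))
                break  # one alert per request line
    return hits


if __name__ == "__main__":
    print(demo_resolution())
    for ip, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {value}")
```

The containment check in `resolve_safe` is the fix that matters: decoding and stripping `..` on their own are bypassable (double encoding, mixed separators), while resolving the candidate and requiring it to sit under the resolved base rejects every escape regardless of how it was spelled. The detector decodes until the value stops changing for the same reason, so a `%252f` probe lands in the same bucket as a plain `../`.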

A public proof of concept for CVE-2024-28995 has been released on GitHub and can be weaponized by additional attackers.
