There is an ongoing active attack targeting the SolarWinds Serv-U vulnerability – it is critical to apply the patch without delay.
A recently patched critical vulnerability affecting SolarWinds Serv-U file transfer software is actively being exploited by malicious actors. Tracked as CVE-2024-28995 with a CVSS score of 8.6, this flaw allows for directory traversal, enabling attackers to access sensitive files on the host machine.
All versions of Serv-U software up to and including 15.4.2 HF 1 are affected. SolarWinds released a fix in version 15.4.2 HF 2 (15.4.2.157) earlier this month.
Products vulnerable to CVE-2024-28995 include Serv-U FTP Server 15.4, Serv-U Gateway 15.4, Serv-U MFT Server 15.4, and Serv-U File Server 15.4. The vulnerability was discovered and reported by security researcher Hussein Daher of Web Immunify. Since its disclosure, technical details and a proof-of-concept exploit have become publicly available.
According to cybersecurity firm Rapid7, the vulnerability is easy to exploit and allows unauthenticated external attackers to read arbitrary files on disk, including sensitive binary files, provided they know the file path and it’s accessible.
“High-severity information disclosure issues like CVE-2024-28995 can be leveraged in quick, smash-and-grab attacks, where adversaries aim to exfiltrate data rapidly from compromised file transfer solutions,” Rapid7 stated.
File transfer products have increasingly become targets for cyber adversaries, including ransomware groups, as noted by threat intelligence firm GreyNoise, which reported exploit attempts originating from China targeting sensitive files such as /etc/passwd on honeypot servers.
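The honeypot observations above are the kind of thing a defender can hunt for in their own web or file-server access logs. The following is an added example, not code from the article, SolarWinds or GreyNoise: it parses constructed access-log lines in common log format, decodes up to two layers of URL encoding, folds backslashes to slashes (Serv-U commonly runs on Windows), and flags requests whose path climbs above the served root or resolves to a sensitive file such as /etc/passwd. The sample lines and request paths are made up for illustration and are not the vulnerable Serv-U endpoint.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (not real Serv-U logs); the paths are
# illustrative and deliberately do not reproduce the CVE-2024-28995 request.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [15/Jun/2024:10:01:03 +0000] "GET /files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834
203.0.113.12 - - [15/Jun/2024:10:01:04 +0000] "GET /files/..%255c..%255cwindows%255cwin.ini HTTP/1.1" 404 0
203.0.113.13 - - [15/Jun/2024:10:01:05 +0000] "GET /files/reports/../summary.txt HTTP/1.1" 200 90
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Files whose disclosure is a strong signal regardless of how the path was spelled
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/windows/win.ini")


def canonical_path(raw):
    """Return (normalized_path, escaped_root) for a raw request target."""
    path = raw.split("?", 1)[0]
    for _ in range(2):  # two rounds catch double-encoded sequences such as %255c
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # treat Windows separators like '/'
    depth, escaped = 0, False
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0  # climbed above the served root
        elif seg not in ("", "."):
            depth += 1
    return normpath("/" + path.lstrip("/")), escaped


def traversal_findings(log_text):
    """Flag requests that escape the root or resolve to a sensitive file."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm, escaped = canonical_path(m["path"])
        sensitive = any(norm.lower().endswith(s) for s in SENSITIVE)
        if escaped or sensitive:
            findings.append({"ip": m["ip"], "path": norm, "status": int(m["status"]),
                             "escaped_root": escaped, "sensitive_target": sensitive})
    return findings
```

A 200 status on a flagged request is the line to triage first; the benign `reports/../summary.txt` case stays below the root and is not reported.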
Given past incidents with Serv-U software being exploited, users are strongly advised to apply the latest updates promptly to mitigate potential risks.
“The availability of publicly accessible PoCs means that malicious actors face minimal barriers to exploit this vulnerability,” commented Naomi Buckwalter, director of product security at Contrast Security. “Successful exploitation could provide attackers with sensitive information like credentials and system files, enabling further attacks through ‘chaining’ techniques, potentially compromising additional systems and applications.”