SolarWinds fixes severe Serv-U vulnerability (CVE-2024-28995)
SolarWinds has fixed a high-severity vulnerability (CVE-2024-28995) affecting its Serv-U managed file transfer (MFT) server solution, which could be exploited by unauthenticated attackers to access sensitive files on the host machine.
About CVE-2024-28995
Serv-U MFT Server is a widely used enterprise solution that provides secure file transfer and file sharing hosted on Windows and Linux machines.
Discovered and reported by Hussein Daher, CVE-2024-28995 is a directory traversal (aka path traversal) vulnerability that affects SolarWinds Serv-U 15.4.2 HF 1 and previous versions.
Directory traversal vulnerabilities allow attackers to access directories and files outside the server’s root directory.
The vulnerability’s CVSS base score indicates that it can be exploited remotely, through a low-complexity attack, and that no user interaction is required to leverage it.
SolarWinds fixed the flaw by releasing Serv-U 15.4.2 Hotfix 2, which is suitable for both Windows and Linux OSes (whether 32-bit or 64-bit), the company says. Admins are advised to update their Serv-U instances as soon as possible.
There is no mention of the bug being actively exploited, but attackers have been known to leverage Serv-U vulnerabilities (including zero-days).
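To illustrate the vulnerability class described above (the article does not describe the internals of the Serv-U bug itself), here is an added example, not code from SolarWinds or from the article, of the two defensive checks a file server or a log reviewer would want: a resolver that only returns paths contained in a document root, and a helper that flags request lines whose decoded path climbs above it. The root path and the access-log lines are constructed for the demonstration.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical document root for the demonstration (constructed, not Serv-U's).
ROOT = "/srv/mft/root"

def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside `root`.

    Decodes percent-encoding twice (catches double encoding such as %252e),
    treats backslashes as separators (servers hosted on Windows), strips any
    leading separator so the join cannot re-root the path, then normalises
    '.' and '..' segments before the containment check.
    """
    decoded = unquote(unquote(requested)).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # Compare on a trailing '/' so '/srv/mft/root2' is not mistaken for the root.
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None

# A parent-directory reference in a decoded, separator-normalised request path.
_TRAVERSAL = re.compile(r"(^|/)\.\.(/|\s|$)")

def looks_like_traversal(request_line: str) -> bool:
    """Log-review helper: flag a request line whose decoded path climbs upward."""
    normalised = unquote(unquote(request_line)).replace("\\", "/")
    return _TRAVERSAL.search(normalised) is not None

def scan_log(lines: List[str]) -> List[str]:
    """Return the request lines that warrant a closer look."""
    return [line for line in lines if looks_like_traversal(line)]

# Constructed sample access-log lines; not real traffic and not Serv-U's log format.
SAMPLE_LOG = [
    '198.51.100.7 - - "GET /docs/report.pdf HTTP/1.1" 200',
    '198.51.100.8 - - "GET /docs/..%2f..%2fprivate/app.ini HTTP/1.1" 404',
    '198.51.100.9 - - "GET /docs/%252e%252e/%252e%252e/private/app.ini HTTP/1.1" 404',
    '198.51.100.10 - - "GET /docs/..\\..\\private\\app.ini HTTP/1.1" 404',
]

if __name__ == "__main__":
    print(resolve_under_root(ROOT, "docs/report.pdf"))        # /srv/mft/root/docs/report.pdf
    print(resolve_under_root(ROOT, "../../private/app.ini"))  # None
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

The containment check is the mitigation; the log helper is only a triage aid, since a path such as `docs/../report.pdf` is flagged by the regex yet resolves safely inside the root.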
UPDATE (June 14, 2024, 04:50 a.m. ET):
The vulnerability is “trivially exploitable”, according to Rapid7.
They managed to exploit the vulnerability on a Windows Server 2022 system running SolarWinds Serv-U File Server (64-bit) version 15.4.2.126, and on Serv-U File Server (64-bit) version 15.4.2.126 running on Linux, and have verified that SolarWinds’ hotfix remediates the flaw.
UPDATE (June 19, 2024, 03:50 a.m. ET):
Ron Bowes, Lead Security Researcher at GreyNoise Labs, has detailed CVE-2024-28995 exploitation attempts against their honeypots.