SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately
A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.
The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.
Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month.
The list of products susceptible to CVE-2024-28995 is below -
- Serv-U FTP Server 15.4
- Serv-U Gateway 15.4
- Serv-U MFT Server 15.4, and
- Serv-U File Server 15.4
Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available.
Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit and that it allows external unauthenticated attackers to read any arbitrary file on disk, including binary files, assuming they know the path to that file and it's not locked.
"High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims," it said.
"File transfer products have been targeted by a wide range of adversaries the past several years, including ransomware groups."
Indeed, according to threat intelligence firm GreyNoise, threat actors have already begun to conduct opportunistic attacks weaponizing the flaw against its honeypot servers to access sensitive files like /etc/passwd, with attempts also recorded from China.
With previous flaws in Serv-U software exploited by threat actors, it's imperative that users apply the updates as soon as possible to mitigate potential threats.
"The fact that attackers are using publicly available PoCs means the barrier to entry for malicious actors is incredibly low," Naomi Buckwalter, director of product security at Contrast Security, said in a statement shared with The Hacker News.
"Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called 'chaining.' This can lead to a more widespread compromise, potentially impacting other systems and applications."
Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager
UNC3886 Uses Fortinet, VMware 0-Days and Stealth Tactics in Long-Term Spying
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1293 Missing Source Correlation of Multiple Independent Data
CWE-215 Insertion of Sensitive Information Into Debugging Code
CWE-83 Improper Neutralization of Script in Attributes in a Web Page
CWE-530 Exposure of Backup File to an Unauthorized Control Sphere
Free online web security scanner
