Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995
June 23, 2024
Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly available proof-of-concept (PoC) code.
Threat actors are actively exploiting a recently discovered vulnerability, tracked as CVE-2024-28995, in SolarWinds Serv-U software.
The vulnerability CVE-2024-28995 is a high-severity directory traversal issue that allows attackers to read sensitive files on the host machine. The flaw was discovered and reported by Hussein Daher.
Experts at threat intelligence firm GreyNoise reported that threat actors are actively exploiting the flaw using publicly available proof-of-concept (PoC) exploit code.
“SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.” reads the advisory.
The flaw was disclosed on June 6; it impacts Serv-U 15.4.2 HF 1 and previous versions.
GreyNoise researchers started investigating the issue after Rapid7 published technical details about the flaw and PoC exploit code. GitHub user bigb0x also shared a proof-of-concept (PoC) and a bulk scanner for the SolarWinds Serv-U CVE-2024-28995 directory traversal vulnerability.
“The vulnerability is very simple, and accessed via a GET request to the root (/) with the arguments InternalDir and InternalFile set to the desired file. The idea is that InternalDir is the folder, and they attempt to validate there are no path-traversal segments (../). InternalFile is the filename.” reported GreyNoise.
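The request shape GreyNoise describes can be hunted for in web access logs. The following is an added example, not code from GreyNoise, Rapid7 or SolarWinds; it assumes combined-format access logs (for instance from a reverse proxy in front of Serv-U), and every log line, address and file name in it is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PARAMS = ("internaldir", "internalfile")  # argument names from the GreyNoise quote, lowercased

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment is '..'; slash and backslash both count as separators."""
    return ".." in re.split(r"[\\/]+", decode_fully(value))

def classify(line):
    """Return 'traversal', 'review' or None for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    query = {k.lower(): v for k, v in query.items()}  # match names case-insensitively
    if not all(p in query for p in PARAMS):
        return None
    values = [v for p in PARAMS for v in query[p]]
    # Both arguments without '..' may be benign: flag for manual review only.
    return "traversal" if any(has_traversal(v) for v in values) else "review"

def scan(lines):
    """Return (source address, verdict) for each line that classify() flags."""
    verdicts = ((line.split()[0], classify(line)) for line in lines)
    return [(src, v) for src, v in verdicts if v]

SAMPLE_LOG = [  # constructed sample lines, documentation address ranges
    '203.0.113.10 - - [16/Jun/2024:10:01:02 +0000] "GET /?InternalDir=/../../example-dir&InternalFile=example.txt HTTP/1.1" 200 512',
    '203.0.113.11 - - [16/Jun/2024:10:01:09 +0000] "GET /?InternalDir=%5C..%5C..%5Cexample-dir&InternalFile=example.txt HTTP/1.1" 404 0',
    '203.0.113.12 - - [16/Jun/2024:10:02:30 +0000] "GET /?InternalDir=%252e%252e%252fexample-dir&InternalFile=example.txt HTTP/1.1" 400 0',
    '198.51.100.5 - - [16/Jun/2024:10:03:00 +0000] "GET /?InternalDir=/public&InternalFile=readme.txt HTTP/1.1" 200 100',
    '198.51.100.6 - - [16/Jun/2024:10:03:05 +0000] "GET /index.html?file=a..b.txt HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(f"{src}\t{verdict}")
```

A "traversal" hit that was answered with status 200 and a non-zero body size deserves priority, since it may mean a file was actually returned.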
GreyNoise researchers started observing exploitation attempts for this issue over the weekend.
Some failed attempts relied on copies of publicly available PoC exploits, while other attempts were associated with attackers who have a better knowledge of the attack.
“We see people actively experimenting with this vulnerability – perhaps even a human with a keyboard. The route between this vulnerability and RCE is tricky, so we’ll be curious to see what people attempt!” states GreyNoise.
Pierluigi Paganini