Exploitation of SolarWinds Serv-U Vulnerability Detected – Apply Patch Immediately

June 21, 2024Media CenterVulnerability / Data Security

A recently patched high-severity flaw in SolarWinds Serv-U file transfer software is being actively exploited.

The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), is a directory traversal flaw that enables unauthorized users to access critical files on the host machine.

The flaw impacts all versions of the software prior to and including Serv-U 15.4.2 HF 1, and was resolved by the company in Serv-U 15.4.2 HF 2 (15.4.2.157), released earlier this month.


The list of products vulnerable to CVE-2024-28995 includes:

  • Serv-U FTP Server 15.4
  • Serv-U Gateway 15.4
  • Serv-U MFT Server 15.4, and
  • Serv-U File Server 15.4

The flaw was discovered and reported by security researcher Hussein Daher of Web Immunify. Following public disclosure, additional technical details and a proof-of-concept (PoC) exploit have been released.

Rapid7, a cybersecurity organization, described the vulnerability as easy to exploit, allowing external unauthorized users to view any file on disk, including binary files, provided they know the file path and the file is not restricted.

“Information leakage flaws of high severity like CVE-2024-28995 may be exploited in quick hit-and-run attacks where hackers infiltrate and swiftly siphon data from file transfer solutions in an extortion attempt,” it stated.

“File transfer products have been deliberately targeted by various offenders in recent years, including ransomware groups.”


Threat intelligence firm GreyNoise confirmed that malicious actors have begun opportunistic attacks exploiting the vulnerability against its decoy servers to access crucial files such as /etc/passwd, with attack attempts also originating from China.

Given the history of threat actors exploiting prior vulnerabilities in Serv-U software, it is vital for users to promptly apply the updates to minimize potential risks.
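To act on the patch guidance above, the following added example (not from the original article or from SolarWinds) triages an inventory of reported Serv-U versions against the fixed build 15.4.2.157. The inventory format, hostnames and sample versions are constructed, and it assumes releases later than the fixed build also carry the fix.

```python
import re

# Fixed build per the article: Serv-U 15.4.2 HF 2 (15.4.2.157).
FIXED_BUILD = (15, 4, 2, 157)

# Constructed sample inventory: "host,version" (all values are made up).
SAMPLE_INVENTORY = """\
ftp-edge-01,15.4.2.157
ftp-edge-02,15.4.2.126
mft-core-01,15.3.1.155
gw-dmz-01,15.4.2
files-lab-01,15.5.0.12
legacy-01,unknown
"""

_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'verify' for a reported version."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        return "verify"  # unparseable: check the host by hand
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 4:
        # Assumption: builds above the fixed one include the fix.
        return "patched" if parts >= FIXED_BUILD else "vulnerable"
    # Fewer than four components: the hotfix level is not visible.
    prefix = FIXED_BUILD[: len(parts)]
    if parts < prefix:
        return "vulnerable"
    if parts > prefix:
        return "patched"
    return "verify"  # e.g. "15.4.2" could be HF 1 or HF 2


def triage(inventory_csv: str) -> dict:
    """Group hosts from 'host,version' lines by patch status."""
    result = {"patched": [], "vulnerable": [], "verify": []}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        result[classify(version)].append(host.strip())
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts in the `verify` group report too little version detail to tell HF 1 from HF 2 and need a manual check of the installed build.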

“The fact that malevolent actors are utilizing publicly available PoCs implies that the threshold for entry by malicious entities is extremely low,” said Naomi Buckwalter, director of product security at Contrast Security, in a statement shared with The Hacker News.

“Successful exploitation of this vulnerability could serve as a launchpad for intruders. Through access to sensitive data like credentials and system files, hackers can leverage that data for subsequent attacks, a method known as ‘chaining.’ This could result in a broader breach, potentially impacting other systems and applications.”
