CVE-2024-28995: SolarWinds Serv-U Path/Directory Traversal Vulnerability Exploited in the Wild

Following the publication of proof-of-concept exploit details for a high-severity flaw in SolarWinds Serv-U, researchers have observed both automated and manual in-the-wild exploitation attempts; patching is strongly advised.

Background

On June 5, SolarWinds published an advisory for a vulnerability in its Serv-U file transfer protocol (FTP) and managed file transfer (MFT) solutions:

Analysis

CVE-2024-28995 is a path or directory traversal vulnerability in SolarWinds Serv-U. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable server. Successful exploitation would allow an attacker to read files from the underlying operating system, which may include sensitive information such as user data (which may include encrypted passwords), the Serv-U server log file and other files.

SolarWinds Serv-U historically exploited in targeted attacks

In 2021, SolarWinds patched CVE-2021-35211, a zero-day vulnerability in Serv-U that was exploited in the wild against a “limited, targeted” set of customers. The flaw was disclosed to SolarWinds by Microsoft, who attributed the flaw to a group called Circle Typhoon (also known as DEV-0322 and TiltedTemple).

Managed file transfer are generally ideal targets for ransomware groups

Over the last four years, managed-file transfer solutions like Serv-U have been targeted by opportunistic attackers seeking to steal sensitive data and extort victims. Most of these attacks targeting MFTs have been conducted by the nefarious Cl0p ransomware group, which exploited four flaws in Accellion’s File Transfer Appliance (FTA) in 2020, Fortra’s GoAnywhere MFT in January 2023, and Progress Software’s MOVEit Transfer MFT in May 2023.

In-the-wild exploitation attempts observed for CVE-2024-28995

On June 18, researchers at GreyNoise published a blog post confirming observations of in-the-wild exploitation attempts of CVE-2024-28995 against its honeypots. These include both automated exploitation attempts using public proof-of-concept exploit details as well as manual exploitation (hands-on-keyboard) attempts. Customers who use Serv-U FTP or MFT should apply the available patch for this flaw as soon as possible.

Proof of concept

On June 13 and June 14, researchers published technical details about CVE-2024-28995 and a proof-of-concept exploit script. These exploit details were cited as being used as part of in-the-wild exploitation attempts observed by GreyNoise on June 18.

Solution

According to SolarWinds advisory, SolarWinds Serv-U versions 15.4.2 HF 1 and prior are affected by CVE-2024-28995. SolarWinds released Serv-U 15.4.2 HF 2 to address this flaw. With in-the-wild exploitation now observed, customers are strongly advised to patch as soon as possible.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-28995 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• SolarWinds Serv-U Directory Traversal Vulnerability (CVE-2024-28995)
• SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!
• CVE-2021-35211: SolarWinds Serv-U Managed File Transfer Zero-Day Vulnerability Exploited in Targeted Attacks

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.