CVE-2024-28995: SolarWinds Serv-U Exploit Leads to Server Crashes

The Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog to include a high-severity flaw impacting SolarWinds Serv-U. The vulnerability, tracked as CVE-2024-28995, is a directory traversal issue that allows unauthenticated threat actors to read arbitrary files on the host system. According to Bleeping Computer, security researchers and federal authorities have observed attackers expanding their operations from simple data theft to causing denial-of-service conditions by crashing targeted servers.

Technical Analysis of the SolarWinds Serv-U 15.4.2 HF 1 Directory Traversal

This CVE originates from improper validation of URI paths within the Serv-U management console and file transfer interface. By sending a specially crafted GET request, an attacker can bypass folder restrictions and traverse the file system. In many observed instances, this is used to access sensitive system files such as /etc/passwd on Linux or win.ini and configuration files on Windows hosts.

While the vulnerability does not provide direct RCE out of the box, the ability to read configuration files often facilitates further compromise. Attackers can extract credentials or session tokens that enable Privilege Escalation within the application or the broader network. More recently, exploitation attempts have resulted in service instability. When the application fails to handle malformed traversal requests or when specific system files are accessed in a way that locks the process, the Serv-U service may hang or terminate, leading to a complete outage for file transfer operations.

How to detect CVE-2024-28995 exploit attempts

Security teams should focus on identifying unusual web requests in their HTTP logs. Indicators of compromise typically include repeated occurrences of dot-dot-slash sequences (../) or their URL-encoded equivalents. Because the flaw is being actively exploited in the wild, SOC analysts must correlate these log entries with any unexpected service restarts or file access alerts.

Monitoring for this specific TTP is essential for organizations that cannot patch immediately. However, manual detection is often insufficient against automated scanning tools. Implementing EDR rules that trigger when the Serv-U process (Serv-U.exe or similar) accesses system files outside of its installation directory is a highly effective way to identify IoC patterns associated with this vulnerability. Integrating these logs into a SIEM can provide the necessary visibility to catch early-stage reconnaissance before an attacker moves toward Lateral Movement.

SolarWinds Serv-U Patch Guidance and Remediation

SolarWinds has released a hotfix to address this issue. The vulnerability affects Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server. Organizations running version 15.4.2 HF 1 or any earlier version are at risk. The CVSS score of 8.6 reflects the severity of the data exposure, but CISA’s addition to the KEV catalog emphasizes that the risk is not theoretical.

To remediate the threat, administrators must upgrade to SolarWinds Serv-U version 15.4.2 HF 2. Given that this is a Zero-Day style threat for unpatched systems, CISA has set a strict deadline for federal agencies to apply the update. Private sector organizations should follow suit, especially those in critical infrastructure sectors that rely on Serv-U for secure data exchange.