CVE-2024-28995: SolarWinds Serv-U Path Traversal Exploited — Patch Now
- [01] Immediate impact: Attackers are actively exploiting an unauthenticated path traversal vulnerability to read sensitive system files and credentials from vulnerable servers.
- [02] Affected systems: SolarWinds Serv-U Managed File Transfer and Serv-U Gateway versions prior to 15.4.2 Hotfix 2 are susceptible to this flaw.
- [03] Remediation: Organizations must immediately update SolarWinds Serv-U to version 15.4.2 HF 2 to prevent unauthorized data exfiltration.
SolarWinds has released an emergency fix for a high-severity CVE affecting its Serv-U Managed File Transfer (MFT) and Serv-U Gateway products. According to SecurityWeek, the vulnerability, identified as CVE-2024-28995, is already being exploited in the wild. This vulnerability is a path traversal flaw that allows unauthenticated, remote attackers to access files outside the intended web root, potentially exposing sensitive configuration data, passwords, and system logs.
Technical Analysis of CVE-2024-28995
The CVSS score of 8.6 reflects the ease with which this flaw can be leveraged. Unlike more complex vulnerabilities that require chained exploits or valid credentials, CVE-2024-28995 can be triggered via specially crafted requests. Specifically, unauthenticated attackers can use directory traversal sequences to bypass security controls and read arbitrary files on the host operating system. While this does not directly result in RCE (Remote Code Execution), the information disclosed—such as service account credentials or environmental variables—can facilitate Lateral Movement or a full system takeover in subsequent attack phases.
Security researchers have observed that the exploitation often involves simple GET or POST requests directed at vulnerable endpoints. Because the flaw exists in the way Serv-U handles file paths, an attacker can escape the restricted folder environment and request files like /etc/passwd on Linux systems or sensitive Windows configuration files. This path traversal vulnerability in SolarWinds Serv-U is particularly dangerous for organizations that host the service on the public internet to facilitate file transfers with external partners.
How to Detect CVE-2024-28995 Exploit Attempts
For SOC analysts, monitoring for this threat requires a focus on web server logs and ingress traffic. When investigating how to detect CVE-2024-28995 exploit attempts, defenders should search for unusual URL patterns containing traversal strings (e.g., ”../” or its encoded variants) targeted at the Serv-U interface. If your SIEM ingests HTTP logs, alerts should be configured for any unauthenticated requests that result in the successful retrieval of system-level files.
Furthermore, EDR solutions should be monitored for suspicious read operations originating from the Serv-U process (Serv-U.exe or similar). Any instance of the Serv-U service account accessing files in the /etc/ directory or Windows\System32 folder without a valid administrative reason should be treated as a high-fidelity IoC.
Remediation and Mitigation Strategies
The primary defense against this threat is the immediate application of official patches. SolarWinds has made the fix available in Serv-U version 15.4.2 Hotfix 2 (15.4.2.157). Administrators should prioritize this update, as public proof-of-concept (PoC) code is already circulating, and threat actors are actively scanning for vulnerable instances.
SolarWinds Serv-U 15.4.2 Patch Guidance
When applying the SolarWinds Serv-U 15.4.2 patch guidance, organizations should verify that both the MFT server and any Serv-U Gateway instances are updated simultaneously. After patching, it is a recommended security practice to rotate any credentials that may have been stored in cleartext or reversible formats within the Serv-U configuration files. Since the vulnerability was exploited prior to the public announcement, defenders must assume that sensitive data may have already been compromised.
In addition to patching, organizations should adopt a Zero Trust architecture for file transfer services. Restricting access to the Serv-U management console to specific IP ranges and implementing multi-factor authentication for all users can reduce the TTP options available to an attacker. While these measures do not fix the underlying path traversal, they provide layers of defense that can prevent an initial compromise from escalating into a major data breach.
Advertisement