SolarWinds Serv-U vulnerability under attack
The Centre for Cybersecurity Belgium observed exploitation against CVE-2024-28995, a high-severity vulnerability in SolarWinds' Serv-U file transfer product.
A high-severity vulnerability in SolarWinds Serv-U file transfer product is being actively exploited.
In a security advisory on June 5, SolarWinds disclosed a Serv-U directory traversal vulnerability, tracked as CVE-2024-28995, that scored a CVSS of 8.6. SolarWinds warned that exploitation could allow an unauthenticated attacker to read sensitive files on the host machine and urged users to upgrade to the fixed version, Serv-U 15.4.2 HF 2.
Now, following a proof-of-concept exploit published on June 13, the Centre for Cybersecurity Belgium (CCB) confirmed exploitation against CVE-2024-28995 has begun. CCB issued a warning on X, formerly Twitter, on Thursday and urged users to patch.
"Warning: CVE-2024-28995, a high severity path traversal vulnerability in @solarwinds Serv-U is now actively exploited. Update to the latest version to avoid exploitation," CCB wrote.
Warning: CVE-2024-28995, a high severity path traversal vulnerability in @solarwinds Serv-U is now actively exploited. Update to the latest version to avoid exploitation! See our advisory from the 10th of June for more details: https://t.co/HYZkhXT2ce #Patch #Patch #Patch
— CCB Alert (@CCBalert) June 20, 2024
CCB initially reported on the flaw in an advisory published on June 10. Like SolarWinds, CCB also warned that an attacker could exploit the flaw to access files on vulnerable machines running the Serv-U software. CCB added that upgrades do not protect users from previous compromises, so the use of monitoring and detection tools is important.
However, CCB said the vulnerability did not score beyond an 8.6 CVSS because exploitation doesn't allow an attacker to make any changes to the files.
"Path transversal vulnerabilities are known to have a low complexity to exploit, which is also the case for CVE-2024-28995. Combined with the changed scope of this vulnerability, which allows attackers to access sensitive files on the host machine, it is critical to update your SolarWinds Serv-U instance to v15.4.2 Hotfix 2 as soon as possible to avoid any disclosure of sensitive files on the host machine," CCB wrote in the advisory.
Stephen Fewer, principal security researcher at Rapid7, published a blog detailing CVE-2024-28995 on June 11. Fewer stressed that Rapid7's vulnerability research team also confirmed the flaw is "trivially exploitable." He warned that an unauthenticated attacker could exploit it to read any unlocked files on vulnerable machines.
"High severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims," Fewer wrote in the blog.
He added that file transfer products are a popular target for threat actors, including ransomware gangs. For example, last year, the Clop ransomware group exploited a zero-day vulnerability in Progress Software's MoveIt Transfer product that affected more than two thousand downstream customer organizations.
Rapid7 told TechTarget Editorial it has not observed exploitation of CVE-2024-28995 at this time.
TechTarget Editorial contacted SolarWinds for comment.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.