Attack

Active Exploitation reported of SolarWinds Serv-U

Take action: If you are running an older version of SolarWinds Serv-U, patch as soon as possible. Exposure cannot be avoided, because FTP servers are designed to be reachable from the internet.


Learn More

Threat actors are actively exploiting a severe path-traversal vulnerability in SolarWinds Serv-U, tracked as CVE-2024-28995 (CVSS score of 7.5), which allows unauthenticated attackers to read any file on the filesystem by crafting specific HTTP GET requests.

The vulnerability arises from insufficient validation of path traversal sequences, enabling attackers to bypass security measures and access sensitive files.

Affected versions are the older Serv-U releases, 15.3.2 and earlier, which reach end of life in February 2025. SolarWinds released 15.4.2 Hotfix 2 (version 15.4.2.157) on June 5, 2024, to mitigate this vulnerability by adding stricter path validation. Many systems remain unpatched, leaving them open to exploitation.

Rapid7 analysts recently published a technical report detailing the exploitation of this directory traversal vulnerability. An independent researcher also released a PoC exploit and a bulk scanner for CVE-2024-28995 on GitHub, increasing the risk of widespread attacks. Rapid7 estimates that between 5,500 and 9,500 instances exposed to the internet are potentially vulnerable.

GreyNoise set up a honeypot mimicking a vulnerable Serv-U system to observe exploitation attempts. Attack methods include both manual and automated attempts, using platform-specific path traversal sequences to bypass security checks. Common payloads include:

  • For Windows: GET /?InternalDir=/../../../../windows&InternalFile=win.ini
  • For Linux: GET /?InternalDir=\..\..\..\..\etc&InternalFile=passwd
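
As an added detection example (not code from GreyNoise, Rapid7 or SolarWinds), the following Python flags the request shape above in web-server logs: it parses the InternalDir and InternalFile query parameters, treats both forward and back slashes as separators, and catches single- and double-URL-encoded variants. The log lines are constructed, in a simplified combined-log style.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (not real captures). The first three mirror the
# payload shapes reported above; the last two are benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:10:01:12 +0000] "GET /?InternalDir=/../../../../windows&InternalFile=win.ini HTTP/1.1" 200 403',
    '203.0.113.7 - - [10/Jun/2024:10:01:15 +0000] "GET /?InternalDir=\\..\\..\\..\\..\\etc&InternalFile=passwd HTTP/1.1" 200 1839',
    '198.51.100.4 - - [10/Jun/2024:10:02:01 +0000] "GET /?InternalDir=%2F..%2F..%2F..%2F..%2Fwindows&InternalFile=win.ini HTTP/1.1" 200 403',
    '192.0.2.9 - - [10/Jun/2024:10:03:44 +0000] "GET /?InternalDir=/Client/Common&InternalFile=Login.htm HTTP/1.1" 200 5122',
    '192.0.2.9 - - [10/Jun/2024:10:03:45 +0000] "GET /Web%20Client/Login.xml HTTP/1.1" 200 873',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A ".." path segment delimited by "/" or "\" (or at the start/end of the value).
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.(?=[/\\]|$)")
WATCHED_PARAMS = ("InternalDir", "InternalFile")


def extract_target(log_line):
    """Return the request target (path plus query) from a log line, or None."""
    m = REQUEST_RE.search(log_line)
    return m.group("target") if m else None


def is_servu_traversal(target):
    """True if InternalDir or InternalFile carries a '..' segment.

    parse_qs URL-decodes once; the extra unquote() catches %252F-style double
    encoding. Backslashes count as separators because the Linux payload uses them.
    """
    query = target.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if TRAVERSAL_RE.search(unquote(value)):
                return True
    return False


def scan_log(lines):
    """Return (client_ip, request_target) for each line flagged as a traversal attempt."""
    hits = []
    for line in lines:
        target = extract_target(line)
        if target and is_servu_traversal(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Point the same check at your real Serv-U web logs to find attempts that predate patching; a hit from a pre-patch window warrants a file-access and credential review on that host.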

System administrators are urged to apply the available patches immediately to protect their systems.
