SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.

The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.

Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month.

The list of products susceptible to CVE-2024-28995 is below –

• Serv-U FTP Server 15.4
• Serv-U Gateway 15.4
• Serv-U MFT Server 15.4, and
• Serv-U File Server 15.4

Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available.

Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit and that it allows external unauthenticated attackers to read any arbitrary file on disk, including binary files, assuming they know the path to that file and it’s not locked.

“High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims,” it said.

“File transfer products have been targeted by a wide range of adversaries the past several years, including ransomware groups.”

Indeed, according to threat intelligence firm GreyNoise, threat actors have already begun to conduct opportunistic attacks weaponizing the flaw against its honeypot servers to access sensitive files like /etc/passwd, with attempts also recorded from China.

With previous flaws in Serv-U software exploited by threat actors, it’s imperative that users apply the updates as soon as possible to mitigate potential threats.

“The fact that attackers are using publicly available PoCs means the barrier to entry for malicious actors is incredibly low,” Naomi Buckwalter, director of product security at Contrast Security, said in a statement shared with The Hacker News.

“Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called ‘chaining.’ This can lead to a more widespread compromise, potentially impacting other systems and applications.”