
Recent SolarWinds Serv-U Vulnerability Exploited in the Wild

Threat actors are exploiting a recent path traversal vulnerability in SolarWinds Serv-U using public PoC code.


Threat actors are leveraging public proof-of-concept (PoC) code in the first attempts to exploit a recently patched SolarWinds Serv-U vulnerability, threat intelligence company GreyNoise reports.

The exploited flaw, tracked as CVE-2024-28995, is a high-severity directory traversal vulnerability that allows attackers to read sensitive files on the host machine.

SolarWinds disclosed the bug on June 6, when it announced that Serv-U 15.4.2 hotfix 1 and previous versions, including Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server, are affected. The flaw was addressed in Serv-U 15.4.2 hotfix 2.

While the vendor did not share further details on CVE-2024-28995, Rapid7 last week published a technical writeup after successfully exploiting the issue on both Windows and Linux, using version 15.4.2.126 of the appliance with all default installation options enabled.

The cybersecurity firm warned that the security defect was trivially exploitable, allowing an unauthenticated attacker to read any file on disk, if the attacker knows the path and the file is not locked.

The cybersecurity firm also warned that the flaw could soon be exploited in the wild, urging SolarWinds customers to update their Serv-U instances to version 15.4.2 Hotfix 2 (15.4.2.157) as soon as possible, as it fully addresses the bug.

Exploitation of CVE-2024-28995, GreyNoise says, started over the weekend, shortly after Rapid7 published details and PoC code targeting it. Another researcher also released a PoC exploit, along with a scanner.

Some of the observed attempts used copies of the publicly available PoC exploits and failed, while others showed persistence and better understanding of the attack method. Most attacks targeted credentials, Serv-U FTP server startup logs, and Windows configuration settings.
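Because the attacks described above read arbitrary files through a path traversal bug, one practical defensive check is to scan web-server or reverse-proxy access logs for request targets that, once percent-decoded, contain parent-directory hops. The following is an added example, not code from SecurityWeek, GreyNoise, Rapid7 or SolarWinds: it assumes a hypothetical three-field log format (method, request target, status), a hypothetical `/download?file=` endpoint and a hypothetical `startup.log` file name, and the log lines are constructed. It does not encode Serv-U's real endpoints or parameters, which the article does not give.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a hypothetical "METHOD TARGET STATUS" format.
# The endpoint, parameter name and file names are illustrative placeholders.
SAMPLE_LOG = """\
GET /index.html 200
GET /download?file=..%2F..%2F..%2FWindows%2Fwin.ini 200
GET /download?file=....//....//startup.log 200
GET /static/app.js 200
GET /download?file=%252e%252e%2f%252e%252e%2fstartup.log 404
"""

# Deliberately liberal: any ".." that is followed by a separator (or ends the
# string) is flagged. That also catches "....//" style sequences that are meant
# to survive a single ../ strip, at the cost of a few false positives.
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")


def normalise(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding) and unify slashes."""
    prev = None
    for _ in range(rounds):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the decoded request target contains a parent-directory hop."""
    return TRAVERSAL.search(normalise(target)) is not None


def scan_log(log_text: str) -> list[tuple[str, str]]:
    """Return (raw_line, decoded_target) for every request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, skip rather than crash
        target = parts[1]
        if is_traversal(target):
            hits.append((line, normalise(target)))
    return hits


if __name__ == "__main__":
    for raw, decoded in scan_log(SAMPLE_LOG):
        print(f"TRAVERSAL  {decoded}\n    from: {raw}")
```

Run against the constructed sample, three of the five lines are flagged, including the double-encoded one; the decoded target is kept alongside the raw line so an analyst can see what the request actually asked for. Status codes are intentionally ignored: a 404 still records an attempt, and the article notes that many early attempts failed.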


One of the attackers, likely a Chinese-speaking individual, was seen conducting hands-on-keyboard activities, refining their exploit with each failed attempt, and experimenting with various payloads for four hours, GreyNoise says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
