Connect with us

Hi, what are you looking for?



SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester

SolarWinds has released patches for high-severity vulnerabilities in Serv-U and the SolarWinds Platform.


SolarWinds this week announced patches for multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform, including a bug reported by a penetration tester working with NATO.

Rolling out as version 2024.2, the latest SolarWinds Platform iteration includes patches for three new security defects, as well as fixes for multiple bugs in third-party components.

The first issue, tracked as CVE-2024-28996, and reported by NATO Communications and Information Agency pentester Nils Putnins, is described as an SWQL injection flaw. A proprietary, read-only subset of SQL, SWQL allows users to query the SolarWinds database for network information.

SolarWinds also announced patches for two security defects impacting the web console of its platform, namely CVE-2024-28999, a race condition vulnerability, and CVE-2024-29004, a stored cross-site scripting (XSS) flaw that requires high privileges and user interaction for successful exploitation.

According to the vendor, the vulnerabilities impact SolarWinds Platform 2024.1 SR 1 and previous versions. Users are advised to update to version 2024.2 of the platform as soon as possible.

The SolarWinds Platform update also includes fixes for a medium-severity flaw in Angular and ten high- and medium-severity issues in OpenSSL, some of which were disclosed seven years ago. Most of these issues could be exploited to cause a denial-of-service (DoS) condition.

This week, SolarWinds also rolled out a hotfix for CVE-2024-28995, a high-severity directory transversal vulnerability in Serv-U that could allow attackers to read sensitive files on the host machine.

With a CVSS score of 8.6, the bug impacts Serv-U 15.4.2 hotfix 1 and previous versions, including Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server. Serv-U 15.4.2 hotfix 2 resolves the flaw and is compatible with both Windows and Linux systems.

Advertisement. Scroll to continue reading.

SolarWinds makes no mention of any of these vulnerabilities being exploited in the wild. Users and administrators are advised to apply the available patches as soon as possible.

Related: Industry Reactions to SEC Charging SolarWinds and Its CISO: Feedback Friday

Related: SolarWinds Patches High-Severity Flaws in Access Rights Manager

Related: Hundreds of Devices With Internet-Exposed Management Interface Found in US Agencies

Related: SolarWinds Platform Update Patches High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights