Threat actors are actively exploiting a recently discovered vulnerability, tracked as CVE-2024-28995, in SolarWinds Serv-U software.
“SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.” reads the advisory.
The flaw was disclosed on June 6; it impacts Serv-U 15.4.2 HF 1 and previous versions.
GreyNoise researchers started investigating the issue after Rapid7 published technical details about the flaw and PoC exploit code. GitHub user bigb0x also shared a proof-of-concept (PoC) and a bulk scanner for the SolarWinds Serv-U CVE-2024-28995 directory traversal vulnerability.
“The vulnerability is very simple, and accessed via a `GET` request to the root (`/`) with the arguments `InternalDir` and `InternalFile` set to the desired file. The idea is that `InternalDir` is the folder, and they attempt to validate there are no path-traversal segments (`../`). `InternalFile` is the filename.” reported GreyNoise.
“We see people actively experimenting with this vulnerability – perhaps even a human with a keyboard. The route between this vulnerability and RCE is tricky, so we’ll be curious to see what people attempt!” states GreyNoise.
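An added example, not from the article or GreyNoise: a log triage script that finds requests with the shape GreyNoise describes (a request to `/` carrying both `InternalDir` and `InternalFile`) and marks those whose decoded values contain a `..` segment. The log lines are constructed, and the combined-log format and case-insensitive parameter matching are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2024:10:01:02 +0000] "GET /?InternalDir=/../../../example&InternalFile=example.txt HTTP/1.1" 200 512
203.0.113.7 - - [18/Jun/2024:10:01:05 +0000] "GET /?InternalDir=%2f%2e%2e%2f%2e%2e%2fexample&InternalFile=example.txt HTTP/1.1" 200 512
198.51.100.4 - - [18/Jun/2024:10:02:11 +0000] "GET /?InternalDir=/public&InternalFile=readme.txt HTTP/1.1" 200 120
198.51.100.9 - - [18/Jun/2024:10:03:40 +0000] "GET /login?user=alice HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')


def has_traversal(value: str) -> bool:
    """True if any path segment is exactly '..' after decoding."""
    decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
    segments = re.split(r"[\\/]+", decoded)  # treat both separators alike
    return ".." in segments


def classify(line: str):
    """Return (client, severity, status) for a matching request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {k.lower(): v for k, v in query.items()}
    # Shape from the GreyNoise description: root path plus both arguments.
    if parts.path != "/" or not {"internaldir", "internalfile"} <= params.keys():
        return None
    values = params["internaldir"] + params["internalfile"]
    severity = "traversal" if any(has_traversal(v) for v in values) else "review"
    return client, severity, int(status)


def scan(log_text: str):
    """Classify every line and keep only the matching requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, severity, status in scan(SAMPLE_LOG):
        print(f"{severity:9} {client:15} HTTP {status}")
```

A `traversal` hit that returned HTTP 200 is the one to escalate first; `review` hits use the same parameters without a `..` segment and may be legitimate.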
Pierluigi Paganini
(SecurityAffairs – hacking, SolarWinds Serv-U)