Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995
Security Affairs, published June 23, 2024 (https://securityaffairs.com/164806/hacking/solarwinds-serv-u-cve-2024-28995-exploit.html)

Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly available proof-of-concept (PoC) code.

Threat actors are actively exploiting a recently discovered vulnerability, tracked as CVE-2024-28995, in SolarWinds Serv-U software.

The vulnerability CVE-2024-28995 is a high-severity directory traversal issue that allows attackers to read sensitive files on the host machine. The flaw was discovered and reported by Hussein Daher.

Experts at threat intelligence firm GreyNoise reported that threat actors are actively exploiting the flaw using publicly available proof-of-concept (PoC) exploit code.

“SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.” reads the advisory.

The flaw was disclosed on June 6; it affects Serv-U 15.4.2 HF 1 and earlier versions.

GreyNoise researchers started investigating the issue after Rapid7 published technical details about the flaw and PoC exploit code. GitHub user bigb0x also shared a proof-of-concept (PoC) and a bulk scanner for the SolarWinds Serv-U CVE-2024-28995 directory traversal vulnerability.

“The vulnerability is very simple, and accessed via a GET request to the root (/) with the arguments InternalDir and InternalFile set to the desired file. The idea is that InternalDir is the folder, and they attempt to validate there are no path-traversal segments (../). InternalFile is the filename.” reported GreyNoise.

GreyNoise researchers started observing exploitation attempts for this issue over the weekend.

Some failed attempts relied on copies of publicly available PoC exploits; other attempts were associated with attackers who had a better knowledge of the attack.

“We see people actively experimenting with this vulnerability – perhaps even a human with a keyboard. The route between this vulnerability and RCE is tricky, so we’ll be curious to see what people attempt!” states GreyNoise.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, SolarWinds Serv-U)
