Directory Traversal Vulnerability in SolarWinds Serv-U

Summary

Security update addresses a vulnerability that could lead to unauthorised access of confidential files


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

SolarWinds has released a security update to address a directory traversal vulnerability in Serv-U, a managed file transfer (MFT) platform. An unauthorised attacker could exploit this vulnerability to access and read confidential files on a host device. This vulnerability is rated as high with a CVSSv3 score of 8.6.

Active Exploitation of CVE-2024-28995

A public proof-of-concept is available for this vulnerability and security researchers have observed exploitation attempts in the wild.


Threat updates

Date         Update
19 Jun 2024  Exploitation and proof-of-concept of CVE-2024-28995

Remediation advice

Affected organisations are encouraged to review the SolarWinds Serv-U Directory Transversal Vulnerability (CVE-2024-28995) advisory and apply any necessary updates. 



Last edited: 19 June 2024 11:03 am