
Unpatched SolarWinds file-transfer flaw could invite malicious exploitation, experts caution

The Serv-U vulnerability flagged by Rapid7 is easy to exploit and resembles the flaws in other file-transfer products that have fed 'smash-and-grab' extortion attacks.

An unpatched SolarWinds file-transfer flaw presents a ripe opportunity for cybercriminals, security researchers warn.


Breaking News: High-Severity Vulnerability Discovered in SolarWinds Serv-U

SolarWinds, the technology company still reeling from the fallout of the 2020 Sunburst attacks, is facing a new challenge. Researchers at Rapid7 have analysed a high-severity directory traversal vulnerability in the SolarWinds Serv-U file-transfer product, tracked as CVE-2024-28995.

The vulnerability is rated high severity, with a CVSS base score of 8.6 in the vendor advisory (other trackers have published different scores). It allows an unauthenticated attacker to send a request whose path parameters contain directory-traversal sequences (`../` or `..\`) and so read arbitrary files that the Serv-U service account can access on the Windows or Linux host running it.
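An added example, written for this page rather than taken from SolarWinds or Rapid7, of how a directory traversal of the kind described above arises and how a practitioner checks for it: a resolver that joins attacker-controlled `dir` and `file` parameters straight under a web root, beside a hardened resolver that percent-decodes, folds Windows separators, strips absolute prefixes and confirms the canonical path still lies under the root. The parameter names, the directory layout and the payloads are assumptions constructed for the demonstration, not the product's real request format.

```python
# Added example (not SolarWinds or Rapid7 code): a naive path resolver next to a
# hardened one. Parameter names "dir"/"file", the directory layout and the
# payloads are constructed for illustration only.
import os
import tempfile
import urllib.parse
from pathlib import Path


def vulnerable_resolve(web_root: str, user_dir: str, user_file: str) -> str:
    """Join attacker-controlled pieces directly under web_root.

    normpath collapses '..' segments, so 'files/../../secret.txt' simply
    walks out of web_root; on Windows '..\\' works the same way. Any file
    the service account can read is therefore exposed.
    """
    return os.path.normpath(os.path.join(web_root, user_dir, user_file))


def hardened_resolve(web_root: str, user_dir: str, user_file: str) -> Path:
    """Resolve the request and refuse anything outside the canonical web root.

    1. percent-decode repeatedly so '%252e%252e' ends up visible as '..'
    2. treat backslashes as separators: Windows accepts both forms
    3. reject NUL bytes, which truncate paths in C/C++ services
    4. strip leading slashes and drive letters so the join cannot be reset
    5. canonicalise (symlinks included) and compare against the root
    """
    root = Path(web_root).resolve()
    pieces = []
    for raw in (user_dir, user_file):
        decoded = raw
        for _ in range(3):  # bounded decoding loop handles double encoding
            once = urllib.parse.unquote(decoded)
            if once == decoded:
                break
            decoded = once
        if "\x00" in decoded:
            raise PermissionError("NUL byte in path")
        pieces.append(decoded.replace("\\", "/"))
    rel = "/".join(pieces).lstrip("/")
    if len(rel) >= 2 and rel[1] == ":":  # e.g. 'C:/windows/win.ini'
        rel = rel[2:].lstrip("/")
    candidate = (root / rel).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"traversal rejected: {rel!r}")
    return candidate


def is_rejected(web_root: str, user_dir: str, user_file: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        hardened_resolve(web_root, user_dir, user_file)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway layout and run one legitimate and three hostile requests."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "www", "files")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "report.txt"), "w") as fh:
        fh.write("public\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:  # outside web_root
        fh.write("db_password=hunter2\n")

    # Constructed payloads: POSIX form, Windows form, double-encoded form.
    payloads = [("../../", "secret.txt"),
                ("..\\..\\", "secret.txt"),
                ("%252e%252e/%252e%252e/", "secret.txt")]

    with open(vulnerable_resolve(web_root, *payloads[0])) as fh:
        leaked = fh.read()  # the naive join hands back the secret

    return {
        "web_root": web_root,
        "legit": hardened_resolve(web_root, "", "report.txt").read_text(),
        "vulnerable_leaks": leaked,
        "hardened_blocked": sum(is_rejected(web_root, d, f) for d, f in payloads),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened resolver deliberately compares canonical paths rather than searching the input for `..`: a string filter misses encodings and symlinks, whereas resolving both sides and checking containment rejects every route out of the root, including a drive-letter reset on Windows.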

The practical implications of this vulnerability are significant. Unauthorized access to confidential files can facilitate the theft of intellectual property, personal data, or credentials, enabling broader network compromise or espionage. Attackers can leverage stolen data to extort victims by threatening disclosure or combining this with ransomware attacks, increasing pressure for ransom payments. Access to sensitive files might reveal additional vulnerabilities or credentials, allowing attackers lateral movement or privilege escalation within the victim’s environment.

Comparable unauthenticated flaws in other vendors' products have led to complete system takeover, for example the static root credentials in Cisco Unified CM (CVE-2025-20309), although that flaw is a hardcoded account rather than a directory traversal.

Mitigation means applying the vendor update promptly: SolarWinds released Serv-U 15.4.2 Hotfix 2 alongside the disclosure in June 2024. Enterprises are also advised to monitor web-server and Serv-U logs for traversal attempts and to avoid exposing the Serv-U web interface directly to the internet, restricting access to known clients where the deployment allows it.
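As an added example of the monitoring advice, not code from the article, Rapid7 or SolarWinds: a small scanner that runs over web-server access log lines and flags requests whose path or query parameters carry a stand-alone `..` segment after percent-decoding and separator normalisation, marking a 200 response as a likely successful read. The Apache-style combined log format, the sample lines and the `dir`/`file` parameter names are constructed for the illustration and are not Serv-U's real request format.

```python
# Added example (not from the article, Rapid7 or SolarWinds): flag directory
# traversal attempts in access logs. Log format, sample lines and the "dir"/
# "file" parameter names are constructed for illustration only.
import re
import urllib.parse

# Apache/Nginx "combined" style; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A '..' that stands alone as a path segment (not 'q1..pdf'), either separator.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

# Constructed sample: two traversal attempts via the query (one double-encoded),
# one raw path traversal, two benign requests and one line that does not parse.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2024:10:01:22 +0000] "GET /?dir=%5c..%5c..%5c..%5cwindows&file=win.ini HTTP/1.1" 200 92 "-" "curl/8.5.0"
198.51.100.9 - - [05/Jun/2024:10:02:03 +0000] "GET /?dir=%252e%252e/%252e%252e/etc&file=passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.44 - - [05/Jun/2024:10:03:10 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:10:04:41 +0000] "GET /../../etc/shadow HTTP/1.1" 400 0 "-" "curl/8.5.0"
192.0.2.44 - - [05/Jun/2024:10:05:02 +0000] "GET /?dir=reports&file=q1..pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""


def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times (catches double encoding) and
    fold backslashes to slashes so Windows-style payloads match too."""
    for _ in range(rounds):
        once = urllib.parse.unquote(value)
        if once == value:
            break
        value = once
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a stand-alone '..' segment."""
    return TRAVERSAL_RE.search(decode(value)) is not None


def scan(lines):
    """Return one finding per request whose path or query carries traversal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        url = urllib.parse.urlsplit(m["target"])
        where = []
        if has_traversal(url.path):
            where.append("path")
        for key, val in urllib.parse.parse_qsl(url.query, keep_blank_values=True):
            if has_traversal(val):
                where.append(key)
        if where:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "where": where,
                # Heuristic: a 200 on a traversal payload means the server most
                # likely handed the file back; any other status is an attempt.
                "severity": "likely-read" if m["status"] == "200" else "attempt",
            })
    return findings


def by_source(findings):
    """Count findings per client IP, useful for blocking or hunting."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(by_source(hits))
```

Matching on a decoded, separator-normalised value rather than on the raw request line is what catches the `%5c` and `%252e` variants; matching `..` only as a whole segment is what keeps file names such as `q1..pdf` from raising false positives.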

Stephen Fewer, principal security researcher at Rapid7, advises companies to immediately patch the vulnerability. Rapid7 researchers warn that exploitation activity for this vulnerability could begin soon.

SolarWinds has patched the Serv-U vulnerability and says it is not aware of any evidence that it has been exploited. Because Serv-U is a file-sharing product, every file an attacker reads through this bug loses its confidentiality.

The Securities and Exchange Commission filed civil charges against SolarWinds and its CISO in 2023, claiming it misled investors about security capabilities. SolarWinds continues to deal with the fallout from these allegations.

In a bid to share learnings with the wider security community since the Sunburst attacks, SolarWinds has worked closely with federal officials. The company is communicating with customers to apply the previously issued mitigations for the Serv-U vulnerability.

Previous high-severity vulnerabilities in file-transfer products have been targeted in smash-and-grab campaigns: attackers quickly gained access to victims and used the exfiltrated data for extortion. Examples include the MOVEit Transfer flaw (CVE-2023-34362), GoAnywhere MFT (CVE-2023-0669) and, more recently, CrushFTP (CVE-2024-4040).

In summary, CVE-2024-28995 in SolarWinds Serv-U represents a severe risk: it enables unauthenticated file reads on Windows and Linux hosts, exploitation attempts were observed once proof-of-concept code became public, and the consequences include data exfiltration, extortion and broader network compromise. The flaw adds to the company's ongoing cybersecurity challenges, and customers are advised to apply the Serv-U update promptly, monitor for exploitation attempts and follow standard hardening practices for internet-facing file-transfer services.
