HomeCyber SecuritySolarWinds Serv-U Vulnerability Under Active Attack: Patch Immediately

SolarWinds Serv-U Vulnerability Under Active Attack: Patch Immediately

SolarWinds Serv-U Vulnerability: Overview of the Vulnerability

SECRY – CVE-2024-28995 – A high-severity vulnerability in SolarWinds Serv-U file transfer software, tracked as CVE-2024-28995 with a CVSS score of 8.6, is being actively exploited by malicious actors. This directory traversal bug allows attackers to read sensitive files on the host machine. SolarWinds disclosed the vulnerability on June 5 2024, urging users to upgrade to the fixed version, Serv-U 15.4.2 HF 2, to mitigate the threat.

Affected Products and Exploitation Details

The vulnerability affects all versions of the software prior to and including Serv-U 15.4.2 HF 1. The list of products susceptible to CVE-2024-28995 includes Serv-U FTP Server 15.4, Serv-U Gateway 15.4, Serv-U MFT Server 15.4, and Serv-U File Server 15.4. Security researcher Hussein Daher of Web Immunify discovered and reported the flaw. After the public disclosure, researchers have made additional technical details and a proof-of-concept (PoC) exploit available.

Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit. They noted that the vulnerability enables external unauthenticated attackers to read any arbitrary file on disk, provided they know the file path and it is not locked. Stephen Fewer, a principal security researcher at Rapid7, emphasized in a blog post on June 11 that the flaw is “trivially exploitable” and can lead to significant data exfiltration.

Fewer wrote, “Adversaries can use high-severity information disclosure issues like CVE-2024-28995 in smash-and-grab attacks to gain access to and quickly exfiltrate data from file transfer solutions with the goal of extorting victims.”

Expert Opinions of SolarWinds Serv-U Vulnerability

Naomi Buckwalter, director of product security at Contrast Security, also warned that attackers using publicly available PoCs significantly lower the barrier to entry for malicious actors. She explained, “Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called ‘chaining.’ This can lead to a more widespread compromise, potentially impacting other systems and applications.”

Confirmation and Warning from CCB

Following the PoC exploit publication on June 13, the Centre for Cybersecurity Belgium (CCB) confirmed that exploitation of CVE-2024-28995 has begun. CCB issued a warning on X, formerly known as Twitter, urging users to patch their systems immediately.

Warning: @solarwinds Serv-U is actively exploiting CVE-2024-28995, a high-severity path traversal vulnerability. Update to the latest version to avoid exploitation,” CCB posted.

CCB’s advisory from June 10 highlighted that although the vulnerability does not allow attackers to alter files, it still poses a significant risk by granting access to sensitive data. They emphasized the importance of using monitoring and detection tools in addition to applying the update.

Moreover, threat intelligence firm GreyNoise observed that threat actors have started opportunistic attacks using this vulnerability against its honeypot servers. These attackers aim to access sensitive files, such as /etc/passwd, with attempts traced back to China.

Historical Context and Recommendations

The history of threat actors exploiting previous flaws in Serv-U software underscores the urgency to apply the patch. Rapid7 and other security experts stress the necessity of updating to Serv-U 15.4.2 HF 2 to mitigate potential threats.

“A spokesperson from Rapid7 said that a wide range of adversaries, including ransomware groups, have targeted file transfer products over the past several years.” The Clop ransomware group, for instance, exploited a zero-day vulnerability in Progress Software’s MoveIt Transfer product, impacting over two thousand downstream customer organizations last year.


To protect against this active exploitation, it is imperative that users of SolarWinds Serv-U products apply the necessary updates immediately. Ensuring systems are up-to-date and monitoring for any suspicious activity will help mitigate the risks associated with CVE-2024-28995.

–This article was written in collaboration with


A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.



Please enter your comment!
Please enter your name here

four + 2 =

Most Popular


- Advertisement -