SolarWinds Patches Multiple High-Severity Vulnerabilities in Serv-U and its Platform
June 7, 2024
SolarWinds, a leading provider of IT management software, has issued patches for numerous high-severity vulnerabilities in its Serv-U software and the SolarWinds Platform. The vulnerabilities affect versions up to and including Platform 2024.1 SR 1.
One of the vulnerabilities, designated CVE-2024-28996, was reported by a penetration tester associated with NATO. The flaw, which has a Common Vulnerability Scoring System (CVSS) score of 7.5, affects SWQL, a read-only subset of SQL that allows users to query the SolarWinds database for network information. The advisory indicates that the attack complexity for exploiting this vulnerability is high.
In addition to CVE-2024-28996, SolarWinds has addressed further flaws in its own software: a race condition issue and a stored XSS bug in the web console, tracked as CVE-2024-28999 (CVSS score 6.4) and CVE-2024-29004 (CVSS score 7.1), respectively.
SolarWinds has also rectified numerous bugs in third-party components, such as Angular, the public API function BIO_new_NDEF, the OpenSSL RSA Key generation algorithm, and the x86_64 Montgomery squaring procedure in OpenSSL.
To address these vulnerabilities, SolarWinds released version 2024.2 of its software. At this time, it is not clear whether any of these vulnerabilities have been exploited in real-world attacks.