Active Exploitation of SolarWinds Serv-U Path-Traversal Vulnerability

June 20, 2024

Threat actors are currently exploiting a path-traversal vulnerability in SolarWinds Serv-U, using publicly accessible proof-of-concept (PoC) exploits. While these attacks are not overly complex, they underscore the dangers posed by unpatched systems, underlining the critical need for administrators to implement security patches.

The vulnerability, known as CVE-2024-28995, is a severe directory traversal flaw that permits unauthenticated attackers to read any files from the filesystem by generating unique HTTP GET requests. This vulnerability is the result of insufficient path traversal sequence validation, allowing attackers to evade security measures and access confidential files. This flaw affects several SolarWinds products, particularly older versions (15.3.2 and earlier), which are already unsupported and will reach the end of life in February 2025.

The exploitation of this flaw could lead to unauthorized file access and potentially expose sensitive data, possibly resulting in an extended compromise. SolarWinds issued the 15.4.2 Hotfix 2, version, on June 5, 2024, to mitigate this vulnerability by implementing enhanced validation procedures.

Over a recent weekend, Rapid7 analysts published a technical report outlining detailed steps on how to exploit the directory traversal vulnerability in SolarWinds Serv-U to read arbitrary files from the affected system. The following day, an independent Indian researcher released a PoC exploit and a bulk scanner for CVE-2024-28995 on GitHub.

Rapid7 subsequently cautioned about the simplicity of exploiting the flaw, estimating that between 5,500 and 9,500 instances exposed to the internet are potentially vulnerable. GreyNoise established a honeypot that impersonates a vulnerable Serv-U system to observe and analyze attempts to exploit CVE-2024-28995. The analysts noted various attack methods, including manual exploitation attempts as well as automated ones.

Attackers utilize platform-specific path traversal sequences, circumventing security checks using incorrect slashes, which the Serv-U system later rectifies, allowing unauthorized file access. Typical payloads on Windows are 'GET /?InternalDir=/../../../../windows&InternalFile=win.ini' and on Linux it's 'GET /?InternalDir=........etc&InternalFile=passwd.' The most frequently targeted files observed by GreyNoise are: Attackers aim at these files to elevate their privileges or identify additional opportunities in the compromised network.

GreyNoise has reported instances where attackers seem to copy-paste exploits without testing, resulting in unsuccessful attempts. However, in other exploitation attempts originating from China, the attackers demonstrated persistence, adaptability, and a deeper understanding. According to GreyNoise, they experimented with different payloads and formats for four hours and modified their approach based on the server's responses.

With confirmed attacks in progress, it is imperative for system administrators to apply the available patches as soon as possible.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.