SolarWinds Patches Multiple High-Severity Vulnerabilities in Serv-U and its Platform

June 7, 2024

SolarWinds, a leading provider of IT management software, has issued patches to rectify numerous high-risk vulnerabilities present in its Serv-U software and the SolarWinds Platform. These vulnerabilities are present in versions up to and including Platform 2024.1 SR 1.

One of the vulnerabilities, designated CVE-2024-28996, was reported by a penetration tester associated with NATO. The flaw, which has a Common Vulnerability Scoring System (CVSS) score of 7.5, involves SWQL, a read-only subset of SQL that allows users to query the SolarWinds database for network information. The advisory indicates that the complexity of launching an attack exploiting this vulnerability is high.

In addition to the vulnerabilities within its own software, SolarWinds has also addressed several flaws within third-party companies. These include a race condition issue and a stored XSS bug in the web console, tracked as CVE-2024-28999 (CVSS score 6.4) and CVE-2024-29004 (CVSS score 7.1), respectively.

SolarWinds has also rectified numerous bugs in third-party components, such as Angular, the public API function BIO_new_NDEF, the OpenSSL RSA Key generation algorithm, and the x86_64 Montgomery squaring procedure in OpenSSL.

To address these vulnerabilities, SolarWinds released version 2024.2 of its software. At this time, it is not clear whether any of these vulnerabilities have been exploited in real-world attacks.
