TheCyberThrone

PoC Exploit released for SolarWinds flaw CVE-2024-28995


SolarWinds recently released a patch for a newly discovered path-traversal vulnerability in Serv-U, tracked as CVE-2024-28995. The vulnerability affects SolarWinds Serv-U versions 15.4.2 HF 1 and earlier. Versions 15.4.2 HF 2 and later have been patched to mitigate the issue. A working PoC exploit for the vulnerability has now been released.

CVE-2024-28995 is a path-traversal vulnerability that allows unauthenticated attackers to retrieve arbitrary files from the filesystem. The exploit can be executed via a simple GET request to the root directory (/) with the parameters InternalDir and InternalFile specifying the target folder and file, respectively. The vulnerability arises from inadequate validation of path traversal segments (../), permitting attackers to bypass security checks.


GreyNoise Intelligence deployed an advanced honeypot to gather data on exploit attempts. The honeypot closely mimics the vulnerable Serv-U application and responds as a genuine system would. Within days, GreyNoise captured several exploit attempts, including hands-on-keyboard activity.

GreyNoise’s honeypots revealed various payloads targeting critical files like /etc/passwd and Serv-U startup logs. The data showed a mix of common and customized payloads, indicating different levels of sophistication among attackers.
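For defenders reviewing web logs, the request shape described above (a GET with InternalDir or InternalFile carrying traversal segments) can be flagged with a short script. This is an added example, not code from SolarWinds or GreyNoise; the common-log-format layout and the sample lines are constructed assumptions, and the check goes slightly beyond the `../` form by also normalising backslash separators and repeated percent-encoding.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters named in the write-up as carrying the target folder and file.
WATCHED = {"internaldir", "internalfile"}
# Request line inside a common-log-format entry (log layout is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded segments are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any path segment is '..' once both slash styles are unified."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments


def suspicious_params(log_line):
    """Return the watched parameter names carrying traversal segments."""
    match = REQUEST_RE.search(log_line)
    if not match or match.group("method") != "GET":
        return []
    query = urlsplit(match.group("target")).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in WATCHED and has_traversal(value)]


# Constructed sample lines (not captured traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?InternalDir=/../../../../etc&InternalFile=passwd HTTP/1.1" 200 1024',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /?InternalDir=%252e%252e%255c%252e%252e%255cetc&InternalFile=passwd HTTP/1.1" 200 1024',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /?InternalDir=/reports&InternalFile=q1..final.txt HTTP/1.1" 200 2048',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = suspicious_params(line)
        if hits:
            print("ALERT", line.split()[0], hits)
```

Matching on whole path segments rather than the substring `..` keeps ordinary file names such as `q1..final.txt` from raising alerts.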

SolarWinds advises all users to update to Serv-U version 15.4.2 HF 2 or later to mitigate the vulnerability.
