Hackers exploit SolarWinds Serv-U CVE-2024-28995 flaw. 5,500-9,500 systems at risk. Apply Hotfix 2 now to prevent unauthorized data access

Continue reading
The cybersecurity landscape is facing a critical threat with the active exploitation of a path traversal vulnerability in SolarWinds Serv-U software. This vulnerability, identified as CVE-2024-28995, poses significant risks to unpatched systems, demanding immediate attention and remediation. The flaw allows unauthenticated attackers to read arbitrary files on affected systems by manipulating HTTP GET requests. This technical analysis delves into the nuances of the vulnerability, the exploitation methods observed, and the necessary mitigation measures.
CVE-2024-28995 is a high-severity directory traversal vulnerability in several SolarWinds Serv-U products, including:
The flaw arises from insufficient validation of path traversal sequences, allowing attackers to bypass security checks and access sensitive files. This vulnerability is particularly concerning as it does not require authentication, making it an attractive target for threat actors.
Exploiting this flaw enables attackers to read files from the filesystem, potentially exposing sensitive data and leading to further compromise. The affected versions of the software are widely deployed, amplifying the potential impact. Older versions (15.3.2 and earlier) are also vulnerable but will be unsupported after February 2025.
The availability of public PoC exploits has accelerated the exploitation of CVE-2024-28995. Over the weekend, Rapid7 analysts published a detailed technical write-up, outlining the steps to exploit this vulnerability. Following this, an independent researcher released a PoC exploit and a bulk scanner on GitHub, further simplifying the attack process.
Analysts from GreyNoise set up a honeypot to monitor exploitation attempts. They observed a range of attack strategies, from manual attempts to automated scripts.
These requests exploit the path traversal flaw to access critical files like `/etc/passwd` on Linux and `win.ini` on Windows, which contain valuable configuration data.
The exploitation process involves crafting HTTP GET requests that manipulate the directory paths to traverse the filesystem. By bypassing security checks, attackers can access files outside the intended directories.
SolarWinds released version 15.4.2 Hotfix 2 (15.4.2.157) on June 5, 2024, which addresses this vulnerability by improving the validation of path traversal sequences. Administrators should apply this update immediately to mitigate the risk.
These scripts demonstrate the simplicity of exploiting CVE-2024-28995, underscoring the need for prompt patching.
The active exploitation of CVE-2024-28995 in SolarWinds Serv-U products highlights the critical importance of timely vulnerability management. Unpatched systems are at high risk of compromise, with attackers leveraging publicly available exploits to access sensitive data. System administrators must apply the latest updates from SolarWinds to mitigate this threat. Continuous monitoring and adherence to security best practices are essential to safeguard against such vulnerabilities.
By following the structured format and rigorous analysis, this technical research provides a comprehensive understanding of the CVE-2024-28995 exploitation, offering actionable insights for cybersecurity professionals.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.