SolarWinds has fixed a critical vulnerability in its widely used Serv-U managed file transfer server that could allow remote attackers to access sensitive data.
The flaw, tracked as CVE-2024-28995, is a directory traversal vulnerability present in Serv-U versions 15.4.2 HF1 and earlier.
The Serv-U solutions, which include the Serv-U FTP server and Serv-U MFT (Managed File Transfer) server, are enterprise-grade file transfer products used across industries to enable secure file sharing and data transfers.
However, the recently discovered vulnerability could permit an unauthenticated remote attacker to leverage a relatively straightforward attack to gain unauthorized read access to any file on the target server.
"Successful exploitation allows an external unauthenticated attacker to read sensitive files on the vulnerable server, including binary files, as long as the attacker knows the file path and the target file is not locked by another process," explained researchers from the cybersecurity firm Rapid7 in a blog post analyzing the vulnerability.
Independent cybersecurity researcher Hussein Daher is credited with initially discovering and reporting the vulnerability to SolarWinds. The vulnerability has been assigned a high severity rating, with a CVSS base score indicating it can be exploited remotely without user interaction via a low-complexity attack.
While SolarWinds has not received any reports of active exploitation attempts targeting this flaw so far, cybersecurity experts warn that public disclosure could quickly lead to real-world attacks considering the severity of the bug and the ubiquity of Serv-U deployments.
According to the FOFA cybersecurity search engine, there could be well over 194,000 Serv-U instances potentially exposed to attacks over the internet.
Deep analysis of CVE-2024-28995 SolarWinds Serv-U Directory Traversal Vulnerability
— FofaBot (@fofabot) June 13, 2024
Analysis Link: https://t.co/JPCd6Y4v1g
194k results are found on the https://t.co/pb16tGYaKe nearly year.
FOFA Link: https://t.co/xAQaoGRkWh
FOFA Query: app="SolarWinds-Serv-U-FTP"… pic.twitter.com/9uFUjqEhMd
A proof-of-concept (PoC) exploit for the vulnerability has also been dropped on the internet.
File transfer products have emerged as a lucrative target for various threat actors, including ransomware gangs and cybercriminal groups, in recent years due to the sensitive nature of data transferred over such solutions.
To mitigate the risk, SolarWinds has released Serv-U 15.4.2 HF2 which includes a patch for CVE-2024-28995.
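The version boundary stated above (15.4.2 HF1 and earlier affected, 15.4.2 HF2 fixed) is easy to get wrong when inventory tools compare "15.4.2" against "15.4.2 HF1" as plain strings. The following is an added triage helper, not code from SolarWinds or the article, that parses Serv-U version strings including the HF hotfix suffix and flags hosts still running a pre-HF2 build; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed build named in the SolarWinds advisory for CVE-2024-28995.
FIXED_VERSION = "15.4.2 HF2"

# Accepts "15.4.2", "15.4.2 HF1", "15.4" and similar; the HF suffix is optional.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_servu_version(text: str) -> tuple:
    """Turn a Serv-U version string such as '15.4.2 HF1' into a comparable tuple.

    A missing patch number counts as 0 and a missing hotfix suffix counts as
    HF0, so '15.4.2' sorts before '15.4.2 HF1', which sorts before '15.4.2 HF2'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_vulnerable_to_cve_2024_28995(version: str) -> bool:
    """True when the build predates the 15.4.2 HF2 fix (i.e. 15.4.2 HF1 or earlier)."""
    return parse_servu_version(version) < parse_servu_version(FIXED_VERSION)


def triage_inventory(inventory: dict) -> list:
    """Return the hosts from a {hostname: version} map that still need the hotfix."""
    return sorted(h for h, v in inventory.items() if is_vulnerable_to_cve_2024_28995(v))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "mft-01.example.internal": "15.4.2 HF1",
        "mft-02.example.internal": "15.4.2 HF2",
        "ftp-legacy.example.internal": "15.3.0",
        "mft-03.example.internal": "15.4.2",
    }
    for host in triage_inventory(sample):
        print(f"{host}: {sample[host]} - update to Serv-U {FIXED_VERSION}")
```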
Administrators are strongly advised to update their Serv-U servers immediately to the latest patched version. Delaying the installation of security updates, even briefly, can provide ample opportunity for attackers to infiltrate vulnerable systems.