Dive Brief:
- Researchers have reproduced a high-severity vulnerability in the SolarWinds Serv-U file-transfer service that is incredibly easy to exploit, according to a blog post from Stephen Fewer, principal security researcher at Rapid7. Companies should immediately patch the vulnerability, Fewer said Tuesday.
- The directory traversal vulnerability, listed as CVE-2024-28995, allows an unauthenticated attacker to read sensitive files on the targeted server. The vulnerability has a CVSS score of 8.6.
- While no exploitation activity has taken place, Rapid7 researchers warn that could change very soon and urged users to apply a hotfix that SolarWinds issued last Wednesday.
Dive Insight:
High-severity vulnerabilities like CVE-2024-28995 have previously been targeted in smash-and-grab situations, Rapid7 said. In those cases, hackers quickly gained access to victims and used the exfiltrated data for extortion.
For example, smash-and-grab campaigns targeted vulnerabilities in the MOVEit file-transfer service (CVE-2023-34362), GoAnywhere MFT (CVE-2023-0669) and, more recently, CrushFTP (CVE-2024-4040).
Fewer said in this case an unauthenticated attacker can read arbitrary files stored on an affected Serv-U system.
“The impact of this is the total loss of confidentiality for every file the attacker reads,” Fewer said via email. “As the vulnerable product is a file sharing solution, by design there will be files located on the vulnerable system intended to be shared by users in a private and secure manner.”
SolarWinds has been working with customers to get them to apply the previously issued mitigations.
“We have disclosed and patched this vulnerability and are not aware of any evidence that this issue has been exploited,” a SolarWinds spokesperson said via email. “Because Serv-U is an on-premises software, we are communicating transparently with customers to ensure they are aware of the steps they should take to apply the patch and better protect their environments.”
The Serv-U vulnerability was discovered by security researcher Hussein Daher.
SolarWinds continues to deal with the fallout from the 2020 Sunburst attacks, as the Securities and Exchange Commission filed civil charges in 2023 against the company and its CISO claiming it misled investors about security capabilities.
The company has vehemently denied those charges and has worked closely with federal officials to share lessons learned with the wider security community since those attacks.