SolarWinds disclosed CVE-2024-28995 late last week, but security researchers expect exploitation to be only a matter of time.
A flaw in SolarWinds’ Serv-U file transfer server application has been patched, but security researchers still expect threat actors to take advantage of the vulnerability.
SolarWinds disclosed CVE-2024-28995 on 6 June, describing it as a “directory transversal vulnerability”. A hotfix was released at the same time, but now Rapid7 has revealed just how devastating the vulnerability could be.
According to Rapid7, which was able to reproduce the vulnerability, the bug is “trivially exploitable” and could let an unauthenticated user read any file on the disk. All an attacker needs to know is the file’s path, and the file must not be locked by another user who already has it open.
“High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims,” Rapid7 said in a blog post overnight.
“File transfer products have been targeted by a wide range of adversaries over the past several years, including ransomware groups.”
For instance, a flaw in Progress Software’s MOVEit file transfer program led to the Clop ransomware gang compromising thousands of companies and the data of millions of individuals.
Rapid7 suspects there are between 5,000 and 10,000 exposed – but not necessarily vulnerable – SolarWinds Serv-U installations at the time of writing.
Rapid7 recommends that users of the file transfer server upgrade to SolarWinds Serv-U 15.4.2 HF 2 as soon as possible, “without waiting for a regular patch cycle to occur”.
SolarWinds confirmed with Cyber Daily that as of writing there is no evidence of active exploitation.
"We have disclosed and patched this vulnerability and are not aware of any evidence that this issue has been exploited," a SolarWinds spokesperson said.
"Because Serv-U is an on-premises software, we are communicating transparently with customers to ensure they are aware of the steps they should take to apply the patch and better protect their environments."
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.