FortiGuard Labs Warns of Active Exploitation of SolarWinds Serv-U Vulnerability

Threat actors are actively exploiting a directory traversal vulnerability, CVE-2024-28995, which could allow attackers to access “sensitive data.”

Researchers at cybersecurity firm Fortinet have issued a warning about the active exploitation of a vulnerability in SolarWinds Serv-U file transfer software.

FortiGuard Labs issued this warning in a Threat Signals Report published on the night of July 17.

“This vulnerability, tracked as CVE-2024-28995, is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending custom requests to the target host machine,” FortiGuard Labs said in its report.

“Successful exploitation could allow access to sensitive files on the host machine. CISA added CVE-2024-28995 to its catalog of known exploited vulnerabilities (KEV) on July 17, 2024, and publicly available proof-of-concept (PoC) exploit code is available.”

FortiGuard Labs’ advice is to apply a patch or upgrade the installation.

SolarWinds disclosed CVE-2024-28995 on June 6, along with a patch for the vulnerability; in the week that followed, Rapid7 researchers predicted that hackers would eventually take advantage of the “trivially exploitable” bug.

“High severity information disclosure issues such as CVE-2024-28995 can be used in smash-and-grab attacks where adversaries access data from file transfer solutions and attempt to quickly exfiltrate it in an attempt to extort victims,” Rapid7 said at the time.

“File transfer products have been targeted by a wide range of adversaries in recent years, including ransomware groups.”

At the time of writing, Rapid7 reported that there were between 5,000 and 10,000 exposed Serv-U installations, although not all were vulnerable. FortiGuard Labs telemetry suggests that there are currently 165 exposed machines online.

SolarWinds said at the time that it was not aware of any active exploits and was “transparently communicating with customers to ensure they are aware of the steps they need to take to patch and better protect their environments.”

Cyber Daily has reached out to SolarWinds for comment.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, working for a range of print and online titles over the course of his career. He enjoys getting his feet wet in cybersecurity, especially when it allows him to talk about Lego.