SolarWinds Serv-U path-traversal flaw actively exploited in attacks

June 20, 2024 at 11:54AM

Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability using publicly available proof-of-concept exploits. The CVE-2024-28995 flaw allows unauthenticated attackers to read arbitrary files from the filesystem. SolarWinds released a fix, but public exploits are available, making it crucial for administrators to apply the security updates promptly.

The key takeaways are:

1. There is active exploitation of a SolarWinds Serv-U path-traversal vulnerability (CVE-2024-28995) by threat actors using publicly available proof-of-concept (PoC) exploits.
2. The vulnerability is a high-severity directory traversal flaw that impacts SolarWinds products, including Serv-U FTP Server 15.4, Serv-U Gateway 15.4, Serv-U MFT Server 15.4, and Serv-U File Server 15.4.2.126 and earlier.
3. SolarWinds released a hotfix, version 15.4.2.157, on June 5, 2024, to address the CVE-2024-28995 vulnerability.
4. Public exploits for the vulnerability are available: Rapid7 analysts have published detailed steps to exploit it, and an independent researcher has released a PoC exploit and bulk scanner for CVE-2024-28995 on GitHub.
5. GreyNoise has set up a honeypot to monitor and analyze exploitation attempts for CVE-2024-28995 and has observed various attack strategies, including manual and automated attempts using platform-specific path traversal sequences.
6. Attackers are targeting specific files to escalate privileges or explore secondary opportunities in breached networks. Both failed attempts and persistent, adaptable attackers have been reported.

It is crucial for system administrators to apply the available fixes, including the hotfix released by SolarWinds, as soon as possible to mitigate the risk posed by this vulnerability.
