Recent SolarWinds Serv-U Vulnerability Exploited in the Wild

June 21, 2024 at 09:21AM

Threat actors are exploiting a recently patched SolarWinds Serv-U vulnerability (CVE-2024-28995) using public proof-of-concept code, as reported by GreyNoise. The flaw is a directory traversal that lets an unauthenticated attacker read sensitive files from the host machine. Rapid7 published a technical writeup on successfully exploiting the issue and warned that it is trivially exploitable. SolarWinds customers are urged to update to Serv-U version 15.4.2 Hotfix 2 to fully address the bug. Exploitation attempts have been observed with varying levels of success, raising concern about potential widespread exploitation.

Key takeaways from the meeting notes are as follows:

1. Threat actors have been exploiting a high-severity directory traversal vulnerability (CVE-2024-28995) in SolarWinds Serv-U.
2. The flaw was addressed in Serv-U 15.4.2 hotfix 2, and Rapid7 has published a technical writeup detailing the successful exploitation of the vulnerability on both Windows and Linux using version 15.4.2.126 of the appliance.
3. The vulnerability is trivially exploitable, allowing unauthenticated attackers to read any file on disk if the path is known and the file is not locked.
4. Cybersecurity firm, GreyNoise, reported that exploitation of CVE-2024-28995 began shortly after the publication of PoC code targeting it.
5. Some attackers showed persistence and better understanding of the attack method, with attempts targeting credentials, Serv-U FTP server startup logs, and Windows configuration settings.
6. One attacker, likely Chinese-speaking, was observed refining their exploit over four hours and experimenting with various payloads.
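The takeaways above describe a classic directory traversal: a user-supplied path is joined onto a base directory without confirming that the result stays inside it, so ".." segments (raw, URL-encoded, or with Windows backslashes) climb out of the intended directory. The following is an added illustration written for this page, not SolarWinds Serv-U code and not Rapid7's or GreyNoise's tooling; it does not reproduce the CVE-2024-28995 request itself. It shows a naive file read beside a hardened one, then a small check of the kind a defender could run over web access logs to flag traversal attempts similar to those GreyNoise reported (probes for credentials, logs, and Windows configuration). The web root, the "secret" file, the `dir`/`file` query parameters and the log lines are all constructed for the demo.

```python
"""Directory traversal: naive file read beside a hardened one, plus log triage.

Added example, not Serv-U code. Builds a throwaway directory tree so it runs
offline; the files and log lines below are constructed sample data.
"""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote


def make_sandbox():
    """Constructed layout: a web root with one public file, and a secret
    file one level above it (standing in for credentials on the host)."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "webroot"
    webroot.mkdir()
    (webroot / "index.html").write_text("public page\n")
    (base / "secret.conf").write_text("password=hunter2\n")
    return base, webroot


def read_file_vulnerable(webroot, user_path):
    """Naive join: '..' segments in user_path escape the web root."""
    return Path(os.path.join(webroot, user_path)).read_text()


def read_file_hardened(webroot, user_path):
    """Decode once, normalise separators, resolve, and refuse anything that
    does not sit at or below the web root."""
    root = webroot.resolve()
    candidate = (root / unquote(user_path).replace("\\", "/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {user_path!r}")
    return candidate.read_text()


def looks_like_traversal(request_target):
    """True when any path or query component is '..' after decoding.
    Two unquote passes catch double-encoded probes (%252e%252e%252f)."""
    decoded = unquote(unquote(request_target))
    segments = re.split(r"[/\\?&=]", decoded)
    return ".." in segments


# Constructed access-log lines in common log format (not Serv-U's log format).
LOG_LINES = [
    '10.0.0.5 - - [21/Jun/2024:09:00:01 +0000] "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - [21/Jun/2024:09:00:02 +0000] "GET /?dir=/../../../../etc&file=passwd HTTP/1.1" 200',
    '10.0.0.9 - - [21/Jun/2024:09:00:03 +0000] "GET /?dir=..%5c..%5c..%5cwindows&file=win.ini HTTP/1.1" 200',
    '10.0.0.9 - - [21/Jun/2024:09:00:04 +0000] "GET /?dir=%252e%252e%252f%252e%252e%252fetc&file=passwd HTTP/1.1" 200',
]


def suspicious_requests(log_lines):
    """Return the request targets in log_lines that carry traversal segments."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and looks_like_traversal(m.group(1)):
            hits.append(m.group(1))
    return hits


def demo():
    """Exercise both readers against the sandbox and report what happened."""
    _base, webroot = make_sandbox()
    results = {}
    # Naive read follows '..' out of the root and returns the secret.
    results["vulnerable"] = read_file_vulnerable(webroot, "../secret.conf")
    # Hardened read rejects the same input, and an encoded Windows-style one.
    blocked = 0
    for probe in ("../secret.conf", "..%5c..%5csecret.conf", "/etc/passwd"):
        try:
            read_file_hardened(webroot, probe)
        except (PermissionError, FileNotFoundError):
            blocked += 1
    results["hardened_blocked"] = blocked
    # Legitimate path inside the root still works.
    results["hardened_ok"] = read_file_hardened(webroot, "index.html")
    return results


if __name__ == "__main__":
    print(demo())
    for target in suspicious_requests(LOG_LINES):
        print("traversal attempt:", target)
```

The hardened reader resolves the candidate path before comparing it with the root, so symlinks and ".." are collapsed by the OS rather than by string matching; the log check decodes twice on purpose, because a single pass misses the double-encoded form attackers fall back to when a first probe fails.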

The meeting notes also highlighted related vulnerabilities in other systems, such as the Chrome 126 update and unpatched Akuvox Smart Intercom vulnerabilities.
