CVE-2024-28995
published 2024-06-06

CVE-2024-28995: SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow an attacker to read sensitive files on the host machine.

Priority: P1 · 87 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2024-08-07)
Exploited in the wild
EPSS: 99.61% (99.9th percentile)

Affected (3 ranges)

  Vendor      Product            Version range   Fixed in
  solarwinds  serv-u             < 15.4.2        15.4.2
  solarwinds  serv-u
  solarwinds  solarwinds_serv-u

Detection & IOCs (extracted from sources)

  url      /?InternalDir=/../../../../windows&InternalFile=win.ini
  url      /?InternalDir=\..\..\..\..\etc&InternalFile=passwd
  version  SolarWinds Serv-U < 15.4.2.157 (prior to 15.4.2 Hotfix 2)
  yara     regex: ["root:.*:0:0:", "\\[(font|extension|file)s\\]"] condition: or
  • Detect exploitation attempts by monitoring HTTP GET requests containing the query parameters 'InternalDir' and 'InternalFile' with directory traversal sequences (e.g., '../', '..\').
  • Responses containing 'root:.*:0:0:' (Linux /etc/passwd content) or '[fonts]', '[extensions]', '[files]' sections (Windows win.ini content) in the HTTP body indicate successful exploitation.
  • Confirm Serv-U is present in the HTTP response header ('Serv-U' in header) combined with HTTP 200 status to identify vulnerable/targeted servers.
  • Use Shodan query 'html:"Serv-U"' or FOFA query 'server="Serv-U"' to identify internet-exposed Serv-U instances for proactive asset discovery.
  • Exploitation is unauthenticated and requires no user interaction; any GET request with traversal sequences in InternalDir/InternalFile parameters from external IPs should be treated as a high-priority alert.
  • Both automated (PoC-based) and manual (hands-on-keyboard) exploitation attempts have been observed in the wild; look for repeated or iterative traversal attempts from the same source IP as indicators of manual attacker activity.
  • Only SolarWinds Serv-U versions 15.4.2 HF 1 and prior are vulnerable; version 15.4.2 HF 2 (15.4.2.157) contains the fix. Ensure the patched version is confirmed before deprioritizing alerts.
  • The vulnerability affects Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4; all three product lines should be assessed, not just the FTP server component.
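The detection points above, turned into runnable logic as an added example (this is not code from the page's sources or from SolarWinds). It assumes a combined-format web access log, constructs a few sample log lines and two sample response bodies inline, and uses hypothetical function names; the request check, the response-body check, the repeat-source heuristic and the version comparison against 15.4.2.157 each follow one of the bullets above:

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (combined-log style), not real traffic.
# The first two requests mirror the traversal URLs listed under Detection & IOCs;
# the last two are a benign Serv-U request and an unrelated request for contrast.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jun/2024:12:00:01 +0000] "GET /?InternalDir=/../../../../windows&InternalFile=win.ini HTTP/1.1" 200 512
203.0.113.10 - - [06/Jun/2024:12:00:05 +0000] "GET /?InternalDir=%5C..%5C..%5C..%5C..%5Cetc&InternalFile=passwd HTTP/1.1" 200 1024
198.51.100.7 - - [06/Jun/2024:12:01:00 +0000] "GET /?InternalDir=/Client/Common&InternalFile=logo.png HTTP/1.1" 200 2048
198.51.100.7 - - [06/Jun/2024:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

# Constructed response bodies standing in for leaked /etc/passwd and win.ini content.
SAMPLE_PASSWD_BODY = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
SAMPLE_WININI_BODY = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")               # '../' or '..\'
PASSWD_RE = re.compile(r"root:.*:0:0:")                  # Linux /etc/passwd root entry
WININI_RE = re.compile(r"\[(fonts|extensions|files)\]")  # Windows win.ini sections
TARGET_PARAMS = ("InternalDir", "InternalFile")
FIXED_BUILD = (15, 4, 2, 157)                            # 15.4.2 Hotfix 2


def parse_log_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal_request(target):
    """True if InternalDir/InternalFile in the request target carry a traversal sequence."""
    qs = parse_qs(urlparse(target).query, keep_blank_values=True)
    for param in TARGET_PARAMS:
        for value in qs.get(param, []):
            # parse_qs already percent-decodes once; unquote again so a
            # double-encoded sequence such as %252E%252E%252F is also caught.
            if TRAVERSAL_RE.search(unquote(value)):
                return True
    return False


def find_traversal_attempts(log_text):
    """Return (ip, target, status) for every GET whose parameters contain traversal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["method"] == "GET" and is_traversal_request(rec["target"]):
            hits.append((rec["ip"], rec["target"], int(rec["status"])))
    return hits


def repeat_sources(hits, threshold=2):
    """Source IPs with at least `threshold` attempts: a hint of hands-on-keyboard activity."""
    counts = {}
    for ip, _target, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def response_indicates_success(status, headers, body):
    """True when a 200 from a server identifying as Serv-U carries passwd or win.ini content."""
    served_by_serv_u = any("Serv-U" in v for v in headers.values())
    if status != 200 or not served_by_serv_u:
        return False
    return bool(PASSWD_RE.search(body) or WININI_RE.search(body))


def is_vulnerable_version(version):
    """True for builds below 15.4.2.157; missing trailing components count as 0."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (len(FIXED_BUILD) - len(parts))
    return parts[: len(FIXED_BUILD)] < FIXED_BUILD


if __name__ == "__main__":
    attempts = find_traversal_attempts(SAMPLE_LOG)
    for ip, target, status in attempts:
        print(f"traversal attempt from {ip}: {target} -> {status}")
    print("repeat sources:", repeat_sources(attempts))
    print("passwd leak:", response_indicates_success(200, {"Server": "Serv-U/15.4"}, SAMPLE_PASSWD_BODY))
    print("15.4.2.150 vulnerable:", is_vulnerable_version("15.4.2.150"))
```

The request check decodes the query twice on purpose: a single decode is what the server sees, and the second catches attackers who double-encode the dots and slashes to slip past naive string matching. The response check deliberately requires both a 200 and a Serv-U marker in the headers, per the bullets above; drop the header condition if the target sits behind a proxy that rewrites the Server header.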

CVSS provenance

  Source     Version  Score  Severity  Vector
  nvd        v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  vulncheck           8.6    HIGH
  cisa                7.5    HIGH