CVE-2024-28995
Published 2024-06-06
CVE-2024-28995: SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
Priority P187 · high · 7.5 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:N · A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2024-08-07
Exploited in the wild
EPSS: 99.61% (99.9th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u | < 15.4.2 | 15.4.2 |
| solarwinds | serv-u | — | — |
| solarwinds | solarwinds_serv-u | — | — |
Detection & IOCs
yara
regex: ["root:.*:0:0:", "\\[(font|extension|file)s\\]"] condition: or
- Detect exploitation attempts by monitoring HTTP GET requests containing the query parameters 'InternalDir' and 'InternalFile' with directory traversal sequences (e.g., '../', '..\').
- Responses containing 'root:.*:0:0:' (Linux /etc/passwd content) or '[fonts]', '[extensions]', '[files]' sections (Windows win.ini content) in the HTTP body indicate successful exploitation.
- Confirm Serv-U is present in the HTTP response header ('Serv-U' in header) combined with HTTP 200 status to identify vulnerable/targeted servers.
- Use Shodan query 'html:"Serv-U"' or FOFA query 'server="Serv-U"' to identify internet-exposed Serv-U instances for proactive asset discovery.
- Exploitation is unauthenticated and requires no user interaction; any GET request with traversal sequences in InternalDir/InternalFile parameters from external IPs should be treated as a high-priority alert.
- Both automated (PoC-based) and manual (hands-on-keyboard) exploitation attempts have been observed in the wild; look for repeated or iterative traversal attempts from the same source IP as indicators of manual attacker activity.
- Only SolarWinds Serv-U versions 15.4.2 HF 1 and prior are vulnerable; version 15.4.2 HF 2 (15.4.2.157) contains the fix. Ensure patched version is confirmed before deprioritizing alerts.
- The vulnerability affects Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All three product lines should be assessed, not just the FTP server component.
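The request and response checks listed above, combined into one triage routine as an added example (not code from any of the cited sources). The event field names, the repeat threshold of 3 and the sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Body patterns quoted on this page: /etc/passwd and win.ini section headers.
LEAK_RE = re.compile(r"root:.*:0:0:|\[(font|extension|file)s\]")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\ once fully decoded
REPEAT_THRESHOLD = 3  # assumption: tune to your own traffic

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f becomes ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(method, uri):
    """True for a GET carrying both parameters with ../ or ..\\ in either value."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if method.upper() != "GET" or not params.keys() >= {"InternalDir", "InternalFile"}:
        return False
    values = params["InternalDir"] + params["InternalFile"]
    return any(TRAVERSAL_RE.search(fully_decode(v)) for v in values)

def triage(events):
    """Return (alerts, sources with at least REPEAT_THRESHOLD traversal attempts)."""
    attempts, alerts = Counter(), []
    for ev in events:
        if not is_traversal_request(ev["method"], ev["uri"]):
            continue
        attempts[ev["src"]] += 1
        # Confirmed read: HTTP 200 from a Serv-U server whose body shows file content.
        leaked = (ev["status"] == 200 and "Serv-U" in ev["server"]
                  and LEAK_RE.search(ev["body"]) is not None)
        alerts.append((ev["src"], "file-read-confirmed" if leaked else "attempt"))
    return alerts, sorted(s for s, n in attempts.items() if n >= REPEAT_THRESHOLD)

def mk(src, uri, status=404, body="", method="GET", server="Serv-U"):
    """Build one event in the constructed schema used by triage()."""
    return dict(src=src, method=method, uri=uri, status=status, server=server, body=body)

# Constructed sample events (documentation IP ranges), not real traffic.
SAMPLE_EVENTS = [
    mk("203.0.113.7", "/?InternalDir=/../../../../etc&InternalFile=passwd", 200, "root:x:0:0:root:/root:/bin/sh\n"),
    mk("203.0.113.7", "/?InternalDir=%5C..%5C..%5CWindows&InternalFile=win.ini"),
    mk("203.0.113.7", "/?InternalDir=%252e%252e%252f%252e%252e%252fetc&InternalFile=passwd"),
    mk("198.51.100.20", "/?InternalDir=/reports&InternalFile=q2.pdf", 200, "%PDF-1.7"),
    mk("192.0.2.5", "/login", 200, "<html>"),
]
```

Decoding before matching is what catches the double-encoded third event, which a single-pass match on the raw URI would miss.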
CVSS provenance
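| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | | 8.6 | HIGH | |
| cisa | | 7.5 | HIGH | |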
GHSA
GHSA-gr87-q8xh-gq3c: SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine
ghsa_unreviewed·2024-06-06
CVE-2024-28995 [HIGH] CWE-22 GHSA-gr87-q8xh-gq3c: SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine
VulnCheck
SolarWinds Serv-U Path Traversal Vulnerability
vulncheck·2024·CVSS 8.6
CVE-2024-28995 [HIGH] CWE-22 SolarWinds Serv-U Path Traversal Vulnerability
SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine.
Affected: SolarWinds Serv-U
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-25&host_type=src&vulnerability=cve-2024-28995; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-27&host_type=src&vulnerability=cve-2024-28995; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-28&host_t
CISA
SolarWinds Serv-U Path Traversal Vulnerability
cisa·2024-07-17·CVSS 7.5
CVE-2024-28995 [HIGH] CWE-22 SolarWinds Serv-U Path Traversal Vulnerability
Vulnerability: SolarWinds Serv-U Path Traversal Vulnerability
Affected: SolarWinds Serv-U
SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995; https://nvd.nist.gov/vuln/detail/CVE-2024-28995
Remediation Due Date: 2024-08-07
Suricata
ET EXPLOIT Solarwinds Serv-U Directory Traversal Attempt Inbound (CVE-2024-28995)
suricata·2024-06-23·CVSS 8.6
CVE-2024-28995 [HIGH] ET EXPLOIT Solarwinds Serv-U Directory Traversal Attempt Inbound (CVE-2024-28995)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Solarwinds Serv-U Directory Traversal Attempt Inbound (CVE-2024-28995)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?InternalDir="; fast_pattern; pcre:"/^.{0,10}(?:\x2f|\x5c|%5[Cc]|%2[Ff])?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"&InternalFile="; reference:url,www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/; reference:cve,2024-28995; classtype:attempted-admin; sid:2053801; rev:2; metadata:affected_product SolarWinds, created_at 2024_06_23, cve CVE_2024_28995, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag
Exploit-DB
SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
exploitdb·2025-05-29·CVSS 8.6
CVE-2024-28995 [HIGH] SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
---
# Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
# Date: 2025-05-28
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server
# Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration
# Version: =1.26.0 , colorama>=0.4.4 , requests>=2.25.0
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import concurrent.futures
import json
import os
import re
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urlparse
import requests
from colorama import Fore, Back, Style, init
# Initialize colorama
init(aut
Metasploit
SolarWinds Serv-U Unauthenticated Arbitrary File Read
metasploit
This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.
Nuclei
SolarWinds Serv-U - Directory Traversal
nuclei·CVSS 7.5
CVE-2024-28995 [HIGH] SolarWinds Serv-U - Directory Traversal
SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
Template:
id: CVE-2024-28995
info:
  name: SolarWinds Serv-U - Directory Traversal
  author: DhiyaneshDK
  severity: high
  description: |
    SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
  impact: |
    Attackers can traverse directories and access sensitive files outside the intended directory structure.
  remediation: |
    Update SolarWinds Serv-U to a version that patches the directory traversal vulnerability.
  reference:
    - https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis
    - https://nvd.nist.gov/vuln/detai
Bleepingcomputer
CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
blogs_bleepingcomputer·2026-06-05·CVSS 7.5
CVE-2026-28318 [HIGH] CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
## CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.
Serv-U is the company's Windows and Linux file transfer software that offers Managed File Transfer (MFT) and FTP server capabilities, which allow users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP.
SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch this denial-of-service vulnerability (tracked as CVE-2026-28318) and said it stems from an uncontrolled resource consumption weakness.
"SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service w
Bleepingcomputer
Critical SolarWinds Serv-U flaws offer root access to servers
blogs_bleepingcomputer·2026-02-24·CVSS 9.0
[CRITICAL] Critical SolarWinds Serv-U flaws offer root access to servers
## Critical SolarWinds Serv-U flaws offer root access to servers
## Sergiu Gatlan
SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers.
Serv-U is the company's self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S.
The most severe of the four security flaws patched by SolarWinds today in Serv-U 15.5.4 is tracked as CVE-2025-40538, and it allows attackers with high privileges to gain root or admin permissions on vulnerable servers.
"A broken access control vulnerability exists in Serv-U which, when exploited, gives
Greynoiseio
What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)?
blogs_greynoiseio·2024-09-30·CVSS 8.6
[HIGH] What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)?
Tenable
CVE-2024-28995: SolarWinds Serv-U Path/Directory Traversal Vulnerability Exploited in the Wild
blogs_tenable·2024-06-21·CVSS 8.6
[HIGH] CVE-2024-28995: SolarWinds Serv-U Path/Directory Traversal Vulnerability Exploited in the Wild
Greynoiseio
SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!
blogs_greynoiseio·2024-06-18·CVSS 8.6
[HIGH] SolarWinds Serv-U (CVE-2024-28995) exploitation: We see you!
Greynoiseio
NoiseLetter June 2024
blogs_greynoiseio
2024-06-06: Published
2024-07-17: Added to CISA KEV
Exploited in the wild