Threat intelligence firm GreyNoise reports that attackers are actively exploiting CVE-2024-28995, a vulnerability in SolarWinds Serv-U, using publicly available exploit code.
CVE-2024-28995 is rated high severity with a CVSS score of 8.6. It is a directory traversal flaw that allows an unauthenticated remote attacker to read arbitrary files on the host, including sensitive ones. The vulnerability was disclosed on June 6 and affects Serv-U 15.4.2 HF 1 and earlier.
GreyNoise began monitoring for exploitation after Rapid7 published a technical analysis and proof-of-concept exploit code. A GitHub user known as "bigb0x" also released a PoC and a scanner for bulk-checking SolarWinds Serv-U installations for the flaw.
"The vulnerability is quite simple and is executed through a GET request to the root (/) with the InternalDir and InternalFile parameters pointing to the desired file," explained GreyNoise. "InternalDir represents a directory and is checked for the absence of directory traversal segments (../), while InternalFile is the file name."
Since last weekend (June 15-16), GreyNoise researchers have observed attempts to exploit this vulnerability. Some of the attempts, which failed, relied on the publicly available PoC exploits as published; others were more refined and were likely carried out by attackers who understood the bug.
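The following Python script is an added example (not code from GreyNoise's report, Rapid7, or SolarWinds) showing how a defender could flag requests of the shape described above in web-server access logs. It goes beyond the literal `../` sequence the quote mentions: it also catches backslash traversal (`..\`), URL-encoded and double-encoded forms, and case variants of the parameter names, since a filter that looks only for the literal string `../` misses all of those. The log lines, IP addresses and paths are constructed for the demonstration, the combined-log format and the decoding depth of three rounds are assumptions, and the script is a detector, not a scanner or exploit.

```python
"""Flag CVE-2024-28995-style InternalDir traversal attempts in access logs."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log format; they are not real traffic.
SAMPLE_LOGS = [
    '203.0.113.10 - - [16/Jun/2024:02:14:07 +0000] '
    '"GET /?InternalDir=\\..\\..\\..\\..\\windows\\&InternalFile=win.ini HTTP/1.1" 200 403',
    '203.0.113.11 - - [16/Jun/2024:02:15:19 +0000] '
    '"GET /?InternalDir=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc&InternalFile=passwd HTTP/1.1" 200 1832',
    '203.0.113.12 - - [16/Jun/2024:02:16:03 +0000] '
    '"GET /?internaldir=%252e%252e%252f%252e%252e%252fetc&internalfile=shadow HTTP/1.1" 200 0',
    '198.51.100.7 - - [16/Jun/2024:02:16:40 +0000] '
    '"GET /?InternalDir=Client&InternalFile=Login.htm HTTP/1.1" 200 4096',
    '198.51.100.8 - - [16/Jun/2024:02:17:02 +0000] '
    '"GET /Web%20Client/Login.htm HTTP/1.1" 200 4096',
]

# Source address, and the method and request target out of the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# A ".." path segment delimited by either slash style, or at string start/end.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Undo URL encoding repeatedly so double-encoded payloads are seen.

    max_rounds is an assumed cap; it only needs to exceed the nesting attackers use.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(target):
    """Return {lowercased name: raw value} for the query string of a request target.

    Done by hand rather than with parse_qs so the raw, still-encoded value survives
    and parameter names can be matched case-insensitively.
    """
    query = target.partition('?')[2]
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params[name.lower()] = value
    return params


def inspect_line(line):
    """Return a finding dict if the line carries a traversal in InternalDir, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    params = parse_query(m.group('target'))
    if 'internaldir' not in params:
        return None
    internal_dir = fully_decode(params['internaldir'])
    if not TRAVERSAL_RE.search(internal_dir):
        return None
    return {
        'src': m.group('src'),
        'raw': params['internaldir'],
        'internal_dir': internal_dir,
        'internal_file': fully_decode(params.get('internalfile', '')),
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOGS):
        print(f"{finding['src']}: InternalDir={finding['internal_dir']!r} "
              f"InternalFile={finding['internal_file']!r} (raw {finding['raw']!r})")
```

The benign request with `InternalDir=Client` and the request that never touches the parameter produce no finding, while the three traversal variants do. Matching on the decoded `..` segment rather than on a fixed string is the point: the plain `../` form, the Windows `..\` form, and the single- and double-encoded forms all collapse to the same thing after decoding. The detector deliberately does not flag absolute paths or other non-traversal values, so pair it with the Serv-U logs and the vendor fix rather than treating it as a complete control.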
Experts warn that the ongoing exploitation attempts could have serious security consequences. They advise administrators running SolarWinds Serv-U to update promptly to a fixed release (SolarWinds addressed CVE-2024-28995 in Serv-U 15.4.2 HF 2) and to review access logs for requests carrying traversal sequences in the InternalDir parameter.