- 183/2024
- High
SolarWinds has released a security update to address a vulnerability across multiple SolarWinds products.
The addressed vulnerability could allow the unauthenticated attacker to traverse directories and read sensitive files from the host machine on the affected system by sending specific HTTP GET requests.
SolarWinds Serv-U Directory Traversal Vulnerability (CVE-2024-28995):
- CVSS: 8.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
Affected Products:
- Serv-U FTP Server 15.4.
- Serv-U Gateway 15.4.
- Serv-U MFT Server 15.4.
- Serv-U File Server 15.4.2.126 and earlier.
- Older versions (15.3.2 and earlier) are also affected but will reach the end of life in February 2025 and are already unsupported.
It should be highlighted that SolarWinds is aware that the vulnerability “CVE-2024-28995” is being exploited in the wild.
Vulnerabilities
CVE-2024-28995
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.