CVE-2024-28995
Published: 06 June 2024
Summary
CVE-2024-28995 is a high-severity Path Traversal (CWE-22) vulnerability in SolarWinds Serv-U. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
SolarWinds Serv-U is affected by a directory traversal vulnerability tracked as CVE-2024-28995 and assigned CWE-22. The flaw allows an attacker to read sensitive files on the underlying host machine. It carries a CVSS 3.1 score of 8.6, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and changed scope with high confidentiality impact.
Because no authentication is required, a remote attacker can exploit the weakness over the network to retrieve arbitrary files, potentially exposing credentials, configuration data, or other sensitive information stored on the Serv-U host.
SolarWinds has published mitigation guidance in its security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28995. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog.
The associated EPSS score currently stands at 0.9440 with a recorded peak of 0.9647, indicating a high likelihood of exploitation in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26057
Vulnerability details
SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.
- CWE(s): CWE-22
- KEV Date Added: 17 July 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates file-path inputs to reject directory traversal sequences before they can reach the underlying file system.
- SI-2 (Flaw Remediation): requires prompt application of vendor patches that eliminate the path-traversal flaw in Serv-U.
- AC-3 (Access Enforcement): enforces access-control policy on files so that even a successful traversal cannot return data the subject is not authorized to read.
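The SI-10 control above, shown as an added defensive example that is not SolarWinds or Serv-U code: a file-serving handler resolves the requested path against its document root and refuses anything that lands outside it. The root directory and the request strings are constructed for illustration, and the handler is assumed to receive the request already URL-decoded.

```python
import os
from typing import Dict, Optional

# Added example, not SolarWinds or Serv-U code: a server-side guard for the
# CWE-22 weakness class behind CVE-2024-28995. The base directory and the
# request strings used below are constructed for illustration.

def resolve_in_base(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical on-disk path for `requested` if it resolves inside
    `base_dir`, otherwise None.

    The decision is made on the resolved path, not on the raw request string,
    so '..' segments, backslash separators, absolute paths and symlinks that
    point outside the root are all caught by one containment check. Callers
    must pass the request already URL-decoded; this function does not decode.
    """
    if "\x00" in requested:  # an embedded NUL would truncate the path
        return None
    base = os.path.realpath(base_dir)
    # Treat every request as relative to the root: unify separators and drop
    # leading slashes so an absolute request cannot replace the base.
    relative = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, relative))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def classify_requests(base_dir: str, requests) -> Dict[str, bool]:
    """Map each request string to True (served) or False (rejected)."""
    return {r: resolve_in_base(base_dir, r) is not None for r in requests}


if __name__ == "__main__":
    # Constructed sample requests mixing legitimate paths with traversal attempts.
    samples = [
        "docs/readme.txt",
        "a/../b.txt",
        "../../etc/passwd",
        "..\\..\\windows\\win.ini",
        "docs/../../secret.cfg",
    ]
    for req, ok in classify_requests("/srv/servu/root", samples).items():
        print(f"{'serve ' if ok else 'reject'}  {req!r}")
```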