Cyber Resilience

CVE-2024-28995

HighCISA KEVActive ExploitationEUVD Exploited

Published: 06 June 2024

Published
06 June 2024
Modified
26 February 2026
KEV Added
17 July 2024
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.9440 100.0th percentile
Risk Priority 94 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-28995 is a high-severity Path Traversal (CWE-22) vulnerability in Solarwinds Serv-U. Its CVSS base score is 8.6 (High).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

SolarWinds Serv-U is affected by a directory traversal vulnerability tracked as CVE-2024-28995 and assigned CWE-22. The flaw allows an attacker to read sensitive files on the underlying host machine and carries a CVSS 3.1 score of 8.6 reflecting network attack vector, low complexity, no required privileges or user interaction, and changed scope with high confidentiality impact.

Unauthenticated remote attackers can exploit the weakness over the network to retrieve arbitrary files without authentication, potentially exposing credentials, configuration data, or other sensitive information stored on the Serv-U host.

SolarWinds has published mitigation guidance in its security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28995. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog.

The associated EPSS score currently stands at 0.9440 with a recorded peak of 0.9647, indicating a high likelihood of exploitation in the wild.

EU & UK References

Vulnerability details

SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.

CWE(s)
KEV Date Added
17 July 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

solarwinds
serv-u
15.4.2 · ≤ 15.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates file-path inputs to reject directory traversal sequences before they can reach the underlying file system.

prevent

Requires prompt application of vendor patches that eliminate the path-traversal flaw in Serv-U.

prevent

Enforces access-control policy on files so that even a successful traversal cannot return data the subject is not authorized to read.

References