Cyber Resilience

CVE-2024-45711

Severity: High
Published: 16 October 2024
Modified: 17 October 2024
KEV Added: not listed
Patch: see vendor advisory
CVSS v3.1 Score: 7.5 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1069 (93.5th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45711 is a high-severity path traversal (CWE-22) vulnerability in SolarWinds Serv-U. Its CVSS base score is 7.5 (High).

Operationally, its EPSS score places it in the top 6.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

SolarWinds Serv-U is affected by a directory traversal vulnerability, identified as CVE-2024-45711 and assigned CWE-22, that can permit remote code execution depending on the privileges assigned to an authenticated user. The flaw is triggered through abuse of software environment variables and carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, high attack complexity, low privileges required, no user interaction, and high impact across confidentiality, integrity, and availability.

An authenticated user can exploit the issue remotely, though the high attack complexity limits the conditions under which code execution or other unauthorized actions become possible.

The SolarWinds advisory published at https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-45711 provides official guidance on the vulnerability. The associated EPSS score has remained flat at 0.1069 with no material rise observed since disclosure.

EU & UK References

Vulnerability details

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and is present when software environment variables are abused. Authentication is required for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: solarwinds
Product: serv-u
Versions: ≤ 15.5

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
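The control above is the generic CWE-22 mitigation: canonicalise every user-supplied path and confirm it still lies under the directory the user is allowed to see. Because the advisory text ties this CVE to abuse of environment variables, the example below also shows why the order of operations matters: any expansion or decoding the server performs has to happen before the containment check, not after. This is an added illustration written for this page, not Serv-U code or SolarWinds' fix; the %NAME% variable syntax, the per-user root directory and the sample inputs are all constructed assumptions.

```python
"""Added example: confine user paths under a root, with expansion ordering.

Hypothetical helper, not Serv-U code. Assumes %NAME% tokens as the
variable syntax and a per-user root directory; both are constructed.
"""
from pathlib import Path
from typing import Optional


def expand_variables(raw: str, variables: dict) -> str:
    """Substitute %NAME% tokens from a caller-supplied table (constructed
    stand-in for whatever expansion a real server performs)."""
    out = raw
    for name, value in variables.items():
        out = out.replace(f"%{name}%", value)
    return out


def confine(root: str, candidate: str) -> Optional[Path]:
    """Return candidate resolved under root, or None if it escapes root."""
    if "\x00" in candidate:  # an embedded NUL truncates paths in C-based APIs
        return None
    root_dir = Path(root).resolve()
    # Treat backslashes as separators and a leading slash as the user's
    # virtual root, so '/docs/x' and '\\docs\\x' both mean root/docs/x.
    relative = candidate.replace("\\", "/").lstrip("/")
    resolved = (root_dir / relative).resolve()  # collapses '..' and symlinks
    try:
        resolved.relative_to(root_dir)  # raises ValueError when outside root
    except ValueError:
        return None
    return resolved


def check_then_expand(root: str, raw: str, variables: dict) -> Optional[Path]:
    """Wrong order: validates the raw string, then expands variables.
    Expansion after the check can reintroduce '..' components."""
    if confine(root, raw) is None:
        return None
    return Path(root).resolve() / expand_variables(raw, variables).lstrip("/")


def expand_then_check(root: str, raw: str, variables: dict) -> Optional[Path]:
    """Correct order: expand everything first, then validate the result."""
    return confine(root, expand_variables(raw, variables))


if __name__ == "__main__":
    root = "/srv/ftp/alice"            # constructed per-user root
    vars_ = {"SUBDIR": "../../etc"}    # constructed attacker-influenced value
    for raw in ["docs/report.txt", "../bob/notes.txt", "%SUBDIR%/passwd"]:
        print(f"{raw!r} -> {expand_then_check(root, raw, vars_)}")
```

With the constructed table, `%SUBDIR%/passwd` looks harmless to a check that runs on the raw string, because `%SUBDIR%` is just a directory name at that point; once expanded it becomes `../../etc/passwd` and `expand_then_check` rejects it. The same principle applies to percent-decoding, Unicode normalisation and any other transformation the server performs on a path: validate the final form, the one actually handed to the filesystem.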

References