Alert essentials:
A directory traversal vulnerability in SolarWinds Serv-U is being actively exploited. A successful attacker can read files from the underlying operating system.

Upgrade Serv-U to the version that includes the available hotfix.



Detailed threat description:
A high-severity directory traversal vulnerability in SolarWinds Serv-U is being exploited in the wild. The vulnerability arises from inadequate validation of path traversal segments, which lets attackers bypass the server's path security checks. The exploit can be executed via a simple GET request to the root directory.
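Because the flaw is a failure to validate traversal segments in a GET request path, one defensive check is to hunt access logs for requests whose path, once decoded and normalized, contains a bare `..` segment. The following is an added example, not code from the advisory or from SolarWinds; the log layout (client, method, path, status) and the sample lines are constructed for illustration and do not reflect Serv-U's native log format.

```python
"""Detect directory-traversal attempts in HTTP access logs."""
import re
from urllib.parse import unquote

# Constructed sample lines (assumed layout: client method path status).
# The fourth and fifth lines show encoded and Windows-style variants that a
# naive substring check for "../" would miss.
SAMPLE_LOG = r"""
10.0.0.5 GET /Web%20Client/ 200
10.0.0.7 GET /../../../../windows/win.ini 200
10.0.0.7 GET /%2e%2e/%2e%2e/etc/passwd 200
10.0.0.9 GET /%252e%252e/%252e%252e/boot.ini 200
10.0.0.9 GET /..\..\..\windows\system32\drivers\etc\hosts 200
10.0.0.5 GET /docs/release..notes.txt 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
MAX_DECODE_ROUNDS = 3  # bound repeated decoding so crafted input cannot loop


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..' is exposed,
    then fold backslashes to forward slashes so Windows-style segments are
    compared on the same footing as POSIX ones."""
    path = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw_path: str) -> bool:
    """True when any path segment is exactly '..' after normalization.
    Segment comparison avoids false positives such as 'release..notes.txt'."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def find_traversal_attempts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, raw_path, normalized_path) for each suspicious line.
    A 200 status on such a request suggests the server's check was bypassed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        if has_traversal(path):
            hits.append((client, path, normalize_path(path)))
    return hits


if __name__ == "__main__":
    for client, raw, norm in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} requested {raw!r} -> {norm!r}")
```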

Fueled by a proof-of-concept publication in mid-June, this exploit could lead to system compromise or lateral movement within the network. Information disclosures are often used in ‘smash-and-grab’ attacks, in which threat actors access and quickly exfiltrate data to extort victims.

Prevent attackers from using this flaw against your environment by immediately upgrading SolarWinds Serv-U to version 15.4.2 HF2.


Impacts on healthcare organizations:
Threats to healthcare systems continue to jeopardize the availability of patient data, one of the most vital needs in the health and medical industry. Internal threats arise from inappropriate access to sensitive data, while external threats arise from exploitation of vulnerable healthcare information systems. Ensure adequate system protection by correctly installing and configuring equipment and securing the networks that connect these tools.


Affected products / versions:

  • Serv-U FTP Server 15.4
  • Serv-U Gateway 15.4
  • Serv-U MFT Server 15.4


CVEs:

  • CVE-2024-28995


Recommendations:

Engineering recommendations:

  • Update older versions of SolarWinds Serv-U to version 15.4.2 HF2

Leadership / program recommendations:

  • Structure patching programs to allow timely application of security patches

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

