CVE-2024-28995 — SolarWinds Serv-U Path Traversal Vulnerability

SolarWinds Serv-U FTP/MFT — Unauthenticated Path Traversal Enables Arbitrary File Read; Rapid7 PoC Published Within Days

What is SolarWinds Serv-U?

SolarWinds Serv-U is an enterprise file transfer server supporting FTP, FTPS, SFTP, HTTP, and HTTPS protocols. It is widely deployed in enterprise, government, and healthcare environments for managed file transfer (MFT), allowing organizations to securely transfer large files internally and with external partners. Serv-U typically stores sensitive documents, financial records, compliance data, and other regulated information — and it is often accessible from the internet to support external file transfers. Because Serv-U stores high-value data and is internet-facing, it is a recurring target for file theft attacks.

Overview

CVE-2024-28995 is a path traversal vulnerability in SolarWinds Serv-U that allows an unauthenticated remote attacker to read arbitrary files from the host machine's filesystem. The Scope Changed (S:C) rating reflects that the read extends beyond the web application's intended file boundary to the host OS. Rapid7 published a proof-of-concept exploit within days of the advisory; CISA added the vulnerability to the KEV catalog in July 2024, confirming active exploitation against unpatched Serv-U servers.

Affected Versions

Product              Vulnerable                      Fixed
SolarWinds Serv-U    15.4.2 Hotfix 1 and earlier     15.4.2 Hotfix 2

Technical Details

CWE-22 (Path Traversal). Serv-U processes HTTP requests that include file paths for download or directory browsing. A flaw in the server's path normalization logic allows an attacker to include directory traversal sequences (../) that are not properly stripped or canonicalized before the path is used to open a file on disk. By crafting an HTTP request with a traversal sequence that escapes the intended file root, an unauthenticated attacker can read any file that the Serv-U process has permission to access on the host OS.

The practical impact: on Windows-based Serv-U installations, this can expose C:\Windows\System32\config\SAM (password hashes), configuration files containing credentials, private key files, and any sensitive documents staged for transfer. On Linux, /etc/passwd, /etc/shadow, SSH private keys, and database credentials are accessible. The Confidentiality: High rating with Integrity: None and Availability: None reflects that this is a read-only attack — but unauthenticated arbitrary file read on an internet-facing file server is an extremely high-impact primitive.
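To make the normalization flaw concrete, here is an added illustrative example (not Serv-U's code; the product's internals are not described on this page) contrasting a weak strip-once filter with the canonicalize-then-contain pattern that closes a CWE-22 hole. The root directory and request strings are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root; Serv-U's real directory layout is not on this page.
FILE_ROOT = "/srv/files"


def naive_sanitize(requested: str) -> str:
    """Weak filter of the kind that lets traversal through: it strips a literal
    "../" once, so encoded forms pass untouched and "....//" re-forms into "../"."""
    return requested.replace("../", "")


def fully_decode(raw: str) -> str:
    """Percent-decode until stable so %2E%2E and %252E%252E both surface."""
    while (decoded := unquote(raw)) != raw:
        raw = decoded
    return raw


def resolve_within_root(requested: str, root: str = FILE_ROOT) -> Optional[str]:
    """Decode, unify separators, join to the root, canonicalise, and only then
    test containment. Returns the canonical path, or None if it escapes root."""
    root = posixpath.normpath(root)
    decoded = fully_decode(requested).replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath is the containment test; a plain string-prefix compare would
    # wrongly accept "/srv/files_private" as lying under "/srv/files".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("reports/q2/summary.pdf", "reports/../../etc/passwd",
                "%2E%2E%2F%2E%2E%2Fetc%2Fpasswd", "..%252F..%252Fetc%2Fpasswd",
                "....//....//etc/passwd"):
        print(f"{req:34} naive={naive_sanitize(req)!r:22} safe={resolve_within_root(req)!r}")
```

Note that `resolve_within_root` treats "...." as an ordinary (nonexistent) directory name under the root, which is the correct outcome; only the weak filter turns it into a traversal.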

Discovery

Discovered and disclosed by SolarWinds' security team; Rapid7's rapid analysis confirmed the vulnerability's exploitability and published a working proof-of-concept on June 10, 2024 — four days after the advisory. The quick PoC publication significantly accelerated exploitation in the wild.

Exploitation Context

Unauthenticated path traversal on internet-facing file transfer servers is immediately weaponized by opportunistic actors scanning for unpatched instances. SolarWinds Serv-U has a significant enterprise install base, making it a high-yield target. Common exploitation goals include: reading Serv-U's own configuration file (which may contain administrator credentials), harvesting OS credential files (SAM, shadow), and reading documents staged for transfer that contain financial or operational data. The ~6-week gap between the PoC and CISA KEV addition suggests mass scanning and exploitation began quickly after the PoC was published.

Remediation

  1. Upgrade to SolarWinds Serv-U 15.4.2 Hotfix 2 or later immediately — apply the update from the SolarWinds customer portal.
  2. If immediate patching is not possible, restrict Serv-U's internet exposure through firewall rules or a reverse proxy that limits access to authenticated sessions only.
  3. Review Serv-U access logs for traversal-pattern requests (paths containing ../, ..%2F, or %2E%2E) dating back to June 2024 to determine if exploitation occurred prior to patching.
  4. After patching, rotate all credentials stored in Serv-U's configuration and any credentials accessible from the server's filesystem.
  5. Apply the principle of least privilege to the Serv-U service account — it should not have access to OS-level credential stores or system directories beyond its file transfer roots.
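As an added example (not from this page or from SolarWinds), a small scanner that applies step 3 to access-log lines: it percent-decodes each request path until stable and counts ".." segments, so the three patterns listed in step 3 and double-encoded variants are caught while a benign ".." inside a filename is not. The log layout and entries are constructed; Serv-U's real log format is an assumption, not taken from this page.

```python
from urllib.parse import unquote

# Constructed sample lines in an assumed "date time client method path status"
# layout; Serv-U's real access-log format is not described on this page.
SAMPLE_LOG = """\
2024-06-11 02:14:07 203.0.113.5 GET /files/reports/q2.pdf 200
2024-06-11 02:14:09 203.0.113.5 GET /files/../../../../etc/passwd 200
2024-06-11 02:14:10 203.0.113.5 GET /files/..%2F..%2F..%2Fetc%2Fshadow 200
2024-06-11 02:14:12 203.0.113.5 GET /files/%2E%2E/%2E%2E/Windows/win.ini 404
2024-06-11 02:14:13 203.0.113.5 GET /files/..%252F..%252Fetc/passwd 200
2024-06-11 02:15:00 198.51.100.9 GET /files/docs/readme..txt 200
"""

# Indicators from remediation step 3 plus case and backslash variants; used only
# to label findings, because a plain substring grep misses double encoding.
TRAVERSAL_MARKERS = ("../", "..%2F", "..%2f", "%2E%2E", "%2e%2e", "..\\", "..%5C")


def fully_decode(raw: str) -> str:
    """Percent-decode until stable so double-encoded sequences surface too."""
    while (decoded := unquote(raw)) != raw:
        raw = decoded
    return raw


def traversal_depth(path: str) -> int:
    """Number of '..' path segments after decoding; 0 means no traversal.
    A '..' inside a filename (readme..txt) is not a segment and is not counted."""
    decoded = fully_decode(path).replace("\\", "/")
    return sum(1 for seg in decoded.split("/") if seg == "..")


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded path climbs directories."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        _date, _time, client, _method, path, status = fields[:6]
        depth = traversal_depth(path)
        if depth:
            findings.append({
                "client": client, "path": path, "depth": depth, "status": int(status),
                "markers": [m for m in TRAVERSAL_MARKERS if m in path],
                # A 2xx on a traversal path means the server most likely served the file.
                "likely_success": status.startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']:14} depth={f['depth']} served={f['likely_success']} {f['path']}")
```

The double-encoded entry produces an empty `markers` list, which is exactly why the decode-then-count check, not the marker list, should drive the verdict.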

Key Details

Property               Value
CVE ID                 CVE-2024-28995
Vendor / Product       SolarWinds — Serv-U
NVD Published          2024-06-06
NVD Last Modified      2026-02-26
CVSS 3.1 Score         8.6
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity               HIGH
CWE                    CWE-22
CISA KEV Added         2024-07-17
CISA KEV Deadline      2024-08-07
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              None
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2024-08-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-06-05   SolarWinds releases Serv-U 15.4.2 Hotfix 2 patching CVE-2024-28995
2024-06-06   CVE published; SolarWinds security advisory released
2024-06-10   Rapid7 publishes analysis and proof-of-concept exploit
2024-07-17   Added to CISA Known Exploited Vulnerabilities catalog — confirms active exploitation
2024-08-07   CISA BOD 22-01 remediation deadline