Threat actors are leveraging public proof-of-concept (PoC) code in the first attempts to exploit a recently patched SolarWinds Serv-U vulnerability, threat intelligence company GreyNoise reports.
The exploited flaw, tracked as CVE-2024-28995, is a high-severity directory traversal vulnerability that allows attackers to read sensitive files on the host machine.
SolarWinds disclosed the bug on June 6, when it announced that Serv-U 15.4.2 hotfix 1 and previous versions, including Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server, are affected. The flaw was addressed in Serv-U 15.4.2 hotfix 2.
While the vendor did not share further details on CVE-2024-28995, Rapid7 last week published a technical writeup after successfully exploiting the issue on both Windows and Linux, using version 15.4.2.126 of the appliance with all default installation options enabled.
The cybersecurity firm warned that the security defect was trivially exploitable, allowing an unauthenticated attacker to read any file on disk, if the attacker knows the path and the file is not locked.
The cybersecurity firm also warned that the flaw could soon be exploited in the wild, urging SolarWinds customers to update their Serv-U instances to version 15.4.2 Hotfix 2 (15.4.2.157) as soon as possible, as it fully addresses the bug.
Exploitation of CVE-2024-28995, GreyNoise says, started over the weekend, shortly after Rapid7 published details and PoC code targeting it. Another researcher also released a PoC exploit, along with a scanner.
Some of the observed attempts used copies of the publicly available PoC exploits and failed, while others showed persistence and better understanding of the attack method. Most attacks targeted credentials, Serv-U FTP server startup logs, and Windows configuration settings.
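The attempts GreyNoise describes above are arbitrary-file reads via path traversal aimed at well-known targets (credential stores, the Serv-U startup log, Windows configuration files), and copied PoCs that fail still leave the same traversal pattern in request logs. The following is an added example, not code from GreyNoise, Rapid7 or SolarWinds: a small log triage script that percent-decodes request parameters (including double encoding), normalises forward and back slashes, measures how many directory levels a value climbs, and flags requests that also name a sensitive-looking file. The log lines are constructed in Apache combined-log style, the `dir` and `file` parameter names are hypothetical placeholders rather than the real Serv-U parameters, and the addresses are documentation-range IPs.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (Apache combined-log style). The "dir"/"file"
# parameters are hypothetical placeholders, not the real Serv-U parameters.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2024:01:12:03 +0000] "GET /?dir=/../../../../etc&file=passwd HTTP/1.1" 200 1432
203.0.113.5 - - [15/Jun/2024:01:12:09 +0000] "GET /?dir=..%5C..%5C..%5CWindows&file=win.ini HTTP/1.1" 200 403
198.51.100.7 - - [15/Jun/2024:01:13:44 +0000] "GET /?dir=%252e%252e%252f%252e%252e%252fProgramData&file=Serv-U.Startup.log HTTP/1.1" 404 0
192.0.2.9 - - [15/Jun/2024:01:14:02 +0000] "GET /?dir=reports&file=q2.pdf HTTP/1.1" 200 88120
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic substrings that suggest a credential, log or config file target;
# an illustrative list, not one taken from the article.
SENSITIVE_HINTS = ("passwd", "shadow", "win.ini", "startup", "config", ".ini")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e (double-encoded '.') is unwrapped."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_depth(path: str) -> int:
    """Net number of directory levels the path climbs above its start.

    Treats '/' and '\\' as separators; 'a/../../b' climbs one level.
    """
    depth = 0
    lowest = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    return -lowest


@dataclass
class Finding:
    ip: str
    status: int
    raw_target: str
    decoded: str
    climb: int       # highest traversal depth seen in any parameter
    sensitive: bool  # any decoded value names a sensitive-looking file


def analyze_request_line(line: str) -> Optional[Finding]:
    """Parse one access-log line; return a Finding, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(target).query,
                                   keep_blank_values=True)
    climb, sensitive, decoded_parts = 0, False, []
    for key, values in params.items():
        for v in values:
            d = decode_fully(v)  # parse_qs already decoded once
            decoded_parts.append(f"{key}={d}")
            climb = max(climb, traversal_depth(d))
            if any(h in d.lower() for h in SENSITIVE_HINTS):
                sensitive = True
    return Finding(m.group("ip"), int(m.group("status")), target,
                   "&".join(decoded_parts), climb, sensitive)


def scan_log(text: str) -> List[Finding]:
    """Return only requests that climb directories or name a sensitive file."""
    out = []
    for line in text.splitlines():
        f = analyze_request_line(line)
        if f and (f.climb > 0 or f.sensitive):
            out.append(f)
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "read likely succeeded" if f.status == 200 else "attempt failed"
        print(f"{f.ip} climb={f.climb} sensitive={f.sensitive} "
              f"status={f.status} ({verdict}) {f.decoded}")
```

The status code is the useful second signal here: a traversal request answered with 200 and a non-trivial body deserves an incident ticket, whereas a 404 on the same pattern matches the failed copy-and-paste attempts GreyNoise describes, and a run of them from one address with small variations between requests is the hands-on refinement pattern worth watching.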
One of the attackers, likely a Chinese-speaking individual, was seen conducting hands-on-keyboard activities, refining their exploit with each failed attempt, and experimenting with various payloads for four hours, GreyNoise says.