CISA Adds SolarWinds Serv-U Vulnerability CVE-2024-28995 to KEV Catalog
CVE-2024-28995 is a high-severity path traversal vulnerability in SolarWinds Serv-U (versions 15.4.2 HF 1 and prior) that allows unauthenticated remote attackers to read arbitrary files from the host system. The flaw exists in the BuildLocalPath method due to improper validation of the InternalDir and InternalFile parameters, enabling attackers to bypass directory restrictions via crafted GET requests. Given confirmed active exploitation by both automated scanners and manual threat actors, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 17, 2024. Immediate remediation via upgrade to version 15.4.2 HF 2 is required to prevent sensitive system data exfiltration.
-
Vulnerability Analysis: Path Traversal Logic
- The flaw originates from an input validation failure within the
BuildLocalPathfunction used to resolve file requests. - Attackers can manipulate the
InternalDirandInternalFileparameters to traverse outside the intended root directory. - Successful exploitation allows the retrieval of any file on the disk that is not exclusively locked by another process.
- The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
- The flaw originates from an input validation failure within the
-
Exploitation Vectors & Observed Patterns
- Exploitation is performed via unauthenticated GET requests to the server root, making it trivially exploitable.
- Threat intelligence from GreyNoise indicates a mix of automated mass-scanning and "hands-on-keyboard" manual attacks.
- Attackers typically target sensitive configuration files, binary files, and user credentials to facilitate further system compromise.
- Public proof-of-concept (PoC) code and bulk scanners have been released, accelerating the weaponization cycle.
-
Risk Impact & Data Exposure
- The vulnerability enables "smash-and-grab" attacks where adversaries quickly exfiltrate data for extortion or lateral movement.
- High operational risk due to the potential exposure of system-level credentials and internal configuration data.
- CVSS v3.1 scores range from 7.5 to 8.6, reflecting the low attack complexity and lack of required privileges.
- Potential for secondary impacts, including server instability or crashes, depending on the files targeted during traversal.
-
CISA Mandate & Regulatory Requirements
- Inclusion in the KEV catalog mandates that US Federal Government agencies apply patches within strict timelines (per BOD 22-01).
- The KEV designation serves as a high-priority signal for all organizations to prioritize this patch over standard maintenance cycles.
- CISA's action was prompted by reliable evidence of in-the-wild exploitation targeting MFT (Managed File Transfer) solutions.
-
Remediation & Defensive Strategy
- Immediate upgrade to SolarWinds Serv-U 15.4.2 HF 2 is the only definitive fix to eliminate the traversal vector.
- Organizations should deploy IPS signatures, such as those provided by FortiGuard, to detect and block
InternalDirtraversal attempts. - Security teams should audit system logs for unusual GET requests targeting root directories and verify the integrity of sensitive system files.
- Implementing strict network segmentation and limiting the exposure of MFT interfaces can reduce the reachable attack surface.
Related posts
- Cisa
- Wiu
- Cybersecuritynews
- CISA Cybersecurity Advisories — CISA Adds One Known Exploited Vulnerability to Catalog
- feeds.feedburner.com — CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog
- Securityaffairs
- Github
- Scworld
- Bleepingcomputer
- Rapid7
- Kkm-mako
- Securityonline
- Nvd
- Sentinelone
- The Hacker News — CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog
- Threat-modeling
- Sansec
- Tenable
- Fortiguard
- Ionix
- Labs
- Sonicwall
- Cve
- Ncsc
- Tenable
- Sara-open
- Digital
- Github
- Greynoise
- Mondoo
- Windowsforum
- Security Affairs
- Youtube
- Mallory
- Windowsforum
- App
- threat-modeling.com — Vulnerability Intelligence Report — June 8, 2026
- helpnetsecurity.com — CISA: Patch actively exploited SolarWinds Serv-U DoS vulnerability (CVE-2026-28318)
- CISA Cybersecurity Advisories — CISA Adds Three Known Exploited Vulnerabilities to Catalog
- cyberscoop.com — CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector
- SC Media — CISA to reevaluate risk prioritization for critical infrastructure and federal agencies
- Cyberwarrior76
- Cve
- Tenable
- Nvd
- cybersecuritydive.com — CISA gives agencies new vulnerability remediation deadlines that take risk levels into account
- cyberscoop.com — CISA directive orders agencies to prioritize vulnerability patching in a new way
- runzero.com — BOD 26-04: A new era of prioritized remediation
- The Record by Recorded Future — CISA to require federal agencies to patch some cyber vulnerabilities within 3 days
- Cisa
- Afcea
- Doncio
- Blog
- Cisa
- Wiley
- Cisa
- Vistrada
- Adaptiva
- Industrial Cyber — CISA BOD 26-04 directs agencies to prioritize exploited vulnerabilities and assess compromise before patching
- bleepingcomputer.com — CISA tells govt agencies to patch critical exploited flaws in 3 days
- Infosecurity-magazine
- Securityweek
- Nucleussec
- Executivegov
- feeds.feedburner.com — CISA BOD 26-04: Frequently asked questions about the new risk-based patching directive
- Community
- Automox
- Cisa
- Cybersecuritydive
- Resilientcyber
- techjacksolutions.com — CISA Compresses Federal Vulnerability Remediation Window to Three Days Amid AI-Accelerated Threats
- Securityboulevard
- App
- Youtube
- Techtarget
- Psilvas
- Hipaajournal
- Dark Reading — CISA Rewrites Federal Patching Requirements for AI Threat Era
- SC Media — CISA gives agencies 3 days to patch maximum severity Ivanti vulnerability