← Back to Daily Briefing

CVE-2024-28995 is a high-severity path traversal vulnerability in SolarWinds Serv-U (versions 15.4.2 HF 1 and prior) that allows unauthenticated remote attackers to read arbitrary files from the host system. The flaw exists in the BuildLocalPath method due to improper validation of the InternalDir and InternalFile parameters, enabling attackers to bypass directory restrictions via crafted GET requests. Given confirmed active exploitation by both automated scanners and manual threat actors, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 17, 2024. Immediate remediation via upgrade to version 15.4.2 HF 2 is required to prevent sensitive system data exfiltration.

  • Vulnerability Analysis: Path Traversal Logic

    • The flaw originates from an input validation failure within the BuildLocalPath function used to resolve file requests.
    • Attackers can manipulate the InternalDir and InternalFile parameters to traverse outside the intended root directory.
    • Successful exploitation allows the retrieval of any file on the disk that is not exclusively locked by another process.
    • The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
  • Exploitation Vectors & Observed Patterns

    • Exploitation is performed via unauthenticated GET requests to the server root, making it trivially exploitable.
    • Threat intelligence from GreyNoise indicates a mix of automated mass-scanning and "hands-on-keyboard" manual attacks.
    • Attackers typically target sensitive configuration files, binary files, and user credentials to facilitate further system compromise.
    • Public proof-of-concept (PoC) code and bulk scanners have been released, accelerating the weaponization cycle.
  • Risk Impact & Data Exposure

    • The vulnerability enables "smash-and-grab" attacks where adversaries quickly exfiltrate data for extortion or lateral movement.
    • High operational risk due to the potential exposure of system-level credentials and internal configuration data.
    • CVSS v3.1 scores range from 7.5 to 8.6, reflecting the low attack complexity and lack of required privileges.
    • Potential for secondary impacts, including server instability or crashes, depending on the files targeted during traversal.
  • CISA Mandate & Regulatory Requirements

    • Inclusion in the KEV catalog mandates that US Federal Government agencies apply patches within strict timelines (per BOD 22-01).
    • The KEV designation serves as a high-priority signal for all organizations to prioritize this patch over standard maintenance cycles.
    • CISA's action was prompted by reliable evidence of in-the-wild exploitation targeting MFT (Managed File Transfer) solutions.
  • Remediation & Defensive Strategy

    • Immediate upgrade to SolarWinds Serv-U 15.4.2 HF 2 is the only definitive fix to eliminate the traversal vector.
    • Organizations should deploy IPS signatures, such as those provided by FortiGuard, to detect and block InternalDir traversal attempts.
    • Security teams should audit system logs for unusual GET requests targeting root directories and verify the integrity of sensitive system files.
    • Implementing strict network segmentation and limiting the exposure of MFT interfaces can reduce the reachable attack surface.

Related posts

  1. Cisa
  2. Wiu
  3. Cybersecuritynews
  4. CISA Cybersecurity Advisories — CISA Adds One Known Exploited Vulnerability to Catalog
  5. feeds.feedburner.com — CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog
  6. Securityaffairs
  7. Github
  8. Scworld
  9. Bleepingcomputer
  10. Rapid7
  11. Kkm-mako
  12. Securityonline
  13. Nvd
  14. Sentinelone
  15. The Hacker News — CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog
  16. Threat-modeling
  17. Sansec
  18. Tenable
  19. Fortiguard
  20. Ionix
  21. Labs
  22. Sonicwall
  23. Cve
  24. Ncsc
  25. Tenable
  26. Sara-open
  27. Digital
  28. Github
  29. Greynoise
  30. Reddit
  31. Mondoo
  32. Windowsforum
  33. Security Affairs
  34. Youtube
  35. Mallory
  36. Windowsforum
  37. App
  38. threat-modeling.com — Vulnerability Intelligence Report — June 8, 2026
  39. helpnetsecurity.com — CISA: Patch actively exploited SolarWinds Serv-U DoS vulnerability (CVE-2026-28318)
  40. CISA Cybersecurity Advisories — CISA Adds Three Known Exploited Vulnerabilities to Catalog
  41. cyberscoop.com — CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector
  42. SC Media — CISA to reevaluate risk prioritization for critical infrastructure and federal agencies
  43. Cyberwarrior76
  44. Cve
  45. Tenable
  46. Nvd
  47. cybersecuritydive.com — CISA gives agencies new vulnerability remediation deadlines that take risk levels into account
  48. cyberscoop.com — CISA directive orders agencies to prioritize vulnerability patching in a new way
  49. runzero.com — BOD 26-04: A new era of prioritized remediation
  50. The Record by Recorded Future — CISA to require federal agencies to patch some cyber vulnerabilities within 3 days
  51. Cisa
  52. Afcea
  53. Doncio
  54. Blog
  55. Reddit
  56. Cisa
  57. Wiley
  58. Cisa
  59. Vistrada
  60. Adaptiva
  61. Industrial Cyber — CISA BOD 26-04 directs agencies to prioritize exploited vulnerabilities and assess compromise before patching
  62. bleepingcomputer.com — CISA tells govt agencies to patch critical exploited flaws in 3 days
  63. Infosecurity-magazine
  64. Securityweek
  65. Nucleussec
  66. Executivegov
  67. feeds.feedburner.com — CISA BOD 26-04: Frequently asked questions about the new risk-based patching directive
  68. Community
  69. Automox
  70. Cisa
  71. Cybersecuritydive
  72. Resilientcyber
  73. techjacksolutions.com — CISA Compresses Federal Vulnerability Remediation Window to Three Days Amid AI-Accelerated Threats
  74. Securityboulevard
  75. App
  76. Youtube
  77. Techtarget
  78. Psilvas
  79. Hipaajournal
  80. Dark Reading — CISA Rewrites Federal Patching Requirements for AI Threat Era
  81. SC Media — CISA gives agencies 3 days to patch maximum severity Ivanti vulnerability

LINK COPIED TO CLIPBOARD