CVE-2024-28995

Published Jun 6, 2024

Last updated 3 months ago

Exploit knownCVSS high 8.6
web application
Supply chain

Overview

Description
SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
Source
psirt@solarwinds.com
NVD status
Analyzed
Products
serv-u

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
SolarWinds Serv-U Path Traversal Vulnerability
Exploit added on
Jul 17, 2024
Exploit action due
Aug 7, 2024
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@solarwinds.com
CWE-22
nvd@nist.gov
CWE-22

Social media

Hype score
Not currently trending

  1. Actively exploited CVE : CVE-2024-28995

    @transilienceai

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Actively exploited CVE : CVE-2024-28995

    @transilienceai

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. πŸ’₯ CVE-2024-28995 Full RCE POC by Z3RONYX πŸ’€ Exploit from 0 to advanced professional, please subscribe to my YouTube channel https://t.co/5ILUXcnvH8 rootπŸ€ŸπŸ»πŸš€ https://t.co/MPINqC8rsh

    @Z3R0NYX

    26 Jul 2025

    322 Impressions

    0 Retweets

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  4. πŸ”΄ #SolarWinds Serv-U Directory Traversal Vulnerability (#CVE-2024-28995) - Critical - Critical https://t.co/4h0WMb3HMK

    @dailycve

    29 Nov 2024

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Actively exploited CVE : CVE-2024-28995

    @transilienceai

    30 Oct 2024

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerabilityβ€’CVE-2026-41940
  2. Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.β€’CVE-2026-5735
  3. Apache ActiveMQ Improper Input Validation Vulnerabilityβ€’CVE-2026-34197
  4. Fortinet FortiClient EMS Improper Access Control Vulnerabilityβ€’CVE-2026-35616
  5. Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.β€’CVE-2026-2699

References

Sources include official advisories and independent security research.