Serv-U FTP Service Directory Traversal Remote Code Execution Vulnerability

(CVE-2024-45711)

Summary

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated. This is present when software environment variables are abused. Authentication is required for this vulnerability.

Affected Products

Serv-U 15.4.2 and previous versions

Fixed Software Release

Serv-U 15.5

Acknowledgments

Anonymous working with Trend Micro Zero Day Initiative

Advisory Details

Severity

7.5 High

Advisory ID

CVE-2024-45711

First Published

10/16/2024

Last Published

10/16/2024

Fixed Version

Serv-U 15.5

CVSS Score

7.5 CVSS: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H