CVE-2024-45711: 
Serv-U Managed File Transfer Server vulnerability analysis and mitigation

SolarWinds Serv-U versions 15.4.2 and earlier contain a directory traversal vulnerability (CVE-2024-45711) that was disclosed on October 16, 2024. The vulnerability allows for potential remote code execution through the abuse of software environment variables, but requires user authentication to exploit. This security issue affects the Serv-U FTP Service component (SolarWinds Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) by SolarWinds with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, while NIST assigned a higher CVSS score of 8.8. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). The issue specifically involves directory traversal that could lead to remote code execution, with the extent of potential damage dependent on the authenticated user's privilege level (NVD).

If successfully exploited, this vulnerability could allow an authenticated attacker to execute remote code on the affected system, with the potential impact determined by the privileges assigned to the authenticated user. The vulnerability affects the confidentiality, integrity, and availability of the system, as indicated by the high ratings in all three categories in the CVSS score (Rapid7).

SolarWinds has released version 15.5 of Serv-U to address this vulnerability. Organizations are strongly advised to upgrade to this latest version to mitigate the risk. The patch was made available on October 16, 2024, coinciding with the vulnerability's disclosure (SolarWinds Advisory).