On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. Our Labs team - with our brand new deception engineer - seized this opportunity to deploy a new honeypot they've been working on. It's supposed to look more real - and vulnerable! - than past honeypots.

What did they discover?

They show off all kinds of information gleaned from their honeypot - who's attacking it, what files they're trying to steal, how often they come back, and more.

But, that's not all!

They actually managed to capture a live attacker making several copy/paste mistakes, and attempting to correct the exploit only to foul it up again! They track the attacker's progress over the course of 4 hours, including one instance where they sent the completely wrong exploit (which happens to be for an unpatched vulnerability!).

Check out the full blog on GreyNoise Labs to learn more about this vulnerability and our observations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account