
Patch these 4 critical, make-me-root SolarWinds bugs ASAP

If you run SolarWinds’ Serv-U, you should patch promptly. Four critical vulnerabilities in the file transfer software can allow attackers to execute code as root.

The four flaws, all of which earned a 9.1 CVSS rating, include a broken access control vulnerability (CVE-2025-40538), two type confusion bugs (CVE-2025-40540 and CVE-2025-40539), and an Insecure Direct Object Reference (IDOR) issue (CVE-2025-40541), all of which can lead to remote code execution (RCE).

The most serious of the four, CVE-2025-40538, “gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges,” according to the vendor’s security advisory.

Updating to the latest version, Serv-U 15.5.4, patches all four security holes.

In a statement to The Register, SolarWinds said, “We are aware of the reported issues and successfully addressed them as part of the Serv-U 15.5.4 release. We have not observed exploitation. We remain committed to monitoring the situation, working closely with customers and partners to ensure issues are resolved quickly. SolarWinds continues to prioritize the swift resolution of CVEs to ensure the security and integrity of our software.”

The good news is that all four require administrative privileges to abuse, and none of the new CVEs have appeared on the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) catalog of Known Exploited Vulnerabilities – yet. 

However, SolarWinds’ products in general are a long-time favorite target for attackers, and CISA has already added three earlier Serv-U bugs to its KEV catalog, including one known to have been used in ransomware infections.

Plus, criminals frequently abuse file transfer products (such as MOVEit and GoAnywhere) because enterprises use them to store and move large volumes of highly sensitive data, such as financial records and intellectual property, which makes them a high-value target.

We highly recommend updating the software as soon as possible.

Earlier this month, CISA warned that unknown attackers were exploiting a critical SolarWinds Web Help Desk bug, CVE-2025-40551, less than a week after the vendor disclosed and fixed the 9.8-rated flaw. 

A couple of days after America’s lead cyber-defense agency sounded the alarm, Microsoft said it spotted a multi-stage intrusion where attackers exploited internet-exposed SolarWinds WHD instances to gain access to the victim organization, and then moved laterally to other high-value assets. ®
