SolarWinds has released updates to patch four high-severity flaws in its Serv-U file transfer product. If attackers could exploit these issues, they might run arbitrary code remotely and potentially take control of the affected system.
The four vulnerabilities are all rated 9.1 on the CVSS scale and affect SolarWinds Serv-U version 15.5. The specific issues are:
- CVE-2025-40538: An inadequate access-control flaw that could let an attacker create a system administrator account and execute code with root privileges through domain or group admin rights.
- CVE-2025-40539: A type-confusion vulnerability enabling an attacker to run arbitrary native code as root.
- CVE-2025-40540: Another type-confusion flaw that allows arbitrary native code execution at the root level.
- CVE-2025-40541: An insecure direct object reference (IDOR) weakness permitting native code execution with root privileges.
SolarWinds notes that exploitation would require administrator-level access to the system. They also point out that, on Windows installations, these services often run under lower-privilege accounts by default, which moderates the overall risk.
The fixes are included in Serv-U version 15.5.4, which addresses the four flaws reported in version 15.5.
Although SolarWinds has not said these weaknesses have been exploited in real-world attacks, previous flaws in Serv-U have seen active exploitation. Past incidents include CVE-2021-35211, CVE-2021-35247, and CVE-2024-28995, with attackers linked to activity from groups such as Storm-0322 (formerly DEV-0322).