SolarWinds Patches Critical Serv-U Vulnerabilities That Enabled Root Access

  • Feb 25

Key Findings


  • SolarWinds has patched four critical vulnerabilities in its Serv-U file transfer server software.

  • The flaws could allow remote code execution and give attackers full root access on unpatched systems.

  • The vulnerabilities include:

      • CVE-2025-40538: Broken access control flaw allowing creation of an admin user and arbitrary code execution as root

      • CVE-2025-40539 and CVE-2025-40540: Type confusion vulnerabilities enabling arbitrary native code execution as root

      • CVE-2025-40541: Insecure Direct Object Reference (IDOR) vulnerability allowing root-level code execution


Background


Serv-U is a popular file transfer server solution used by organizations to securely manage and exchange large files over networks. The software supports protocols like FTP, FTPS, SFTP, and HTTP/S.


The critical vulnerabilities addressed by SolarWinds could allow remote attackers to compromise the entire server infrastructure if successfully exploited. All four flaws are rated 9.1 out of 10 on the CVSS severity scale.


Technical Details


  • CVE-2025-40538 is a broken access control flaw that could let an attacker with high privileges create a system admin user and execute arbitrary code as root.

  • CVE-2025-40539 and CVE-2025-40540 are type confusion vulnerabilities enabling arbitrary native code execution as root.

  • CVE-2025-40541 is an Insecure Direct Object Reference (IDOR) vulnerability also allowing root-level code execution.


SolarWinds noted that the vulnerabilities require administrative access for successful exploitation. However, the company said that on Windows deployments the Serv-U services often run under less-privileged accounts by default, which makes the flaws a medium security risk there.


Potential Impact


The critical flaws in SolarWinds Serv-U could allow remote, unauthenticated attackers to gain full control over vulnerable server infrastructure if left unpatched. This could enable a wide range of malicious activities, from data theft and system compromise to further network intrusions.


Mitigations


SolarWinds has released version 15.5.4 of Serv-U to address the four critical vulnerabilities. Organizations using Serv-U are advised to apply the updates as soon as possible to mitigate the risk of exploitation.
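
One way to check an asset inventory against the fixed release, shown as an added example that is not from the article or from SolarWinds. The hostnames and the shapes of the recorded version strings are constructed assumptions.

```python
import re

FIXED = (15, 5, 4)  # fixed Serv-U release named in the article

# Constructed inventory: (host, version string as an asset tool recorded it).
# Hostnames and string shapes are made up for this example.
INVENTORY = [
    ("ftp01.example.internal", "15.5.4"),
    ("ftp02.example.internal", "15.5.3.180"),
    ("ftp03.example.internal", "Serv-U 15.4"),
    ("ftp04.example.internal", "15.10.0"),
    ("ftp05.example.internal", "unknown"),
]

_VERSION = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = _VERSION.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def status(text, fixed=FIXED):
    """Classify a recorded version as 'patched', 'needs-update' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # Compare major.minor.patch only, padding short versions with zeros,
    # so '15.4' becomes (15, 4, 0) and a build suffix such as '.180' is ignored.
    # Integer tuples avoid the string-compare trap where '15.10' sorts below '15.5'.
    core = (v + (0, 0, 0))[:3]
    return "patched" if core >= fixed else "needs-update"


def audit(inventory):
    """Map each host to its status; unknowns are kept for manual follow-up."""
    return {host: status(ver) for host, ver in inventory}


if __name__ == "__main__":
    for host, st in audit(INVENTORY).items():
        print(f"{host:28} {st}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed patched.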

