SolarWinds has released security patches addressing three critical remote code execution vulnerabilities in Serv-U that could allow attackers with administrative privileges to execute arbitrary code on affected systems.
The vulnerabilities disclosed in Serv-U version 15.5.3 pose significant risks to organizations that rely on the file transfer software for secure data exchange.
Multiple Pathways to Remote Code Execution
SolarWinds’ three critical vulnerabilities stem from logic errors, broken access controls, and path restriction bypasses within Serv-U’s core functionality.
Attackers exploiting these flaws require administrative access but can leverage them to gain unauthorized code-execution capabilities on the server.
| CVE ID | Vulnerability Title | Description | CVSS Score | Severity |
|---|---|---|---|---|
| CVE-2025-40547 | Logic Abuse – RCE | Logic error allowing malicious actors with admin privileges to execute code | 9.1 | Critical |
| CVE-2025-40548 | Broken Access Control – RCE | Missing validation process enabling code execution for privileged users | 9.1 | Critical |
| CVE-2025-40549 | Path Restriction Bypass | Path bypass vulnerability allowing arbitrary code execution on directories | 9.1 | Critical |
On Windows deployments, CVSS scores are rated as medium severity because services typically run under less-privileged accounts by default. In contrast, Linux systems remain at critical severity levels.
The vulnerabilities highlight a standard attack pattern: abuse of elevated privileges combined with insufficient validation mechanisms.
Organizations running older Serv-U versions face heightened risk, particularly as Serv-U 15.4.1 reached end-of-life on December 16, 2024, with 15.4.2 and 15.5 following suit in mid-2025 and 2026, respectively.
SolarWinds recommends immediate patching to Serv-U 15.5.3 or later. The updated release includes multiple security enhancements beyond CVE fixes, including support for ED25519 public key authentication.
Enhanced IP blocking functionality for file share guests, and account lockout mechanisms to prevent brute-force attacks.
Additional security improvements in version 15.5.3 include X-Forwarded-For protection against IP spoofing and mandatory minimum password length requirements.
HTTP Strict Transport Security (HSTS) enablement, file upload size limits, and upgraded Angular framework to version 19. These layered defenses provide defense-in-depth protection against exploitation attempts.
SolarWinds, unable to immediately upgrade, should prioritize restricting administrative access. Implementing network segmentation and deploying intrusion detection signatures for Serv-U traffic patterns.
Continuous monitoring of authentication logs for suspicious administrative activities remains critical during the transition period.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
