Critical SolarWinds Serv-U Flaws Allow Remote Admin-Level Code Execution

SolarWinds has released an urgent security update for its Serv-U file transfer software, patching three critical vulnerabilities that could enable attackers with administrative access to execute remote code on affected systems.

The flaws, all rated 9.1 on the CVSS severity scale, were addressed in Serv-U version 15.5.3, released on November 18, 2025.

Three Critical Remote Code Execution Vulnerabilities Discovered

The security update addresses three distinct but equally dangerous vulnerabilities. Each flaw requires administrative privileges to exploit, but once an administrative account is compromised, they give attackers powerful capabilities to execute arbitrary code on vulnerable servers.

| CVE-ID | Vulnerability Type | CVSS Score | Exploit Prerequisites |
|---|---|---|---|
| CVE-2025-40547 | Logic Abuse – Remote Code Execution | 9.1 Critical | Administrative privileges required |
| CVE-2025-40548 | Broken Access Control – Remote Code Execution | 9.1 Critical | Administrative privileges required |
| CVE-2025-40549 | Path Restriction Bypass | 9.1 Critical | Administrative privileges required |

The first vulnerability, tracked as CVE-2025-40547, involves a logic error that allows malicious actors with admin privileges to execute code remotely.

The second flaw, CVE-2025-40548, stems from a broken access control mechanism where missing validation processes create opportunities for code execution.

The third vulnerability, CVE-2025-40549, enables path-restriction bypass attacks, allowing attackers to execute code on specific directories.

Security researcher Maurice Moss discovered and responsibly disclosed these vulnerabilities to SolarWinds, allowing the company time to develop and release patches before public disclosure.

SolarWinds thanked Moss for working collaboratively with their security, product, and engineering teams to resolve the issues.

While these vulnerabilities require administrative credentials to exploit, security experts warn that their severity should not be underestimated.

Compromised administrator accounts remain a common attack vector in enterprise environments.

Once attackers gain admin access through phishing, credential theft, or other methods, these vulnerabilities provide direct pathways to system compromise.

On Windows deployments, SolarWinds notes that the risk is reduced because services typically run under less-privileged service accounts by default.

However, organizations should not rely solely on this configuration as a protective measure.

Beyond patching the critical vulnerabilities, Serv-U version 15.5.3 introduces several essential security enhancements.

The update implements account lockout mechanisms to prevent brute-force attacks and limits concurrent connections from a single IP address to mitigate server overload.

Additional improvements include protection against IP spoofing through X-Forwarded-For validation, minimum password length requirements, file upload size limits to prevent resource exhaustion, and HTTP Strict Transport Security enablement.

The IP block functionality has been extended to File share guest authentication, providing better protection against password attacks.
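The lockout, per-IP connection limit and X-Forwarded-For handling described above hinge on one detail: the server must key those controls on a client address it can trust. The following is an added illustration, not Serv-U's code; the limits and the trusted-proxy set are assumed values. It honours X-Forwarded-For only when the TCP peer is a configured reverse proxy, so an unauthenticated client cannot spoof its way past per-IP limits by sending the header itself.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

# Assumed policy values for the example (hypothetical, not Serv-U defaults).
MAX_FAILURES = 5
MAX_CONN_PER_IP = 3


def effective_client_ip(peer_ip: str, xff: Optional[str], trusted_proxies: set) -> str:
    """Return the address that rate limits and IP blocks should be keyed on.

    X-Forwarded-For is honoured only when the TCP peer is a configured proxy;
    otherwise the header is client-controlled and ignored. The header is walked
    right to left, skipping trusted hops, to find the first untrusted address.
    """
    if peer_ip not in trusted_proxies or not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the proxy's address
        if hop not in trusted_proxies:
            return hop
    return peer_ip  # every hop was a trusted proxy


class LoginGuard:
    """Per-account lockout plus a per-IP concurrent-connection cap."""

    def __init__(self) -> None:
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked = set()                # accounts locked after MAX_FAILURES
        self.connections = defaultdict(int)  # client ip -> open connections

    def open_connection(self, ip: str) -> bool:
        if self.connections[ip] >= MAX_CONN_PER_IP:
            return False  # refuse: this address already holds the maximum
        self.connections[ip] += 1
        return True

    def close_connection(self, ip: str) -> None:
        self.connections[ip] = max(0, self.connections[ip] - 1)

    def record_login(self, account: str, ok: bool) -> bool:
        """Return True only if the attempt succeeded and the account is not locked."""
        if account in self.locked:
            return False
        if ok:
            self.failures[account] = 0
            return True
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
        return False
```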

Organizations running SolarWinds Serv-U should immediately upgrade to version 15.5.3 or later.

The update is available on the SolarWinds website and in the Customer Portal. Administrators should also review access logs for suspicious activity and ensure admin accounts follow least-privilege principles.

SolarWinds has announced end-of-life schedules for older versions, with version 15.5 reaching end-of-engineering on October 8, 2025, and end-of-life on October 8, 2026.

Users on older versions face increasing security risks and should prioritize migration to supported releases.
