SolarWinds has released a critical security update for its Serv-U file transfer software, patching four vulnerabilities that could allow attackers to execute arbitrary code with root-level privileges on affected servers.
All four flaws carry a CVSS score of 9.1, placing them squarely in the Critical severity tier, and were resolved in Serv-U version 15.5.4 released on February 24, 2026.
Serv-U is a widely deployed file transfer server that lets organizations exchange files over FTP, FTPS, SFTP, and HTTP/S; businesses use it to manage data transfers between internal teams and external partners.
Its broad deployment in enterprise environments makes it a high-value target for threat actors seeking access to sensitive organizational data.
Vulnerability Breakdown
The most severe of the four flaws, CVE-2025-40538, is a broken access control vulnerability that allows an attacker operating with domain admin or group admin privileges to create a system administrator account and then execute arbitrary code as root.
This authorization bypass in Serv-U’s management logic provides an immediate escalation path to full administrative control over the affected system.
The remaining three flaws also end in root-level code execution. CVE-2025-40539 and CVE-2025-40540 are type confusion vulnerabilities in Serv-U's native code, each of which lets an attacker execute arbitrary native code as root by way of a memory-safety failure.
CVE-2025-40541 is an Insecure Direct Object Reference (IDOR) flaw that likewise enables root-level native code execution when exploited.
SolarWinds noted that exploiting any of the four requires an authenticated administrative account, so these are post-authentication privilege escalation bugs rather than unauthenticated entry points. The root-level impact applies where the Serv-U service runs as root; on Windows deployments the vendor rates the risk as medium, since the Serv-U services frequently run under less-privileged service accounts by default and code execution is bounded by that account's rights.
| CVE ID | Vulnerability Type | Description | CVSS Score | Severity |
|---|---|---|---|---|
| CVE-2025-40538 | Broken Access Control RCE | Allows attacker to create a system admin user and execute arbitrary code as root via domain/group admin privileges | 9.1 | Critical |
| CVE-2025-40539 | Type Confusion RCE | Allows attacker to execute arbitrary native code as root | 9.1 | Critical |
| CVE-2025-40540 | Type Confusion RCE | Allows attacker to execute arbitrary native code as root | 9.1 | Critical |
| CVE-2025-40541 | IDOR RCE | Allows attacker to execute native code as root | 9.1 | Critical |
While SolarWinds has not confirmed active exploitation of these four vulnerabilities, the software’s exploitation history demands immediate attention.
Prior Serv-U flaws including CVE-2021-35211 and CVE-2024-28995 were actively exploited by threat actors, notably the China-based group tracked as Storm-0322 (formerly DEV-0322), which deployed zero-day exploits targeting U.S. defense and software companies.
In June 2024, CVE-2024-28995, a path traversal flaw, was weaponized with publicly available proof-of-concept exploits within days of disclosure.
SolarWinds has addressed all four vulnerabilities in Serv-U 15.5.4. Organizations running any version of Serv-U 15.5 or earlier are urged to upgrade immediately.
Versions 15.5.1 and below have already reached End-of-Engineering as of February 18, 2026, meaning no further security patches will be issued for those releases.
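The upgrade guidance above boils down to a version comparison, and a common mistake when triaging a fleet is comparing version strings lexically, which makes "15.5.10" sort below "15.5.4". The following script is an added example written for this article, not SolarWinds tooling: it parses version strings (either bare or pulled from an FTP greeting) into numeric tuples and classifies each host against the 15.5.4 fix and the 15.5.1 End-of-Engineering cutoff. The FTP banner format it matches ("Serv-U FTP Server vX.Y.Z") is an assumption about how Serv-U typically identifies itself, and the host inventory is constructed sample data; banners can be customised or suppressed, so treat a banner match as a hint and confirm the installed version on the server itself.

```python
import re

# Boundaries taken from the advisory: the fix shipped in 15.5.4, and
# 15.5.1 and below reached End-of-Engineering on February 18, 2026.
PATCHED = (15, 5, 4)
END_OF_ENGINEERING = (15, 5, 1)

# Assumed greeting format, modelled on a typical Serv-U FTP banner.
# Verify it against your own hosts before relying on it.
BANNER_RE = re.compile(r"Serv-U FTP Server v(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_version(text):
    """Return a three-part numeric tuple such as (15, 5, 4).

    Accepts either a bare version string ("15.5.2") or a banner line that
    contains one. Numeric tuples compare correctly, unlike raw strings
    where "15.5.10" < "15.5.4". Missing components pad with zero, so
    "15.5" becomes (15, 5, 0); a fourth build component is ignored.
    """
    match = BANNER_RE.search(text)
    raw = match.group(1) if match else text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", raw):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in raw.split("."))
    return (parts + (0, 0, 0))[:3]


def classify(text):
    """Map a version or banner string to an upgrade status."""
    version = parse_version(text)
    if version >= PATCHED:
        return "patched"
    if version <= END_OF_ENGINEERING:
        # Unpatched and out of engineering support: no fix will come
        # for this branch, so upgrading is the only remediation.
        return "vulnerable-unsupported"
    return "vulnerable-upgrade"


def triage(inventory):
    """inventory: mapping of host -> version/banner string.

    Returns host -> status, with "unknown" for strings that do not parse
    (for example a customised banner) so they can be checked by hand.
    """
    results = {}
    for host, text in inventory.items():
        try:
            results[host] = classify(text)
        except ValueError:
            results[host] = "unknown"
    return results


# Constructed sample inventory; these are not real hosts or captured banners.
SAMPLE = {
    "ftp-a.example.internal": "220 Serv-U FTP Server v15.5.4 ready...",
    "ftp-b.example.internal": "220 Serv-U FTP Server v15.5.2 ready...",
    "ftp-c.example.internal": "15.5",
    "ftp-d.example.internal": "15.5.1",
    "ftp-e.example.internal": "220 Welcome",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:28} {status}")
```

A host reported as "vulnerable-upgrade" is on a supported 15.5.x build and only needs the 15.5.4 update; "vulnerable-unsupported" hosts are on a branch that will receive no further patches and should be prioritised, since they cannot be remediated in place.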