An urgent security update has been released for the Serv-U file server software to fix multiple critical vulnerabilities that could allow attackers to fully compromise affected systems.
The latest release, Serv-U version 15.5.4, addresses four high-severity security flaws, each with a CVSS score of 9.1.
These vulnerabilities are especially dangerous because they enable remote code execution, granting attackers the highest level of administrative control over the targeted infrastructure.
Cybersecurity teams and system administrators are strongly urged to review the release notes and apply the updates immediately to prevent potential exploitation.
Serb-U Vulnerabilities Enable Root Access
The newly disclosed security flaws deeply affect the core functionality of the Serv-U application, enabling arbitrary native code execution with root privileges.
Among the most severe issues is a broken access control vulnerability that permits attackers with domain or group admin privileges to create a system admin user.
| CVE | CVSS | Affected Component | Affected Versions | Impact |
|---|---|---|---|---|
| CVE-2025-40538 | 9.1 (Critical) | Serv-U Core (Access Control) | Serv-U (unpatched versions) | Admin creation and root code execution. |
| CVE-2025-40539 | 9.1 (Critical) | Serv-U Web Interface | Serv-U (unpatched versions) | Type confusion enables root code execution. |
| CVE-2025-40540 | 9.1 (Critical) | Serv-U Web Interface | Serv-U (unpatched versions) | Type confusion enables root code execution. |
| CVE-2025-40541 | 9.1 (Critical) | Serv-U API / Object Handling | Serv-U (unpatched versions) | IDOR flaw allows root code execution. |
Once this unauthorized system-admin account is established, the attacker can execute malicious commands with root privileges.
Additionally, the software suffers from two distinct type confusion vulnerabilities. These memory corruption flaws provide a direct pathway for an attacker to run unauthorized native code as root.
Furthermore, the update addresses an Insecure Direct Object Reference vulnerability.
This specific flaw allows attackers to bypass authorization mechanisms by directly accessing internal objects, which, in turn, results in remote code execution with root privileges.
Because these vulnerabilities provide complete system control, threat actors could use them to deploy ransomware, steal sensitive enterprise data, or establish persistent backdoors within corporate networks.
SolarWinds has credited security researchers for responsibly disclosing these issues and working alongside their engineering teams to develop effective patches.
Product Enhancements and Update Recommendations
Alongside these critical security patches, Serv-U version 15.5.4 introduces several functional improvements and platform support updates.
The application now officially supports Ubuntu 24.04 LTS, expanding its deployment flexibility in enterprise environments.
SolarWinds has also reintroduced the download history feature in File Share, aligning it with the legacy web client capabilities. Additionally, the file share interface now includes a precise time display next to the last modified date.
To further harden the application against modern web threats, SolarWinds implemented strict content security policy configurations.
The legacy login page now utilizes specific directives to prevent the application from being maliciously embedded in other websites, neutralizing potential clickjacking attacks.
Administrators using previous versions of Serv-U should consult the end-of-life schedule, as earlier versions, such as 15.5.1, reached the end of engineering support by February 18, 2026.
Organizations must download the latest installation files from the customer portal to ensure their infrastructure remains secure against these critical remote code execution threats.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
