SolarWinds Serv-U hit by four critical RCE-level vulnerabilities


SolarWinds has fixed four critical vulnerabilities in its popular Serv-U file transfer solution, which is used by businesses and organizations of all sizes.

If exploited, the flaws may allow attackers to create a system admin user and/or execute code as a privileged account.

The SolarWinds Serv-U vulnerabilities

SolarWinds Serv-U runs on Windows or Linux and lets users securely transfer files between computers or systems using standard protocols like FTP, FTPS, SFTP, HTTP, and HTTPS. It is mainly used by organizations and IT teams that need controlled, secure ways to exchange files internally or externally.

SolarWinds Serv-U comes in two “flavors”: the (more basic) FTP Server edition and the Managed File Transfer (MFT) edition (with enterprise features).

The four fixed vulnerabilities, all rated “critical”, are:

  • CVE-2025-40538: Broken access control flaw that “gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges”.
  • CVE-2025-40539 and CVE-2025-40540: Type confusion bugs that allow attackers to execute arbitrary native code as a privileged account (root).
  • CVE-2025-40541: An Insecure Direct Object Reference bug that could lead to arbitrary code execution as root.

These vulnerabilities can be exploited remotely, in low-complexity attacks, with no user interaction required. But in all four cases, the attacker must already hold high-level access to the Serv-U deployment (e.g. domain admin or group admin privileges) before they can be exploited.

As Orca researchers noted, “in real-world scenarios where administrative credentials are compromised — through phishing, password reuse, or credential spraying — they significantly increase the impact of that compromise.”

SolarWinds says that all four vulnerabilities are less critical on Windows deployments, “because services frequently run under less-privileged service accounts by default.”

Upgrade ASAP!

There is currently no indication of in-the-wild exploitation of these flaws but, like many other file-transfer server solutions, Serv-U is an attractive target for attackers, and vulnerabilities in it – including zero-days – have been exploited in the past.

Organizations that use Serv-U are urged to upgrade to v15.5.4 as soon as possible.
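As an added defender-side example that is not part of this article or of any SolarWinds tooling, the script below reads a constructed inventory of hosts and the Serv-U version each reports and flags every host still below v15.5.4, the release the advisory points to. It assumes Serv-U versions are dotted numerics such as 15.5.4 and that the inventory carries one host and version per line; hosts whose version cannot be parsed are reported separately rather than silently counted as patched.

```python
"""Flag Serv-U hosts whose reported version is below the fixed release.

Added example, not part of the article. Assumes an inventory where each line
is "<host> <version>" and Serv-U versions are dotted numerics like 15.5.4.
"""

FIXED_VERSION = "15.5.4"  # release the article says to upgrade to


def parse_version(text):
    """Turn '15.5.4' into (15, 5, 4) for numeric comparison.

    Raises ValueError for anything that is not dotted integers, so callers
    cannot accidentally treat an unknown version as a patched one.
    """
    return tuple(int(part) for part in text.strip().split("."))


def needs_upgrade(version, fixed=FIXED_VERSION):
    """True when a dotted version sorts before the fixed release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so "15.5" compares like "15.5.0".
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


def find_unpatched(inventory_text):
    """Return (unpatched, unknown) lists of (host, version) tuples.

    Blank lines and '#' comments are skipped; entries whose version does not
    parse go into `unknown` so they get a manual check instead of a pass.
    """
    unpatched, unknown = [], []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(" ")
        try:
            if needs_upgrade(version):
                unpatched.append((host, version))
        except ValueError:
            unknown.append((host, version))
    return unpatched, unknown


# Constructed sample inventory: hypothetical hosts and versions, not real data.
SAMPLE_INVENTORY = """\
# host version
mft-01.example.internal 15.4.2
mft-02.example.internal 15.5.4
ftp-legacy.example.internal 15.5
ftp-dev.example.internal unknown
"""

if __name__ == "__main__":
    bad, unclear = find_unpatched(SAMPLE_INVENTORY)
    for host, ver in bad:
        print(f"UPGRADE {host}: running {ver}, fixed in {FIXED_VERSION}")
    for host, ver in unclear:
        print(f"CHECK   {host}: could not parse version {ver!r}")
```

Run against the constructed inventory it flags the 15.4.2 and bare 15.5 hosts for upgrade and lists the host with an unparsable version for manual follow-up; swapping in a real export of host/version pairs is the only change needed.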
