SolarWinds Fixes Four Critical Serv-U 15.5 Vulnerabilities Enabling Root Code Execution

SolarWinds has issued urgent security updates to resolve four critical vulnerabilities in its Serv-U file transfer platform. If exploited, these flaws could allow attackers to execute arbitrary code with root-level privileges, creating severe security exposure for affected systems.

All four vulnerabilities carry a CVSS score of 9.1, placing them in the critical severity category.

Breakdown of the Critical Vulnerabilities

The newly patched issues are identified as follows:

  • CVE-2025-40538
    A broken access control weakness that could allow an attacker to create a system administrator account and execute arbitrary code as root by abusing domain admin or group admin privileges.
  • CVE-2025-40539
    A type confusion vulnerability that may enable execution of arbitrary native code with root permissions.
  • CVE-2025-40540
    Another type confusion issue that could similarly result in root-level native code execution.
  • CVE-2025-40541
    An insecure direct object reference (IDOR) vulnerability allowing execution of native code as root.

These flaws impact SolarWinds Serv-U version 15.5 and have been addressed in version 15.5.4.
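The affected-versus-fixed boundary stated above (15.5 affected, 15.5.4 fixed) lends itself to a small inventory check. The following Python script is an added example, not SolarWinds code; the host names and version strings are constructed sample data, and it treats only the 15.5 branch as covered by the advisory, reporting other branches as "not covered" rather than guessing.

```python
# Added example: triage a Serv-U inventory against the fixed version 15.5.4.
# Only 15.5.0 through 15.5.3 are treated as affected, per the advisory summary;
# other branches are reported as "not_covered" rather than guessed.

from typing import Optional

FIXED = (15, 5, 4)
AFFECTED_BRANCH = (15, 5)

# Constructed sample inventory: "host,reported_version" per line
SAMPLE_INVENTORY = """\
ftp-01.example.test,15.5
ftp-02.example.test,15.5.3
ftp-03.example.test,15.5.4
ftp-04.example.test,15.4.2
ftp-05.example.test,unknown
"""

def parse_version(text: str) -> Optional[tuple]:
    """Turn '15.5' or '15.5.3' into a 3-tuple; None if unparsable."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts][:3]
    while len(nums) < 3:          # a bare '15.5' is treated as 15.5.0
        nums.append(0)
    return tuple(nums)

def classify(version: Optional[tuple]) -> str:
    """Return 'affected', 'patched', 'not_covered' or 'unknown'."""
    if version is None:
        return "unknown"
    if version[:2] != AFFECTED_BRANCH:
        return "not_covered"      # advisory only speaks to the 15.5 branch
    return "affected" if version < FIXED else "patched"

def triage(inventory: str) -> dict:
    """Map each host in 'host,version' lines to its patch status."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.partition(",")
        results[host.strip()] = classify(parse_version(ver))
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```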

Exploitation Requirements and Risk Assessment

SolarWinds clarified that administrative privileges are required to successfully exploit these vulnerabilities. This requirement somewhat limits exposure, but systems with compromised admin credentials remain at high risk.

The company also noted that Windows deployments face a comparatively moderate security risk because Serv-U services often operate under lower-privileged service accounts by default. Even so, environments where elevated privileges are granted could experience severe impact.

Historical Exploitation Concerns

Although SolarWinds has not confirmed active exploitation of these newly patched flaws, the Serv-U product line has previously been targeted.

Past vulnerabilities, including CVE-2021-35211, CVE-2021-35247, and CVE-2024-28995, were abused in real-world attacks. Some of those campaigns were attributed to a China-linked threat actor known as Storm-0322, previously tracked under a different designation.

Given this history, organizations are advised to treat the current patches as a high priority update.
