SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution
Source: The Hacker News
SolarWinds has released updates to address four critical security flaws in its Serv‑U file transfer software that could result in remote code execution if successfully exploited.

Vulnerabilities (CVSS 9.1)
| CVE | Description |
|---|---|
| CVE-2025-40538 | Broken access control – allows an attacker with domain admin or group admin privileges to create a system admin user and execute arbitrary code as root. |
| CVE-2025-40539 | Type confusion – enables execution of arbitrary native code as root. |
| CVE-2025-40540 | Type confusion – enables execution of arbitrary native code as root. |
| CVE-2025-40541 | Insecure Direct Object Reference (IDOR) – allows execution of native code as root. |

SolarWinds notes that successful exploitation requires administrative privileges. The company also classifies the risk as medium for typical Windows deployments because the Serv‑U services usually run under less‑privileged service accounts by default.

Patch Information
- Affected version: Serv‑U 15.5
- Fixed in: Serv‑U 15.5.4
The update addresses all four vulnerabilities listed above.

Historical Context
Previous Serv‑U flaws have been observed in the wild:
These were exploited by malicious actors, including a China‑based group tracked as Storm‑0322 (formerly DEV‑0322). While SolarWinds has not reported active exploitation of the newly disclosed flaws, the history underscores the importance of applying the patch promptly.