SolarWinds has issued critical security patches for four vulnerabilities within its Serv-U file transfer software that could allow for remote code execution. These flaws affect version 15.5 and require immediate updates to version 15.5.4 to prevent potential unauthorized root access by attackers.
SolarWinds recently disclosed and patched four significant security vulnerabilities in its Serv-U file transfer software, all of which received a high severity rating of 9.1 on the CVSS scale. These flaws, identified as CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, and CVE-2025-40541, present a serious risk of remote code execution if left unaddressed. The company has urged users to update to version 15.5.4 to mitigate these risks effectively across their environments.
The vulnerabilities involve various technical failures, including broken access control, type confusion, and insecure direct object references. Specifically, CVE-2025-40538 could allow an attacker to bypass existing security measures to create a system administrator account, while the other three flaws involve memory or object handling errors that enable the execution of native code. In all instances, a successful exploit could grant an attacker root-level privileges over the impacted system.
Despite the high severity rating, SolarWinds pointed out that successful exploitation generally requires the attacker to already possess administrative privileges. Furthermore, the risk is considered medium for many Windows-based deployments because the Serv-U services are often configured to run under accounts with limited permissions by default. This layered security approach may prevent an attacker from gaining full control of the underlying operating system even if the software itself is compromised.
While there are currently no reports of these specific vulnerabilities being used in active cyberattacks, the history of Serv-U suggests that threat actors are often quick to target the platform. Previous security gaps in the software have been leveraged by sophisticated groups, including the China-linked collective known as Storm-0322. Because of this track record, security professionals view these new disclosures as a high priority for remediation before malicious actors can develop functional exploits.
Administrators running Serv-U version 15.5 are encouraged to transition to the 15.5.4 release as soon as possible to close these security gaps. By applying these updates, organizations can ensure that their file transfer infrastructure remains protected against the possibility of unauthorized administrative access and arbitrary code execution. Maintaining up-to-date software remains the primary defense against the evolving tactics of advanced persistent threat groups.
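A triage sketch for the version guidance and the Windows service-account caveat described above; it is an added example, not SolarWinds tooling or code from the source article. The inventory fields, host names, privileged-account list and rating labels are assumptions made for illustration.

```python
import re

AFFECTED_BRANCH = (15, 5)   # article: the flaws affect Serv-U 15.5
FIXED = (15, 5, 4)          # article: fixed in 15.5.4
# Assumption: these Windows service identities count as fully privileged.
PRIVILEGED_WIN = {"localsystem", "system", "nt authority\\system"}
ORDER = ["critical", "medium", "review", "unknown", "patched"]

def parse_version(text):
    """First three numeric components as a tuple, zero-padded; None if unparseable."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def triage(host):
    ver = parse_version(host.get("version"))
    if ver is None:
        return "unknown"    # cannot prove the host is patched
    if ver >= FIXED:
        return "patched"    # assumes later releases keep the fix
    if ver[:2] != AFFECTED_BRANCH:
        return "review"     # article gives no status for older branches
    account = (host.get("service_account") or "").strip().lower()
    limited = bool(account) and account not in PRIVILEGED_WIN
    if (host.get("os") or "").lower() == "windows" and limited:
        return "medium"     # reduced rating: service runs with limited rights
    return "critical"       # 9.1: code execution with full privileges

def report(inventory):
    """Hosts sorted so the most urgent remediation comes first."""
    rows = [(triage(h), h["name"]) for h in inventory]
    return sorted(rows, key=lambda r: (ORDER.index(r[0]), r[1]))

# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = [
    {"name": "ft-01", "version": "15.5.2", "os": "linux", "service_account": "root"},
    {"name": "ft-02", "version": "15.5.3", "os": "windows",
     "service_account": "NT AUTHORITY\\LocalService"},
    {"name": "ft-03", "version": "15.5.1", "os": "windows", "service_account": "LocalSystem"},
    {"name": "ft-04", "version": "15.5.4", "os": "linux", "service_account": "servu"},
    {"name": "ft-05", "version": "15.4.2", "os": "windows", "service_account": "LocalSystem"},
    {"name": "ft-06", "version": "unknown", "os": "windows", "service_account": ""},
]

if __name__ == "__main__":
    for level, name in report(INVENTORY):
        print(f"{level:9} {name}")
```

A Windows host with an empty or unrecorded service account is rated critical rather than medium, so missing inventory data never lowers a host's priority.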
Source: SolarWinds Fixes Four Critical Serv-U 15.5 Flaws Enabling Root Code Execution



