
SolarWinds has released an update that addresses four critical security flaws in its Serv-U file transfer software. Exploitation of these vulnerabilities could result in remote code execution.
All four vulnerabilities carry a CVSS score of 9.1 and are listed below.
CVE-2025-40538 – Broken access control vulnerability allows an attacker with domain administrator or group administrator privileges to create a system administrator user and execute arbitrary code as root.
CVE-2025-40539 – Type confusion vulnerability allows attackers to execute arbitrary native code as root.
CVE-2025-40540 – Type confusion vulnerability allows attackers to execute arbitrary native code as root.
CVE-2025-40541 – Insecure Direct Object Reference (IDOR) vulnerability allows attackers to execute native code as root.
SolarWinds noted that administrator privileges are required to exploit these vulnerabilities. It also said Windows deployments face a moderate security risk because these services “often run under low-privileged service accounts by default.”
The four flaws affect SolarWinds Serv-U version 15.5 and are resolved in SolarWinds Serv-U version 15.5.4.
Although SolarWinds did not mention any security flaws being exploited in the wild, previous vulnerabilities in the software (CVE-2021-35211, CVE-2021-35247, and CVE-2024-28995) have been exploited by malicious actors, including the China-based hacking group tracked as Storm-0322 (formerly DEV-0322).
