Solarwinds Serv-U: Update patches four critical security vulnerabilities
Solarwinds patches four critical security vulnerabilities with the current Serv-U update. Attackers can compromise affected systems.
(Image: heise online / dmk)
Solarwinds has released an updated version of its Serv-U file transfer software. It closes four security vulnerabilities that the vendor rates as critical. Administrators should update their instances promptly.
The release notes for Serv-U 15.5.4 describe the fixed vulnerabilities. Because of "broken access controls," an attacker who already holds domain admin or group admin rights can create a system admin user and then execute arbitrary code as "root" (CVE-2025-40538, CVSS 9.1, risk "critical"). Two further flaws are type confusions that allow native code execution from the network as "root" (CVE-2025-40539 and CVE-2025-40540, both CVSS 9.1, risk "critical"). In a type confusion, the program interprets a piece of memory as a different type than the one that was actually stored there, for example when a handle or pointer is cast without checking what kind of object it really refers to. Fields of the two types then overlap, so a value the attacker controls in one object may be read as a length, an offset or a function pointer in the other, which can lead to out-of-bounds writes and ultimately code execution.
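To make the mechanism concrete, the following C program is a generic illustration of a handle-based type confusion and of the tag check that prevents it. It is an added example, not Serv-U code: the advisory says nothing about Serv-U's internals, and the object kinds, field names, handle table and sample values below are all hypothetical and constructed for the demonstration.

```c
/* Generic type-confusion illustration (constructed example, not Serv-U code).
 * A server keeps heterogeneous objects in one handle table. A "read file"
 * command looks a handle up and treats the result as a file object. If the
 * handler does not verify the object's kind, a client can pass a *session*
 * handle instead, and the session's client-chosen uid is read as the file's
 * "remaining bytes" field because both sit at the same offset. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum obj_kind { KIND_SESSION = 1, KIND_FILE = 2 };

struct obj_hdr { uint32_t kind; uint32_t id; };

/* A logged-in session. `uid` comes from the login request, so the client influences it. */
struct session_obj { struct obj_hdr h; uint32_t uid; uint32_t flags; char name[24]; };

/* An open file. `remaining` bounds how many bytes the next read may copy. */
struct file_obj { struct obj_hdr h; uint32_t remaining; uint32_t offset; char path[24]; };

/* All kinds share one storage slot; `uid` and `remaining` overlap at offset 8. */
union obj { struct obj_hdr h; struct session_obj s; struct file_obj f; };

#define MAX_OBJS 8
static union obj table[MAX_OBJS];

/* Handle -> object. Deliberately kind-agnostic: callers must check the tag. */
static union obj *lookup(uint32_t handle) {
    return handle < MAX_OBJS ? &table[handle] : NULL;
}

/* Constructed state: handle 0 is a session whose uid the client set to 0x10000,
 * handle 1 is a file with 16 bytes left to read. */
void setup_table(void) {
    memset(table, 0, sizeof table);
    table[0].s.h.kind = KIND_SESSION;
    table[0].s.h.id = 0;
    table[0].s.uid = 0x10000u;               /* attacker-influenced value */
    strcpy(table[0].s.name, "alice");
    table[1].f.h.kind = KIND_FILE;
    table[1].f.h.id = 1;
    table[1].f.remaining = 16;
    strcpy(table[1].f.path, "/srv/pub/readme");
}

/* VULNERABLE: assumes the handle names a file and never looks at h.kind.
 * For a session handle this returns the uid, i.e. an attacker-chosen length. */
uint32_t file_read_len_vuln(uint32_t handle) {
    union obj *o = lookup(handle);
    if (!o) return 0;
    return o->f.remaining;                   /* type confusion: no tag check */
}

/* HARDENED: verify the object's kind before interpreting it as a file.
 * Returns the length, or -1 for an unknown handle or a non-file object. */
long file_read_len_safe(uint32_t handle) {
    union obj *o = lookup(handle);
    if (!o || o->h.kind != KIND_FILE) return -1;
    return (long)o->f.remaining;
}

/* Shows what an unchecked memcpy into a 16-byte stack buffer would do with each
 * length; the copy itself is not performed so the demo never corrupts memory. */
int main(void) {
    unsigned char out[16];
    setup_table();
    for (uint32_t h = 0; h < 2; h++) {
        uint32_t n = file_read_len_vuln(h);
        printf("vuln  handle %u: would copy %u bytes into %zu-byte buffer%s\n",
               h, n, sizeof out, n > sizeof out ? "  <-- OVERFLOW" : "");
        long m = file_read_len_safe(h);
        if (m < 0) printf("safe  handle %u: rejected (not a file object)\n", h);
        else       printf("safe  handle %u: copy %ld bytes\n", h, m);
    }
    return 0;
}
```

The fix is the single comparison against `h.kind`; the bug is not in the table or the union, but in a handler that trusts the caller's idea of what kind of object a handle refers to.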
Four critical vulnerabilities in Serv-U
The fourth vulnerability is an "Insecure Direct Object Reference" (IDOR): the server resolves an object reference supplied by the client, such as a file or record identifier, without checking that the requester is authorized to access that object. Here, too, successful exploitation lets attackers execute malicious code from the network with "root" privileges (CVE-2025-40541, CVSS 9.1, risk "critical").
Solarwinds does not say how the vulnerabilities can be exploited in practice or how admins could detect such attempts. The flaws were apparently disclosed responsibly, and there are so far no reports of them being exploited in the wild.
Given the severity of the vulnerabilities, admins should nevertheless update promptly. Cyber gangs frequently use vulnerabilities in file transfer software to gain unauthorized access, copy data and then extort the affected companies.
Most recently, Solarwinds closed security vulnerabilities in Serv-U in mid-November.
(dmk)