SolarWinds has updated its Serv-U file transfer software to fix four serious security holes that could lead to remote code execution if they are successfully exploited. CVE-2025-40538 is a broken access control vulnerability that enables an attacker to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges.
The vulnerabilities are all rated 9.1 on the CVSS scoring system. A type confusion vulnerability known as CVE-2025-40539 enables an attacker to run any native code as root. A type confusion vulnerability known as CVE-2025-40540 enables an attacker to run any native code as root. An attacker can run native code as root thanks to the insecure direct object reference (IDOR) vulnerability known as CVE-2025-40541.
According to SolarWinds, in order to successfully exploit the vulnerabilities, administrative privileges are needed. Additionally, it stated that because the services "frequently run under less-privileged service accounts by default," they pose a medium security risk for Windows deployments. SolarWinds Serv-U version 15.5 is affected by the four issues.
SolarWinds Serv-U version 15.5.4 has addressed them. Although SolarWinds doesn't mention the security flaws being exploited in the wild, malicious actors, including a China-based hacking group known as Storm-0322 (formerly DEV-0322), have taken advantage of previous software vulnerabilities (CVE-2021-35211, CVE-2021-35247, and CVE-2024-28995).












