On February 24, 2026, SolarWinds released Serv-U version 15.5.4, which fixes four serious flaws that could give attackers root access to affected systems. Organizations running the file transfer server are at serious risk from these defects, all of which score 9.1 on the CVSS scale and stem from issues such as broken access control and type confusion. Given SolarWinds' history of high-profile supply chain attacks, patching right away is strongly recommended.
Detailed Critical Vulnerabilities

The most concerning is CVE-2025-40538, a broken access control flaw that allows attackers with domain admin or group admin privileges to create a system admin user and run arbitrary code as root. Similarly, type confusion errors in CVE-2025-40539 and CVE-2025-40540 allow native code execution at the root level without the need for extra privileges.
CVE-2025-40541 circumvents checks to run code as root by taking advantage of an insecure direct object reference (IDOR). Although attackers require authenticated access, they could chain these for complete compromise, which could result in persistent backdoors, ransomware deployment, or data exfiltration. Certain vectors require domain or group admin rights for exploitation, but type confusion and IDOR lower the bar.
Although there are currently no publicly available exploits, the root-level impact makes these ideal targets for ransomware or advanced persistent threats (APTs).

| CVE ID | Vulnerability Title | Description | Severity | Credited |
|---|---|---|---|---|
| CVE-2025-40538 | SolarWinds Serv-U Broken Access Control RCE | Broken access control permits arbitrary root code execution through domain/group admin privileges and the creation of system admin users. | 9.1 Critical | N/A |
| CVE-2025-40540 | SolarWinds Serv-U Type Confusion RCE | Type confusion allows arbitrary native code execution as root. | 9.1 Critical | N/A |
| CVE-2025-40539 | SolarWinds Serv-U Type Confusion RCE | Type confusion allows arbitrary native code execution as root. | 9.1 Critical | N/A |
| CVE-2025-40541 | SolarWinds Serv-U IDOR RCE | IDOR permits root execution of native code. | 9.1 Critical | N/A |

Serv-U 15.5.4 addresses these CVEs alongside enhancements such as support for Ubuntu 24.04 LTS, time display for last-modified dates, and File Share download history.
Organizations running versions 15.5.1 or lower also face end-of-life risk: support for 15.5.1 expires on November 18, 2026. Use scanners such as Nessus or Qualys to inventory affected installations, remove excessive admin privileges, and monitor logs for suspicious code execution or admin account creation. SolarWinds attributes the discovery to internal teams; no outside researchers were mentioned.
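As an added illustration of the triage step above (example code, not SolarWinds' or the article's own), the following script sorts a scanner-produced inventory of Serv-U hosts into patched, vulnerable, and end-of-life buckets using the thresholds the advisory gives (15.5.4 fixed, 15.5.1 and lower end-of-life). The host names, version strings and inventory format are constructed assumptions.

```python
# Added example, not SolarWinds code: triage a Serv-U version inventory
# against the thresholds in the advisory. The inventory below is constructed.
FIXED_VERSION = (15, 5, 4)    # 15.5.4 fixes CVE-2025-40538/-40539/-40540/-40541
EOL_MAX_VERSION = (15, 5, 1)  # 15.5.1 and lower: support ends 2026-11-18

# Constructed sample inventory: (host, Serv-U version string from a scan).
SAMPLE_INVENTORY = [
    ("ftp-01.example.internal", "15.5.4"),
    ("ftp-02.example.internal", "15.5.3"),
    ("ftp-03.example.internal", "15.5.1"),
    ("ftp-04.example.internal", "15.4.2.126"),
    ("ftp-05.example.internal", "15.5.10"),  # must not sort below 15.5.4
    ("ftp-06.example.internal", "unknown"),  # failed banner grab
]


def parse_version(text):
    """Return '15.4.2.126' as (15, 4, 2, 126); None if not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version):
    """Map a version string to a triage status using numeric comparison,
    so 15.5.10 is correctly treated as newer than 15.5.4."""
    parsed = parse_version(version)
    if parsed is None:
        # Never treat an unreadable version as safe; force a manual check.
        return "unknown-version: verify manually"
    mmp = (parsed + (0, 0, 0))[:3]  # pad to major.minor.patch
    if mmp <= EOL_MAX_VERSION:
        return "vulnerable, end-of-life branch: upgrade to 15.5.4"
    if mmp < FIXED_VERSION:
        return "vulnerable: upgrade to 15.5.4"
    return "patched"


def triage(inventory):
    """Return {host: status} for every (host, version) pair."""
    return {host: classify(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```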