Critical SolarWinds Serv-U Flaws Expose Servers to Root-Level Compromise
SolarWinds Releases Security Patches for Serv-U File Transfer Software
SolarWinds has released security patches to address four critical vulnerabilities in its Serv-U file transfer software, which could allow attackers to gain root access to unpatched servers. Serv-U is a self-hosted Windows and Linux solution that enables secure file exchange via FTP, FTPS, SFTP, and HTTP/S.
Critical Vulnerability Details
The most severe vulnerability, tracked as CVE-2025-40538, is a broken access control flaw. An attacker who already holds a high-privileged Serv-U account can use it to create a system admin user and then execute arbitrary code as root on the underlying server.
The company has also patched two type confusion flaws and an Insecure Direct Object Reference (IDOR) vulnerability that can be exploited in a similar manner, again starting from an already-privileged account.
Risk to Organizations
While all four vulnerabilities require the attacker to already hold high privileges on the targeted server, they still pose a significant risk to organizations running Serv-U, since a compromised or malicious administrator account becomes a direct route to root. Shodan estimates that over 12,000 Internet-exposed Serv-U servers are currently online, although Shadowserver puts the number at less than 1,200; the two services use different fingerprinting methods, so either figure should be read as an order-of-magnitude estimate.
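Before patching, most teams first need to know which of their own hosts run Serv-U at all. The following inventory helper is an added example and not code from SolarWinds or from the article; it assumes that Serv-U's default FTP greeting names the product and version (administrators can change the banner, so a miss is not proof of absence). The host addresses and banner strings are constructed sample data, and the minimum version you compare against should be taken from the SolarWinds advisory rather than from this example.

```python
import re

# Constructed sample FTP greeting banners, in the form a scanner or asset
# inventory tool would record them. ASSUMPTION: Serv-U's default 220 greeting
# reads "Serv-U FTP Server v<version> ready..."; custom banners will not match.
SAMPLE_BANNERS = {
    "10.0.0.5": "220 Serv-U FTP Server v15.4 ready...",
    "10.0.0.6": "220 (vsFTPd 3.0.3)",
    "10.0.0.7": "220 Serv-U FTP Server v15.1 ready...",
    "10.0.0.8": "220 Welcome to the corporate file exchange",
}

SERV_U_RE = re.compile(r"Serv-U FTP Server v(?P<version>\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(banner):
    """Return the Serv-U version as a tuple of ints, or None if the banner
    does not look like a default Serv-U greeting."""
    match = SERV_U_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group("version").split("."))


def find_serv_u_hosts(banners):
    """Map host -> version tuple for every banner that identifies Serv-U."""
    found = {}
    for host, banner in banners.items():
        version = parse_version(banner)
        if version is not None:
            found[host] = version
    return found


def hosts_below(banners, minimum):
    """Hosts whose advertised Serv-U version is older than `minimum`.

    `minimum` is a tuple such as (15, 4) taken from the vendor advisory;
    tuple comparison orders (15, 1) < (15, 4) < (15, 4, 1) as expected.
    """
    return sorted(host for host, version in find_serv_u_hosts(banners).items()
                  if version < minimum)


if __name__ == "__main__":
    for host, version in find_serv_u_hosts(SAMPLE_BANNERS).items():
        print(f"{host}: Serv-U {'.'.join(map(str, version))}")
    # Example threshold only; substitute the fixed version from the advisory.
    print("needs review:", hosts_below(SAMPLE_BANNERS, (15, 4)))
```

Banner matching only identifies candidates; confirm the installed build on each host (and check the HTTP/S management interface as well, which the FTP greeting says nothing about) before marking it patched.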
Previous Exploits and Attacks
File transfer software like Serv-U is a frequent target because it sits on the network edge and holds sensitive corporate and customer data. SolarWinds Serv-U has been targeted before: in 2021, China-based threat actors tracked by Microsoft as DEV-0322 exploited CVE-2021-35211 as a zero-day.
More recently, a Serv-U path traversal vulnerability (CVE-2024-28995) was flagged by cybersecurity companies Rapid7 and GreyNoise as being actively exploited by threat actors using publicly available proof-of-concept exploits.
Recommendation
Organizations using Serv-U are advised to apply the security patches released by SolarWinds as soon as possible. Because the flaws require an already-privileged account, it is also worth reviewing who currently holds administrative access to Serv-U and limiting exposure of its management interface to the Internet while the patches are rolled out.
