SolarWinds Patches Critical Serv-U 15.5 Vulnerabilities Allowing Root Code Execution


SolarWinds Patches Critical Security Vulnerabilities in Serv-U File Transfer Software

SolarWinds has issued patches for four critical security vulnerabilities in its Serv-U file transfer software, which could allow attackers to execute code remotely with root privileges.

Vulnerability Details

The vulnerabilities, all assigned a CVSS score of 9.1, stem from broken access control, type confusion, and insecure direct object reference flaws. Attackers can exploit them to create system admin users, execute arbitrary native code, and gain elevated privileges.

The affected software is SolarWinds Serv-U version 15.5, and the patches are available in version 15.5.4. According to SolarWinds, the vulnerabilities require administrative privileges to be successfully exploited, and the risk is considered medium on Windows deployments, as the services typically run under less-privileged service accounts by default.

Identified Vulnerabilities

  • CVE-2025-40538: A broken access control vulnerability that allows attackers to create system admin users and execute arbitrary code with root privileges.
  • CVE-2025-40539: A type confusion vulnerability that enables attackers to execute arbitrary native code with root privileges.
  • CVE-2025-40540: Another type confusion vulnerability that allows attackers to execute arbitrary native code with root privileges.
  • CVE-2025-40541: An insecure direct object reference vulnerability that enables attackers to execute native code with root privileges.

Recommendation

Organizations should prioritize applying the patches to prevent potential attacks and ensure the security of their systems.
