SolarWinds has released patches for four critical vulnerabilities in its Serv-U file transfer software that could allow attackers who already hold admin privileges to execute code as root; each flaw carries a CVSS score of 9.1.
SolarWinds has issued an urgent security update for its Serv-U Managed File Transfer and Serv-U Secure FTP products, addressing four critical vulnerabilities that could allow attackers to execute code with root privileges. The flaws, found in the widely used file transfer software, have each been assigned a CVSS severity rating of 9.1, reflecting their potential for significant impact.
The Four Critical Flaws
The vulnerabilities include:
- CVE-2025-40538: A broken access control issue that allows creation of system administrator accounts and execution of arbitrary code with privileged access
- CVE-2025-40540 and CVE-2025-40539: Two type confusion bugs that could lead to remote code execution
- CVE-2025-40541: An Insecure Direct Object Reference (IDOR) vulnerability that could also result in RCE
According to SolarWinds' security advisory, the most severe of these flaws, CVE-2025-40538, "gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges."
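The advisory wording above describes a classic broken access control pattern: the check distinguishes "administrator" from "non-administrator" but not between administrative tiers, so a lower-tier admin can mint a system admin. The following is an added, hypothetical model of that pattern and its fix; it is not Serv-U code, and the tier names and function names are assumptions for illustration.

```python
# Hypothetical model (not Serv-U code) of the tiered-admin account creation
# flaw described in the advisory, shown beside a hardened version.
from enum import IntEnum


class AdminLevel(IntEnum):
    """Assumed privilege tiers, ordered from least to most privileged."""
    NONE = 0
    GROUP_ADMIN = 1
    DOMAIN_ADMIN = 2
    SYSTEM_ADMIN = 3


class PermissionDenied(Exception):
    pass


def create_account_vulnerable(actor: AdminLevel, requested: AdminLevel, users: list) -> AdminLevel:
    """Broken check: only asks 'is the caller some kind of admin?'.
    A group or domain admin can therefore request a SYSTEM_ADMIN account."""
    if actor == AdminLevel.NONE:
        raise PermissionDenied("administrators only")
    users.append(requested)
    return requested


def create_account_fixed(actor: AdminLevel, requested: AdminLevel, users: list) -> AdminLevel:
    """Hardened check: the caller must be an admin AND may never grant a
    tier above its own, so only a SYSTEM_ADMIN can create a SYSTEM_ADMIN."""
    if actor == AdminLevel.NONE:
        raise PermissionDenied("administrators only")
    if requested > actor:
        raise PermissionDenied(
            f"{actor.name} cannot grant {requested.name} (above caller's own tier)"
        )
    users.append(requested)
    return requested


def escalation_blocked(actor: AdminLevel, requested: AdminLevel) -> bool:
    """Helper for checking the fix: True if the hardened path refuses the request."""
    try:
        create_account_fixed(actor, requested, [])
    except PermissionDenied:
        return True
    return False
```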
Patch Now Available
The vulnerabilities are patched in Serv-U version 15.5.4, which SolarWinds released alongside the security advisory. The company stated it has "not observed exploitation" of these flaws but emphasized its commitment to monitoring the situation and working with customers to ensure rapid resolution.
Administrative Privileges Required
While the vulnerabilities are rated critical, SolarWinds notes that all four require administrative privileges to exploit. This prerequisite limits exposure: an attacker would need to already hold an elevated account on the system (for CVE-2025-40538, domain admin or group admin rights) before these flaws could be used to gain root-level control.
Historical Context of SolarWinds Attacks
SolarWinds products have been a frequent target for attackers, particularly following the high-profile supply chain attack in 2020 that compromised numerous government agencies and private companies. The company's products remain attractive targets due to their widespread deployment in enterprise environments.
CISA has previously added three earlier Serv-U vulnerabilities to its Known Exploited Vulnerabilities catalog, including one that was actively used in ransomware campaigns. The current vulnerabilities have not yet appeared on CISA's KEV list, but the rapid addition of previous SolarWinds flaws suggests they could be added if exploitation is detected.
File Transfer Software as High-Value Targets
Security experts note that file transfer products like Serv-U, MOVEit, and GoAnywhere are particularly attractive to attackers because they handle large volumes of sensitive data including financial records, intellectual property, and other confidential information. These systems often have broad network access and elevated privileges, making them ideal targets for lateral movement within compromised networks.
Earlier this month, CISA warned that unknown attackers were actively exploiting another critical SolarWinds vulnerability, CVE-2025-40551, in the Web Help Desk product. Microsoft subsequently observed a multi-stage intrusion campaign where attackers exploited internet-exposed SolarWinds WHD instances to gain initial access before moving laterally to other high-value assets within victim organizations.
Recommendations
Organizations using SolarWinds Serv-U should:
- Immediately update to version 15.5.4
- Review administrative access controls
- Monitor for suspicious activity
- Consider network segmentation for file transfer systems
- Review and update incident response procedures
The rapid exploitation of the recent Web Help Desk vulnerability demonstrates how quickly attackers can weaponize newly disclosed flaws, particularly in widely-deployed enterprise software. Given the critical nature of these vulnerabilities and the history of SolarWinds products being targeted, prompt patching is strongly advised.