SolarWinds has announced the release of updates to rectify four significant security vulnerabilities in its Serv-U file transfer software. These flaws, if exploited, could lead to remote code execution, posing a substantial threat to affected systems. The vulnerabilities in question have been assigned a CVSS score of 9.1, indicating their severity and potential impact on system security.
Details of the Vulnerabilities
The identified vulnerabilities include a broken access control issue, CVE-2025-40538, which permits attackers with domain or group admin access to create a system admin user and execute arbitrary code with root privileges. Two type confusion vulnerabilities, CVE-2025-40539 and CVE-2025-40540, both allow execution of native code as root. Lastly, an insecure direct object reference vulnerability, CVE-2025-40541, also enables the execution of native code with root privileges.
Impact and Mitigation
SolarWinds has clarified that exploiting these vulnerabilities requires administrative privileges, and that they present a medium security risk for Windows deployments because the services typically run under less-privileged accounts by default. The vulnerabilities affect Serv-U version 15.5 and have been resolved with the release of version 15.5.4.
Previous Exploitations and Security Measures
While there is no current evidence that these specific flaws have been actively exploited, earlier vulnerabilities in the software have been targeted by malicious actors. Notably, CVE-2021-35211, CVE-2021-35247, and CVE-2024-28995 were exploited by hackers, including a China-associated group known as Storm-0322. This underscores the importance of promptly applying the latest updates to safeguard systems against potential threats.
In conclusion, the resolution of these vulnerabilities is crucial for maintaining system integrity and protecting against unauthorized code execution. Users of SolarWinds Serv-U are strongly encouraged to upgrade to the latest version to ensure their systems remain secure against these critical threats.
