SolarWinds patches critical vulnerabilities in Serv-U
Take action: If you're running the SolarWinds Serv-U file transfer solution, plan an update cycle to version 15.5.3. The flaws are not urgent, because all three require admin access. But don't ignore them, since any user, including an admin, can be compromised through some other vector such as phishing, malware or another vulnerable system.
SolarWinds has released security updates to patch multiple critical severity vulnerabilities in its Serv-U file transfer solution. All three flaws require administrative privileges to exploit, but if successfully abused, could allow malicious actors to execute arbitrary code on vulnerable systems.
Vulnerabilities summary:
- CVE-2025-40547 (CVSS score 9.1) - A logic error vulnerability in Serv-U that, when abused, could give a malicious actor with admin privileges the ability to execute code.
- CVE-2025-40548 (CVSS score 9.1) - A missing validation process exists in Serv-U that could allow a malicious actor with admin privileges to execute arbitrary code through broken access control mechanisms.
- CVE-2025-40549 (CVSS score 9.1) - A path restriction bypass vulnerability that could give a malicious actor with admin privileges the ability to execute code in a directory by circumventing path-based security controls.
The affected product is SolarWinds Serv-U version 15.5.2.2.102. SolarWinds notes that on Windows deployments the risk is scored as medium severity because Windows services frequently run under less-privileged service accounts by default, which limits the potential impact.
On Unix-based systems, the critical severity rating applies fully, as services may run with higher privileges.
SolarWinds has released Serv-U version 15.5.3 to address these vulnerabilities. Organizations running affected versions should prioritize applying the security update.
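To turn the advisory into an inventory check, the script below flags any Serv-U install whose version string sorts below the fixed release 15.5.3 and assigns the advisory's per-platform severity (medium on Windows, critical on Unix-based systems). This is an added example, not SolarWinds code: the affected build 15.5.2.2.102, the fixed release 15.5.3 and the CVE ids come from the advisory; the host names, OS labels and version strings are constructed sample data, and how the version string is collected from a host is left to the deployment.

```python
"""Inventory check: flag Serv-U installs that are still below the fixed release.

Assumptions (added example, not SolarWinds code): the affected build string
15.5.2.2.102 and the fixed release 15.5.3 come from the advisory; hosts, OS
labels and version strings below are constructed sample data. Obtaining the
version string from a real host (installer metadata, package manager, banner)
is deployment specific and not shown; this module only compares strings.
"""
from typing import Dict, List, Tuple

FIXED_VERSION = "15.5.3"           # from the advisory
AFFECTED_VERSION = "15.5.2.2.102"  # from the advisory
CVES = ("CVE-2025-40547", "CVE-2025-40548", "CVE-2025-40549")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.5.2.2.102' into (15, 5, 2, 2, 102); reject non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the install is older than the fixed release.

    Tuple comparison copes with differing lengths: (15, 5, 2, 2, 102) < (15, 5, 3)
    because the third component decides, while (15, 5, 3, 0, 20) is not below
    (15, 5, 3), so 15.5.3 and any later build count as patched.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def severity_for(os_name: str) -> str:
    """Advisory rating: medium on Windows (less-privileged service accounts), critical elsewhere."""
    return "medium" if os_name.lower().startswith("win") else "critical"


def triage(hosts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per vulnerable host, with severity and the required action."""
    findings = []
    for h in hosts:
        if is_vulnerable(h["version"]):
            findings.append({
                "host": h["host"],
                "version": h["version"],
                "severity": severity_for(h["os"]),
                "cves": ", ".join(CVES),
                "action": f"upgrade Serv-U to {FIXED_VERSION}",
            })
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    {"host": "ftp-lin-01", "os": "linux",   "version": AFFECTED_VERSION},
    {"host": "ftp-win-01", "os": "windows", "version": "15.5.2.2.102"},
    {"host": "ftp-lin-02", "os": "linux",   "version": "15.5.3"},
    {"host": "ftp-win-02", "os": "windows", "version": "15.5.3.0.20"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS):
        print(f"{f['host']}: {f['version']} -> {f['severity']} ({f['action']}; {f['cves']})")
```

Malformed version strings raise rather than silently passing as patched, so a host whose version could not be read shows up as an error in the inventory run instead of disappearing from the findings.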