SolarWinds Patches Four Critical Root-Level Flaws in Serv-U File Transfer Software
Take action: If you are running Serv-U instances, plan a quick update to version 15.5.4. Even if the flaws are not currently being exploited, all it takes is compromising one set of credentials to exploit them, and that can happen through phishing, simple credential stuffing, or reuse of the same credentials on other systems.
SolarWinds has released security updates for Serv-U to patch four critical remote code execution (RCE) vulnerabilities.
These flaws affect both Windows and Linux versions of the self-hosted file transfer software, which organizations use for Managed File Transfer (MFT) and FTP services.
Vulnerability summary:
- CVE-2025-40538 (CVSS score 9.1) - A broken access control vulnerability that allows attackers with domain or group admin privileges to create a new system administrator account. By bypassing existing permission checks, an attacker can run arbitrary code with root-level authority.
- CVE-2025-40539 (CVSS score 9.1) - A type confusion vulnerability where the application incorrectly handles data types during processing. This flaw allows an authenticated attacker to trigger memory corruption and run native code as the root user.
- CVE-2025-40540 (CVSS score 9.1) - Another type confusion vulnerability similar to CVE-2025-40539 that affects the way Serv-U manages internal objects. Exploiting this allows for arbitrary code execution with the highest system privileges.
- CVE-2025-40541 (CVSS score 9.1) - An Insecure Direct Object Reference (IDOR) vulnerability that occurs when the system fails to validate access to specific internal resources. Attackers can manipulate object identifiers to run native code as root.
Although exploitation requires existing high-level credentials, attackers frequently chain such vulnerabilities after gaining an initial foothold via stolen credentials or other exploits. Groups like the Clop ransomware gang and state-sponsored actors like DEV-0322 have targeted Serv-U to steal data and move laterally through corporate networks.
The vulnerabilities affect all versions of SolarWinds Serv-U prior to 15.5.4. This includes both the Managed File Transfer (MFT) and standard FTP server editions.
SolarWinds recommends that all administrators immediately upgrade to Serv-U version 15.5.4.
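Because the fix is a version threshold, the practical first step for a defender is to inventory Serv-U hosts and compare each reported version numerically against 15.5.4. The following script is an added example, not code from SolarWinds or from the article; the hostnames and version strings in it are constructed sample data, and the only fact it takes from the page is the fixed version number. It shows the one pitfall that bites in this kind of triage: comparing version strings lexically would rank a hypothetical build 15.5.10 below 15.5.4.

```python
"""Flag Serv-U hosts still below the version that closes CVE-2025-40538 through
CVE-2025-40541. Added example; the inventory below is constructed, not real data."""

import re
from typing import List, Tuple

# Fixed version as stated in the SolarWinds advisory summarised above.
FIXED_VERSION = "15.5.4"

# Constructed inventory: (hostname, version string as an asset tool might report it).
# Hostnames are placeholders, not real systems.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mft-01.example.internal", "15.5.4"),
    ("mft-02.example.internal", "15.5.3.0"),
    ("ftp-legacy.example.internal", "15.4.2"),
    ("mft-03.example.internal", "Serv-U 15.5.10"),   # hypothetical later build
    ("ftp-test.example.internal", "unknown"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted numeric version from free-form text as a tuple of ints,
    so that comparison is numeric (15.5.10 > 15.5.4) rather than lexical
    ("15.5.10" < "15.5.4" as strings). Raises ValueError if none is present."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so 15.5.4 and 15.5.4.0 compare as equal."""
    return v + (0,) * (n - len(v))


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is at or above the fixed version."""
    reported = parse_version(version_text)
    target = parse_version(fixed)
    width = max(len(reported), len(target))
    return _pad(reported, width) >= _pad(target, width)


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (patched, unpatched, unknown) host lists.
    Hosts whose version cannot be parsed go to 'unknown' so they are not
    silently treated as safe."""
    patched, unpatched, unknown = [], [], []
    for host, version_text in inventory:
        try:
            (patched if is_patched(version_text) else unpatched).append(host)
        except ValueError:
            unknown.append(host)
    return patched, unpatched, unknown


if __name__ == "__main__":
    ok, needs_update, unverified = triage(SAMPLE_INVENTORY)
    print("Patched (>= %s):" % FIXED_VERSION, ok)
    print("Needs update:", needs_update)
    print("Version unknown, verify manually:", unverified)
```

Hosts that report no parseable version land in a separate bucket rather than in the patched list; in practice those are the ones most worth a manual look.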