
Security Affairs

SolarWinds patches four critical Serv-U flaws enabling root access

SolarWinds released updates fixing four critical Serv-U vulnerabilities that allow remote code execution, potentially giving attackers full root access on unpatched servers.

Serv-U is file transfer server software that allows organizations to securely transfer files over networks using protocols like FTP, FTPS, SFTP, and HTTP/S. It is commonly used by businesses to manage and exchange large files safely, including between internal teams and external partners.

One of the flaws fixed by the company is a broken access control issue, tracked as CVE-2025-40538 (CVSS score of 9.1), that could be exploited by attackers with high privileges to gain root or admin access on vulnerable systems.

“A broken access control vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges,” reads the advisory.

The second flaw is CVE-2025-40540 (CVSS score of 9.1), a type confusion vulnerability in Serv-U that, if exploited, allows an attacker to execute arbitrary native code as root, giving them full control of the affected server.

The third flaw is CVE-2025-40539 (CVSS score of 9.1), another type confusion vulnerability. Similar to the previous one, it enables an attacker to run arbitrary native code with root privileges, potentially compromising the entire system.

The last flaw is CVE-2025-40541 (CVSS score of 9.1), an Insecure Direct Object Reference (IDOR) vulnerability in Serv-U. Exploiting this flaw allows an attacker to execute native code as root, risking complete server compromise on unpatched systems.

In November 2025, SolarWinds addressed three other critical vulnerabilities (CVE-2025-40549, CVE-2025-40548, CVE-2025-40547) in its Serv-U file transfer solution that could allow remote code execution.

In July 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Pierluigi Paganini

Published: 2026-02-24T20:07:24
