Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities The Register Security

Patch these 4 critical, make-me-root SolarWinds bugs ASAP

Four critical vulnerabilities in SolarWinds Serv-U, including a broken access control flaw (CVE-2025-40538), two type confusion bugs, and an Insecure Direct Object Reference issue, allow authenticated attackers with administrative privileges to execute arbitrary code with root or SYSTEM permissions. All four flaws have a CVSS score of 9.1. According to the authoritative NVD data, SolarWinds Serv-U versions prior to 15.5.4 are affected, and the fix is to upgrade to version 15.5.4. While exploitation requires existing high-privilege access, the historical targeting of Serv-U and file transfer software makes prompt patching essential.

SolarWinds + file transfer software = what attackers' dreams are made of

Jessica Lyons, Tue 24 Feb 2026 // 19:55 UTC

If you run SolarWinds’ Serv-U, you should patch promptly. Four critical vulnerabilities in the file transfer software can allow attackers to execute code as root.

The four flaws, all of which earned a 9.1 CVSS rating, include a broken access control vulnerability (CVE-2025-40538), two type confusion bugs (CVE-2025-40540 and CVE-2025-40539), and an Insecure Direct Object Reference (IDOR) issue (CVE-2025-40541), all of which can lead to remote code execution (RCE).

The most serious of the four, CVE-2025-40538, "gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges," according to the vendor's security advisory.

Updating to the latest version, Serv-U 15.5.4, patches all four security holes.

In a statement to The Register, SolarWinds said, "We are aware of the reported issues and successfully addressed them as part of the Serv-U 15.5.4 release. We have not observed exploitation. We remain committed to monitoring the situation, working closely with customers and partners to ensure issues are resolved quickly. SolarWinds continues to prioritize the swift resolution of CVEs to ensure the security and integrity of our software."

The good news is that all four require administrative privileges to abuse, and none of the new CVEs have appeared on the US Cybersecurity and Infrastructure Security Agency's (CISA's) catalog of Known Exploited Vulnerabilities - yet.

However, SolarWinds' products in general are a long-time favorite target for attackers, and CISA has added three earlier Serv-U bugs to its KEV, including one known to be used in ransomware infections.

Plus, criminals frequently abuse file sharing products (such as MOVEit and GoAnywhere) because enterprises use them to store and transfer large volumes of highly sensitive files, such as financial records and intellectual property, and this makes them a high-value target. We highly recommend updating the software as soon as possible.

Earlier this month, CISA warned that unknown attackers were exploiting a critical SolarWinds Web Help Desk bug, CVE-2025-40551, less than a week after the vendor disclosed and fixed the 9.8-rated flaw.

A couple of days after America's lead cyber-defense agency sounded the alarm, Microsoft said it spotted a multi-stage intrusion where attackers exploited internet-exposed SolarWinds WHD instances to gain access to the victim organization, and then moved laterally to other high-value assets.