SolarWinds has launched updates to deal with 4 crucial security flaws in its Serv-U file switch software program that, if efficiently exploited, may end in distant code execution.
The vulnerabilities, all rated 9.1 on the CVSS scoring system, are listed beneath –
- CVE-2025-40538 – A damaged entry management vulnerability that permits an attacker to create a system admin person and execute arbitrary code as root through area admin or group admin privileges.
- CVE-2025-40539 – A kind confusion vulnerability that permits an attacker to execute arbitrary native code as root.
- CVE-2025-40540 – A kind confusion vulnerability that permits an attacker to execute arbitrary native code as root.
- CVE-2025-40541 – An insecure direct object reference (IDOR) vulnerability that permits an attacker to execute native code as root.
SolarWinds famous that the vulnerabilities require administrative privileges for profitable exploitation. It additionally stated that they carry a medium security danger on Home windows deployments because the providers “ceaselessly run below less-privileged service accounts by default.”
The 4 shortcomings have an effect on SolarWinds Serv-U model 15.5. They’ve been addressed in SolarWinds Serv-U model 15.5.4.
Whereas SolarWinds makes no point out of the security flaws being exploited within the wild, prior vulnerabilities within the software program (CVE-2021-35211, CVE-2021-35247, and CVE-2024-28995) have been exploited by malicious actors, together with by a China-based hacking group tracked as Storm-0322 (previously DEV-0322).
