SolarWinds Serv-U Vulnerabilities Allow Root Remote Code Execution: Patch Now


SolarWinds fixed four critical Serv-U vulnerabilities that let attackers gain root access remotely. All carry CVSS 9.1 scores. They hit access controls, web interfaces, and APIs. Update to version 15.5.4 immediately. SolarWinds release notes state: “These patches address CVE-2025-40538 through CVE-2025-40541, preventing unauthorized admin creation and RCE.” 

Serv-U manages secure file transfers in enterprises. Flaws allow domain admins to create system admins, then run code as root. Type confusion bugs corrupt memory for direct execution. An IDOR issue bypasses checks on objects.

SolarWinds credits researchers for disclosure. No known exploits as of February 26, 2026. Check NVD for updates. Older versions like 15.5.1 hit end-of-engineering support on February 18, 2026.

Attackers could deploy ransomware or backdoors. Impacts include data theft from networks. File servers often hold sensitive info, making quick patches vital.

Version 15.5.4 adds Ubuntu 24.04 support and UI tweaks like download history.

Vulnerability Breakdown

| CVE | CVSS | Component | Impact | Fixed in |
|---|---|---|---|---|
| CVE-2025-40538 | 9.1 | Access Control | Admin creation to root RCE | 15.5.4 |
| CVE-2025-40539 | 9.1 | Web Interface | Type confusion root RCE | 15.5.4 |
| CVE-2025-40540 | 9.1 | Web Interface | Type confusion root RCE | 15.5.4 |
| CVE-2025-40541 | 9.1 | API/Object Handling | IDOR root RCE | 15.5.4 |

New Features in 15.5.4

  • Ubuntu 24.04 LTS support.
  • File Share download history.
  • Precise last-modified timestamps.
  • Strict Content Security Policy.
  • Legacy login anti-clickjacking.

Patch Steps

Apply updates fast.

  • Download from SolarWinds customer portal.
  • Review EOL for versions below 15.5.1.
  • Test in staging for file shares.
  • Scan networks for exposed Serv-U.
  • Enable logging for admin changes.
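The "scan networks for exposed Serv-U" and "review EOL" steps both come down to comparing what you have deployed against the fixed build. The script below is an added example, not SolarWinds' or VPNCentral's code: it takes an inventory of host/version pairs you collected yourself (the sample hostnames and versions are constructed) and classifies each as patched (15.5.4 or later), unpatched, or unpatched and past end-of-engineering (15.5.1 or below, as the article states). Versions are compared numerically rather than as strings, which matters because a text comparison would rank "15.5.10" below "15.5.4".

```python
"""Added example (not SolarWinds' or VPNCentral's code): triage a Serv-U
inventory against the fixed version named in the article (15.5.4).

Assumptions: the inventory is a list of (host, version) pairs that you
collected yourself, e.g. from an asset database or banner grab; the sample
entries below are constructed. Version strings are compared numerically,
so '15.5.10' correctly ranks above '15.5.4'.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = "15.5.4"   # first build with fixes for CVE-2025-40538 .. CVE-2025-40541
EOE_VERSION = "15.5.1"     # end-of-engineering support on February 18, 2026 (per article)


@dataclass
class Finding:
    host: str
    version: str
    status: str   # "patched", "unpatched", or "unpatched-eoe"


def parse_version(text: str) -> tuple:
    """Extract the first dotted version from free text (a banner, a CMDB
    field) and return it as a tuple of ints padded to four components,
    so that 15.5.4 compares equal to 15.5.4.0."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(host: str, version_text: str) -> Finding:
    """Classify one host against the fixed and end-of-engineering versions."""
    v = parse_version(version_text)
    if v >= parse_version(FIXED_VERSION):
        status = "patched"
    elif v <= parse_version(EOE_VERSION):
        status = "unpatched-eoe"   # needs upgrade and is out of engineering support
    else:
        status = "unpatched"
    return Finding(host, version_text, status)


def triage(inventory):
    """Run classify() over an iterable of (host, version_text) pairs."""
    return [classify(h, v) for h, v in inventory]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("files-01.example.internal", "Serv-U 15.5.4"),
    ("files-02.example.internal", "15.5.3"),
    ("files-03.example.internal", "15.5.1"),
    ("files-04.example.internal", "15.4.2"),
    ("files-05.example.internal", "15.5.10"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:28} {f.version:16} {f.status}")
```

Feed it your real inventory in place of `SAMPLE_INVENTORY`; anything that comes back as `unpatched` or `unpatched-eoe` is a host to upgrade to 15.5.4 before exposing it further.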

FAQ

What do SolarWinds Serv-U vulnerabilities enable?

Root RCE via admin escalation, type confusion, and IDOR.

Which versions fix CVE-2025-40538 to 40541?

Serv-U 15.5.4. 

Are there public exploits?

None reported as of February 26, 2026.

What if I run old Serv-U?

Upgrade now; 15.5.1 EOL February 18, 2026.

Does 15.5.4 add security beyond patches?

Yes, CSP headers block clickjacking.
