SolarWinds Serv-U: four corrected critical vulnerabilities that could give root access to an attacker


SolarWinds has published an update for its Serv-U software that fixes four critical remote code execution (RCE) vulnerabilities which, on unpatched servers, could end up giving an attacker control with maximum privileges. Serv-U is the file transfer solution that many organizations run on-premises on both Windows and Linux, and that offers MFT, FTP, FTPS, SFTP and HTTP/S services to move sensitive information between systems.

The most relevant fix arrives in version 15.5.4 and addresses a serious flaw identified as CVE-2025-40538. According to SolarWinds' official note, this defect allows users with high privileges to create system administrative accounts and run code with root or administrator permissions, which facilitates the complete takeover of the affected machine. You can see the details and update instructions on the SolarWinds release notes page: official SolarWinds documentation.


In addition to CVE-2025-40538, the update fixes two type confusion bugs and an IDOR-type vulnerability (Insecure Direct Object Reference) that can also result in code execution with root privileges if they are successfully exploited. The important point from an operational standpoint is that, for the moment, all of these vulnerabilities require the attacker to already have high-privilege access on the target server, which limits, but does not eliminate, the risk: it is feasible for an adversary to chain these flaws with other vulnerabilities or to use previously compromised administrative credentials to reach that point.

The surface exposed on the Internet is not small: public searches return figures that vary widely depending on the scanning methodology. For example, Shodan shows more than 12,000 Serv-U instances reachable from the public network, while the Shadowserver count, which applies different criteria, places this number below 1,200. This discrepancy does not mean that one source is wrong; it reflects differences in how and when exposed services are identified and catalogued. You can check the metrics in Shodan and the Shadowserver dashboard: Shodan - Serv-U and Shadowserver - statistics.

The fact that file transfer software is an attractive target is no surprise: this type of tool concentrates corporate documents and customer data, and a compromised server facilitates mass exfiltration or the deployment of ransomware encryptors. Historically, criminal actors and state-sponsored groups have exploited vulnerabilities in Serv-U. A notable example was CVE-2021-35211, which was used by ransomware gangs and by groups linked to exfiltration and surveillance-oriented operations. Agencies and response teams follow these attack vectors very closely.

In the overall threat map, vulnerabilities in SolarWinds products have had repeated impact, which is why entities such as the United States Cybersecurity and Infrastructure Security Agency (CISA) maintain constant monitoring. Currently, CISA lists several SolarWinds vulnerabilities that have been actively exploited; you can review its catalogue of vulnerabilities known to be exploited in real environments here: CISA - Known Exploited Vulnerabilities.

If you administer Serv-U servers, the first action should be to update as soon as possible to the version that fixes these flaws. Beyond applying the patch, it is advisable to reduce the exposure of the services: avoid publishing file transfer servers directly to the Internet, restrict access by IP, enforce multifactor authentication where possible and rotate administrative credentials. Network segmentation and targeted monitoring for unusual patterns in logs help detect abuse attempts before a minor problem becomes a major breach.


It is important to remember that basic security hygiene remains the most effective barrier: apply the principle of least privilege, review accounts with elevated permissions, and audit access and configuration changes. If there is any possibility that stolen credentials have been used, a forensic containment and verification process must be carried out, including verification of the integrity of critical binaries, review of scheduled tasks and detection of backdoors.
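Two of the defender-side steps above, checking that an installed build is at or beyond the fixed release and verifying critical binaries against a known-good baseline, are easy to script. The following is an added example written for this article, not SolarWinds tooling and not specific to Serv-U's installation layout: the version comparison uses 15.5.4 (the release the article names as containing the fix) as the threshold, and the integrity check hashes a constructed temporary directory standing in for an install tree. File names and version strings in the demo are placeholders.

```python
"""Added example (not SolarWinds' own tooling): two generic defender checks.

1. is_patched(installed): compare a dotted version string against the
   release the article names as containing the fix (15.5.4).
2. build_baseline / verify_baseline: SHA-256 manifest of a directory of
   critical binaries so later tampering or dropped files can be detected.

The directory tree and version strings used in demo() are constructed
placeholders, not real Serv-U paths.
"""
import hashlib
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "15.5.4"  # release named in the article as fixing CVE-2025-40538


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '15.5.4' (or '15.5.4 build 123') into (15, 5, 4).

    Only the leading digits of each dotted component count; parsing stops
    at the first component that does not start with a digit."""
    parts = []
    for component in v.strip().split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is at least the fixed version.

    Missing trailing components are padded with 0, so '15.5' < '15.5.4'
    while '15.6' > '15.5.4'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map POSIX-style relative path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a saved baseline.

    Returns files whose hash changed, files that disappeared, and files
    that were not present when the baseline was taken (a typical sign of
    an implant or dropped tool)."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two fake binaries, then alter one and
    drop an extra file, which is what a post-compromise check should catch."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "serv-u").write_bytes(b"original binary contents")
        (root / "bin" / "helper").write_bytes(b"helper contents")
        baseline = build_baseline(root)
        (root / "bin" / "serv-u").write_bytes(b"original binary contents + change")
        (root / "bin" / "extra").write_bytes(b"unexpected file")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print("15.5.3 patched:", is_patched("15.5.3"))
    print("15.5.4 patched:", is_patched("15.5.4"))
    print(demo())
```

In practice the baseline would be generated right after a clean install or upgrade, stored off-host (or signed), and re-checked on a schedule and during incident triage; a non-empty `modified` or `unexpected` list is a reason to isolate the host rather than a result to explain away.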

Finally, maintaining a regular patching policy and controlled update testing reduces the window of exposure to this type of flaw. Organizations that depend on Serv-U should include these fixes in their vulnerability management cycle and, where necessary, apply compensating controls (such as firewall rules that block known exploitation patterns) until all instances are updated.

The combination of a vendor-published patch, the tracking of reliable sources and a proactive security operations response is the most effective formula for mitigating the risk of critical flaws such as the recent ones in Serv-U. For official information on the update and recommended steps, see the SolarWinds note, and compare it with the exposure data from Shodan or Shadowserver.
