Critical SolarWinds Serv-U flaws offer root access to servers

SolarWinds released security updates for Serv-U 15.5.4 to patch four critical remote code execution vulnerabilities that could give attackers root or admin access on unpatched Windows and Linux servers. The most severe, CVE-2025-40538, lets an attacker who already holds domain- or group-admin privileges create a system admin account and execute arbitrary code as root. The same update fixes two type confusion flaws and an IDOR. Serv-U has been exploited in the wild before, and CISA continues to track SolarWinds vulnerabilities.

Key points

  • SolarWinds patched four critical RCE vulnerabilities in Serv-U 15.5.4 that could grant root or admin permissions on vulnerable servers.
  • CVE-2025-40538 is the most severe issue and allows attackers with domain- or group-admin privileges to create a system admin user and run code as root.
  • Two type confusion vulnerabilities and an IDOR were also fixed, each capable of enabling code execution with root privileges.
  • All four flaws require the attacker to already hold high privileges, so exploitation depends on a prior privilege-escalation chain or stolen admin credentials; even so, Shodan and Shadowserver report thousands of internet-exposed Serv-U instances.
  • Serv-U has historically been targeted by groups such as Clop and DEV-0322 (which exploited CVE-2021-35211 and CVE-2024-28995), and CISA is tracking multiple SolarWinds vulnerabilities.

Read More: https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/