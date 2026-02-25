SolarWinds patched four critical Serv-U flaws rated 9.1/10

Bugs allowed arbitrary code execution; no exploitation observed so far

Managed file transfer tools remain high-value targets

SolarWinds Serv-U, a popular file transfer solution for business users, contained multiple high-severity vulnerabilities that allowed hackers to execute arbitrary code on the underlying system, the company has warned.

In a recently released security advisory, SolarWinds detailed the flaws and released a patch to address them.

All four flaws were given a severity rating of 9.1/10 (critical). They include a “Broken Access Control RCE flaw” tracked as CVE-2025-40538, two type confusion RCE flaws (CVE-2025-40540 and CVE-2025-40539), and an “Insecure Direct Object Reference RCE bug” tracked as CVE-2025-40541.

No exploitation yet

SolarWinds credited its in-house security team for finding the flaws, and said all four were addressed in version 15.5.4, inviting all customers to upgrade immediately.

In a statement shared with The Register, the company said there is no evidence of these flaws being abused in the wild: “We have not observed exploitation. We remain committed to monitoring the situation, working closely with customers and partners to ensure issues are resolved quickly. SolarWinds continues to prioritize the swift resolution of CVEs to ensure the security and integrity of our software,” the company told the publication.

At press time, the vulnerabilities were likewise absent from CISA’s Known Exploited Vulnerabilities (KEV) catalog.

However, managed file transfer solutions have long been a major target for cyberattacks and have, in multiple instances, been at the center of major hacking events.

Perhaps the most famous one is the MOVEit fiasco, when in late May 2023, Russian ransomware operators Cl0p abused a critical zero-day. By the end of the year and into early 2024, investigations and aggregated breach data showed that more than 2,700 organizations worldwide were impacted by the attack.

A few months prior, the same group targeted GoAnywhere, another managed file transfer solution, allegedly compromising 130 businesses.

