SolarWinds Serv-U has some critical security flaws, so users should update now or face attack


  • SolarWinds patched four critical Serv-U flaws rated 9.1/10
  • Bugs allowed arbitrary code execution; no exploitation observed so far
  • Managed file transfer tools remain high-value targets

SolarWinds Serv-U, a popular file transfer solution for business users, contained multiple high-severity vulnerabilities that allowed hackers to execute arbitrary code on the underlying system, the company has warned.

In a recently released security advisory, SolarWinds detailed the flaws and released a patch to address them.

All four flaws were given a severity rating of 9.1/10 (critical). They include a “Broken Access Control RCE flaw” tracked as CVE-2025-40538, two type confusion RCE flaws (CVE-2025-40540 and CVE-2025-40539), and an “Insecure Direct Object Reference RCE bug” tracked as CVE-2025-40541.

No exploitation yet

SolarWinds credited its in-house security team for finding the flaws, and said all four were addressed in version 15.5.4, inviting all customers to upgrade immediately.

In a statement shared with The Register, the company said there is no evidence of these flaws being abused in the wild: “We have not observed exploitation. We remain committed to monitoring the situation, working closely with customers and partners to ensure issues are resolved quickly. SolarWinds continues to prioritize the swift resolution of CVEs to ensure the security and integrity of our software,” the company told the publication.

At press time, the vulnerabilities were not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog either.

However, managed file transfer solutions have always been a major target for cyberattacks and have, in multiple instances in the past, been at the center of major hacking events.

Perhaps the most famous one is the MOVEit fiasco, when in late May 2023, Russian ransomware operators Cl0p abused a critical zero-day. By the end of the year and into early 2024, investigations and aggregated breach data showed that more than 2,700 organizations worldwide were impacted by the attack.

A few months prior, the same group targeted GoAnywhere, another managed file transfer solution, allegedly compromising 130 businesses.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
