securityaffairs.com 2/24/2026, 9:01:43 PM

SolarWinds fixes four Serv-U file server bugs that allow root


SolarWinds has issued updates addressing four critical Serv-U vulnerabilities that could allow remote code execution and potentially grant attackers full root access on unpatched servers.

The four flaws are: CVE-2025-40538, a broken access control issue that could let an attacker holding domain or group admin privileges create a system admin user and execute arbitrary code as root; CVE-2025-40540, a type confusion vulnerability enabling arbitrary native code execution as root; CVE-2025-40539, another type confusion flaw enabling root-level code execution; and CVE-2025-40541, an Insecure Direct Object Reference (IDOR) flaw that can allow root execution of native code.

Each of these four CVEs carries a CVSS score of 9.1. In November 2025, SolarWinds had already addressed three other Serv-U vulnerabilities (CVE-2025-40549, CVE-2025-40548, CVE-2025-40547), and back in July 2024 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28995 to its Known Exploited Vulnerabilities (KEV) catalog. According to CISA, Serv-U is a file transfer server used for secure file exchanges over FTP, FTPS, SFTP and HTTP/S.


Article by CyberSIXT