SolarWinds has issued patches for four critical-severity flaws in its Serv-U file transfer appliance, tracked as CVE-2025-40538 through CVE-2025-40541. Each carries a CVSS score of 9.1 and allows remote code execution in Serv-U version 15.5.
According to the company, CVE-2025-40538 is a broken access control issue that could allow an attacker to create a system admin user and run arbitrary code with elevated privileges. CVE-2025-40539 and CVE-2025-40540 are type confusion flaws that enable code execution with elevated privileges, and CVE-2025-40541 is an insecure direct object reference bug that leads to native code execution in a privileged context.
Exploitation of all four requires administrative privileges on the vulnerable Serv-U instance, and SolarWinds notes that on Windows deployments the risk is medium because services often run under less-privileged accounts. All four CVEs were fixed in Serv-U version 15.5.4, and users are advised to update promptly, as threat actors are known to target SolarWinds bugs in attacks. According to SolarWinds, there is no disclosed evidence of exploitation in the wild.
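The practical follow-up to an advisory like this is confirming which Serv-U instances are still below the fixed release. The script below is an added example, not SolarWinds' code or tooling; it assumes installed versions are reported as dotted numeric strings (as in "15.5" and "15.5.4" above), treats any build older than 15.5.4 as unpatched (a conservative assumption, since the advisory only names 15.5 as affected), and uses a constructed host inventory. It also shows why versions must be compared as integer tuples rather than strings, and carries the vendor's Windows note through as a prioritisation hint rather than a reason to skip the update.

```python
import re
from typing import Iterable, List, Tuple

# Fixed release named in the advisory summary above.
FIXED_VERSION = "15.5.4"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '15.5.4' into a tuple of ints.

    Integer tuples compare correctly: (15, 5, 10) > (15, 5, 4), whereas the
    strings '15.5.10' and '15.5.4' compare the wrong way round because '1' < '4'.
    Missing trailing components are padded with zeros so '15.5' == '15.5.0'.
    """
    cleaned = version.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in cleaned.split("."))
    return parts + (0,) * (3 - len(parts))


def is_unpatched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release.

    Assumption: every build below the fixed release is treated as unpatched.
    """
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Return one finding per host that still runs an unpatched build.

    Each inventory row is (hostname, platform, version). The platform is kept
    because the advisory rates Windows deployments as medium risk when the
    service runs under a less-privileged account; that only orders the
    patching queue, every flagged host still needs the update.
    """
    findings = []
    for host, platform, version in inventory:
        if is_unpatched(version):
            findings.append({
                "host": host,
                "platform": platform,
                "version": version,
                "priority": "medium" if platform.lower() == "windows" else "high",
            })
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("sftp-01.example.test", "Linux", "15.5"),
    ("sftp-02.example.test", "Windows", "15.5.2"),
    ("sftp-03.example.test", "Linux", "15.5.4"),
    ("sftp-04.example.test", "Linux", "15.5.10"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']:24} {finding['platform']:8} "
              f"{finding['version']:8} priority={finding['priority']}")
```

In a real environment the inventory would come from your CMDB or from querying each server's installed product version; the comparison and prioritisation logic stay the same.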