thehackernews.com 2/25/2026, 8:56:04 AM · via preferred

SolarWinds fixes Serv-U file transfer RCE flaws that require admin privileges

CyberSIXT Evidence Panel
Primary Source: solarwinds.com
CISA KEV: Not in KEV
Patch: Patch Available
Threat Actor: 🇨🇳 TiltedTemple

According to SolarWinds, four critical security flaws in its Serv-U file transfer software (version 15.5) could lead to remote code execution. The issues, all rated 9.1 on the CVSS scale, are CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, and CVE-2025-40541, and they range from broken access control to type confusion and insecure direct object references.

SolarWinds notes that exploitation requires administrative privileges and that the risk is medium on Windows deployments because the services often run under less-privileged accounts by default. The company states that these flaws affect Serv-U 15.5 and have been addressed in version 15.5.4. Previous vulnerabilities in the software have been exploited by malicious actors, including a China-based hacking group tracked as Storm-0322 (formerly DEV-0322).

Article by CyberSIXT