Critical SolarWinds Serv-U flaws offer root access to servers

SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers.

Serv-U is the company’s self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S.

The most severe of the four security flaws patched by SolarWinds today in Serv-U 15.5.4 is tracked as CVE-2025-40538, and it allows attackers with high privileges to gain root or admin permissions on vulnerable servers.

“A broken access control vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges,” SolarWinds said in a Tuesday advisory.

The company also patched two type confusion flaws and an Insecure Direct Object Reference (IDOR) vulnerability that can be exploited to gain code execution with root privileges.

Luckily, all four security flaws require attackers to already have high privileges on the targeted servers, which will limit potential exploitation attempts to scenarios where attackers can chain privilege escalation vulnerabilities or use previously stolen admin credentials.

Shodan currently tracks over 12,000 Internet-exposed Serv-U servers, while Shadowserver estimates the number to be less than 1,200.

​File transfer software like SolarWinds Serv-U is often targeted in attacks because it provides easy access to documents that may contain sensitive corporate and customer data.

Over the last five years, multiple cybercrime and state-sponsored hacking groups have targeted Serv-U vulnerabilities in data theft attacks, with the Clop gang having exploited a Serv-U Secure FTP remote code execution vulnerability (CVE-2021-35211) to breach corporate networks in ransomware attacks.

China-based hackers (tracked by Microsoft as DEV-0322), known for primarily targeting U.S. defense and software companies, also deployed CVE-2021-35211 exploits in zero-day attacks starting in July 2021.

More recently, in June 2024, cybersecurity companies Rapid7 and GreyNoise flagged a SolarWinds Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited by threat actors who used publicly available proof-of-concept (PoC) exploits.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking nine SolarWinds security flawsthat have either been or are still actively being exploited in the wild.

The future of IT infrastructure is here

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide