SolarWinds Fixes 4 Critical Serv-U Flaws Enabling Root Remote Code Execution
SolarWinds patches four CVSS 9.1 vulnerabilities in Serv-U 15.5, preventing unauthenticated attackers from achieving root-level remote code execution.
SolarWinds Addresses Critical Serv-U Vulnerabilities with Root RCE Risk
SolarWinds has released security updates to mitigate four critical vulnerabilities in its Serv-U 15.5 file transfer software. If exploited, these flaws could allow unauthenticated attackers to achieve root-level remote code execution (RCE) on affected systems. All four vulnerabilities carry a CVSS score of 9.1, indicating severe risk.
Technical Details
The vulnerabilities, disclosed by SolarWinds on February 10, 2026, include:
- CVE-2025-40538: A broken access control flaw enabling attackers to create a system admin user and execute arbitrary code with elevated privileges.
- Three additional CVEs (details pending) with similar impact, all leading to unauthenticated RCE.
These flaws affect Serv-U 15.5 and earlier versions, with patches available in Serv-U 15.5.1 and later. SolarWinds has not reported active exploitation in the wild but urges immediate updates.
Impact Analysis
Successful exploitation could grant attackers:
- Full system control via root-level access.
- Unauthorized file transfers, data exfiltration, or malware deployment.
- Lateral movement within compromised networks.
Given Serv-U’s widespread use in enterprise environments, these vulnerabilities pose a high risk to organizational security, particularly for entities handling sensitive data.
Recommendations
Security teams should:
- Apply patches immediately (Serv-U 15.5.1 or later).
- Audit Serv-U deployments for signs of compromise.
- Restrict network access to Serv-U instances where updates are delayed.
- Monitor for unusual admin account creation or unauthorized file transfers.
For more details, refer to SolarWinds’ official advisory.