Published on February 24, 2026
Critical SolarWinds Serv-U Flaws Offer Root Access to Servers
SolarWinds has issued security updates addressing four critical remote code execution (RCE) vulnerabilities affecting its Serv-U file transfer software. If left unpatched, these flaws could allow attackers to gain root-level access to impacted servers.
Serv-U is a self-hosted file transfer solution for Windows and Linux environments, offering Managed File Transfer (MFT) and FTP server capabilities. It enables organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S protocols.
The most critical vulnerability, tracked as CVE-2025-40538, was resolved in Serv-U version 15.5.4. According to SolarWinds, this flaw stems from broken access control and could allow attackers with elevated privileges to create a system administrator account and execute arbitrary code with root-level permissions through domain or group admin access.
| CVE ID | Vulnerability Type | Impact | CVSS Score |
|---|---|---|---|
| CVE-2025-40538 | SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability | A broken access control vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges. | 9.1 Critical |
| CVE-2025-40540 | SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability | A type confusion vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to execute arbitrary native code as root. | 9.1 Critical |
| CVE-2025-40539 | SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability | A type confusion vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to execute arbitrary native code as root. | 9.1 Critical |
| CVE-2025-40541 | SolarWinds Serv-U Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability | An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to execute native code as root. | 9.1 Critical |
In addition to this issue, SolarWinds patched:
- Two type confusion vulnerabilities
- One Insecure Direct Object Reference (IDOR) vulnerability
All three could potentially be exploited to achieve code execution with root privileges.
Importantly, exploitation of these vulnerabilities requires attackers to already possess high-level access to the targeted system. As a result, successful attacks would likely depend on chaining privilege escalation flaws or leveraging previously compromised administrative credentials.
Exposure levels vary across monitoring platforms. Shodan reports more than 12,000 internet-facing Serv-U servers, while Shadowserver estimates the number to be under 1,200.
File transfer platforms such as SolarWinds Serv-U are frequent targets for cyberattacks because they often store or transmit sensitive corporate and customer data.
Historically, Serv-U has been exploited by both cybercriminal and state-sponsored groups. The Clop ransomware gang previously leveraged a Serv-U Secure FTP vulnerability (CVE-2021-35211) to infiltrate corporate networks.
Affected Products
These vulnerabilities affect SolarWinds Serv-U.
Recommendation
Organizations using Serv-U are strongly advised to update to the latest patched version and review access controls to mitigate potential risks.
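As an added example (not from SolarWinds or the original article), a Python check that flags Serv-U inventory entries below the fixed version 15.5.4 named above; the hostnames and version strings are constructed, and the four CVEs are treated as sharing that one fix threshold as the article states.

```python
import re
from typing import Iterable

# Fix version given in the advisory for CVE-2025-40538; the other three CVEs
# are stated to be patched alongside it, so a single threshold is used here.
PATCHED_VERSION = (15, 5, 4)

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn strings such as '15.5.4', 'v15.5.3.2' or 'Serv-U 15.4.2' into an
    integer tuple so '15.10' sorts above '15.5' (a plain string comparison
    would wrongly put 15.10 below 15.5)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version: str) -> bool:
    """True when the reported version is 15.5.4 or later."""
    return parse_version(version) >= PATCHED_VERSION


def unpatched_hosts(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return the hostnames whose Serv-U version predates the fix."""
    return [host for host, ver in inventory if not is_patched(ver)]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "Serv-U 15.5.4"),
    ("mft-02.example.internal", "15.5.3"),
    ("mft-03.example.internal", "v15.4.2.126"),
    ("mft-04.example.internal", "15.10.0"),  # hypothetical later release
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```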