- SolarWinds fixed four critical Serv-U bugs rated 9.1/10
- Bugs allowed arbitrary code execution; no exploitation observed so far
- Managed file transfer tools remain valuable targets

SolarWinds Serv-U, a popular file transfer solution for business users, contained several serious vulnerabilities that allowed hackers to execute arbitrary code on the underlying system, the company has warned.
In a recently released security advisory, SolarWinds described the flaws and released a patch to fix them.
All four bugs were given a severity rating of 9.1/10 (Critical). They include a “Broken Access Control RCE bug” tracked as CVE-2025-40538, two type confusion RCE bugs (CVE-2025-40540 and CVE-2025-40539), and an “Insecure Direct Object Reference RCE bug” tracked as CVE-20415-4025-4025-4025.
No exploitation yet
SolarWinds credited its internal security team with finding the bugs and said all four were fixed in version 15.5.4, urging all customers to upgrade immediately.
In a statement shared with The Register, the company said there is no evidence that these flaws are being exploited in the wild: “We have not observed exploitation. We remain committed to monitoring the situation and are working closely with customers and partners to ensure that issues are resolved quickly. SolarWinds continues to prioritize the rapid resolution of CVEs to ensure the security and integrity of our software,” the company told the publication.
At press time, the vulnerabilities cannot be found in CISA’s Known Exploited Vulnerabilities (KEV) catalog either.
However, managed file transfer solutions have always been a major target for cyber-attacks and have in several cases been at the center of major hacking events in the past.
Perhaps the most famous is the MOVEit fiasco, when Russian ransomware operators Cl0p abused a critical zero-day in late May 2023. By the end of the year and into early 2024, investigations and aggregated breach data showed that more than 2,700 organizations worldwide were affected by the attack.
A few months earlier, the same group targeted GoAnywhere, another managed file transfer solution, allegedly compromising 130 companies.



