SolarWinds continues to be besieged by security issues, this time in its Serv-U managed file transfer server.
The software company has released four patches for critical Serv-U remote code execution (RCE) vulnerabilities that could allow attackers to gain root (administrator) access to unpatched servers. These four common vulnerabilities and exposures (CVEs) are rated “critical,” the highest severity score.
These should be treated as “high-urgency patch events,” said Ensar Seker, CISO at SOCRadar. “When you are talking about pre-authentication RCE with potential root-level access, you are effectively talking about full system compromise.”
Flaws let attackers execute arbitrary code
Serv-U is the SolarWinds self-hosted file transfer tool designed for Windows and Linux. It has managed file transfer (MFT) and file transfer protocol (FTP) capabilities that allow enterprises to exchange files via FTPS, SFTP, and HTTP/S.
The patched vulnerabilities are:
CVE-2025-40538: The most severe of the four, this broken access control vulnerability gives attackers the ability to create a system admin user and execute arbitrary code. They can gain root domain and group admin privileges.
CVE-2025-40539 and CVE-2025-40540: These “type confusion” vulnerabilities trick programs into performing unintended behaviors, thus allowing attackers to access a system and execute malicious code as root or as a privileged account.
CVE-2025-40541: Also a broken access control vulnerability that gives threat actors the ability to execute native code as root or as a privileged account.
It’s important to note that, to exploit any of these flaws, attackers would have to have already obtained admin or privileged access on targeted servers.
However, if threat actors are able to exploit unpatched Serv-U instances, they can execute arbitrary commands, deploy malware, create new privileged accounts, disable security tooling, and pivot laterally into the broader environment, noted SOCRadar’s Seker.
Serv-U is particularly at risk because it is, by design, an externally facing file transfer solution. “Many organizations expose it to the internet for partners, vendors, and customers,” said Seker. That “dramatically increases” the attack surface.
Attackers could potentially exfiltrate sensitive files, manipulate transferred data, implant backdoors, and use the server as a “staging point for ransomware.” The blast radius further expands in environments where Serv-U is integrated with Active Directory or internal storage systems, Seker pointed out.
“At that point, it is no longer a file transfer issue,” he said. “It becomes a domain-wide incident response scenario.”
Not a ‘patch when convenient’ situation
Security leaders should respond with “urgency and discipline,” said Seker. Immediately patch to the latest version, review whether Serv-U is internet-exposed, validate access controls, check logs for signs of exploitation, and rotate associated credentials. If they suspect exploitation, enterprises should “assume full compromise” of the host and perform a thorough forensic review.
“This is not a ‘patch when convenient’ update, it is a ‘patch and verify’ situation,” said Seker.
Beyond patching, anyone using Serv-U must go back and check logs to see if they’ve already lost data, advised David Shipley of Beauceron Security.
RCE is “super bad news” for these file transfer tools, he noted, pointing out that MOVEit was one of the largest data breaches in recent years.
“Root access equals game over,” he said. “These kinds of tools are used to move highly sensitive personal identifiable information, financial information, medical information.”
SolarWinds a favored hacker target
SolarWinds continues to be a favorite target for attackers; in late January, the company patched six critical authentication bypass and RCE vulnerabilities in its Web Help Desk (WHD) IT software. Four of these were rated critical.
Previously, the company addressed a second patch bypass for a WHD RCE flaw flagged a year prior by the US Cybersecurity and Infrastructure Security Agency (CISA).
This recurrence of cybersecurity issues is partly due to visibility, noted Seker. SolarWinds products are widely deployed across both enterprise and government environments, making them “high-value targets” for criminal and nation-state actors.
“The more critical the software’s role in infrastructure, the more aggressively it will be researched and attacked,” he said.
But these types of repeated critical flaws reinforce a broader lesson, he noted: Vendors that operate in privileged network positions must maintain “extremely mature” secure development lifecycles and perform “aggressive” third-party security testing.
“Trust in infrastructure software is earned continuously,” said Seker, “not once.”
The bigger takeaway, though, is that organizations cannot rely solely on vendor reputation. Every single externally exposed service, especially when capable of handling authentication and file transfers, should be treated as potentially exploitable, Seker noted. This requires continuous external attack surface monitoring, virtual patching via web application firewall (WAF) where applicable, strict network segmentation, and zero-trust access controls.
“The question is not whether critical vulnerabilities will appear again — they will — but whether the organization can detect, patch, and contain them before adversaries do,” he said.