{"id":7246,"date":"2026-02-25T02:47:17","date_gmt":"2026-02-25T02:47:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7246"},"modified":"2026-02-25T02:47:17","modified_gmt":"2026-02-25T02:47:17","slug":"new-serv-u-bugs-extend-solarwinds-run-of-high-severity-disclosures","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7246","title":{"rendered":"New Serv-U bugs extend SolarWinds\u2019 run of high-severity disclosures"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>SolarWinds continues to be besieged by security issues, this time in its Serv-U managed file transfer server.<\/p>\n<p>The software company has released four patches for critical Serv-U remote code execution (RCE) vulnerabilities that could allow attackers to gain root (administrator) access to unpatched servers. These four common vulnerabilities and exposures (CVEs) are rated \u201ccritical,\u201d the highest severity score.<\/p>\n<p>These should be treated as \u201chigh-urgency patch events,\u201d said <a href=\"https:\/\/www.sans.org\/profiles\/ensar-seker\" target=\"_blank\" rel=\"noopener\">Ensar Seker<\/a>, CISO at SOCRadar. \u201cWhen you are talking about pre-authentication RCE with potential root-level access, you are effectively talking about full system compromise.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Flaws let attackers execute arbitrary code<\/h2>\n<p>Serv-U is the SolarWinds self-hosted file transfer tool designed for Windows and Linux. 
It has managed file transfer (MFT) and file transfer protocol (FTP) capabilities that allow enterprises to exchange files via FTPS, SFTP, and HTTP\/S.<\/p>\n<p>The patched vulnerabilities are:<\/p>\n<p><a href=\"https:\/\/www.solarwinds.com\/trust-center\/security-advisories\/cve-2025-40538\" target=\"_blank\" rel=\"noopener\">CVE-2025-40538<\/a>: The most severe of the four, this broken access control vulnerability gives attackers the ability to create a system admin user and execute arbitrary code. They can gain root domain and group admin privileges.<\/p>\n<p><a href=\"https:\/\/www.solarwinds.com\/trust-center\/security-advisories\/cve-2025-40539\" target=\"_blank\" rel=\"noopener\">CVE-2025-40539<\/a> and <a href=\"https:\/\/www.solarwinds.com\/trust-center\/security-advisories\/cve-2025-40540\" target=\"_blank\" rel=\"noopener\">CVE-2025-40540<\/a>: These \u201ctype confusion\u201d vulnerabilities trick programs into performing unintended behaviors, thus allowing attackers to access a system and execute malicious code as root or as a privileged account.<\/p>\n<p><a href=\"https:\/\/www.solarwinds.com\/trust-center\/security-advisories\/cve-2025-40541\" target=\"_blank\" rel=\"noopener\">CVE-2025-40541<\/a>: Also a broken access control vulnerability that gives threat actors the ability to execute native code as root or as a privileged account.<\/p>\n<p>It\u2019s important to note that, to exploit any of these flaws, attackers would have to have already obtained admin or privileged access on targeted servers.<\/p>\n<p>However, if <a href=\"https:\/\/www.csoonline.com\/article\/4136276\/the-rise-of-the-evasive-adversary.html\" target=\"_blank\" rel=\"noopener\">threat actors<\/a> are able to exploit unpatched Serv-U instances, they can execute arbitrary commands, deploy malware, create new privileged accounts, disable security tooling, and pivot laterally into the broader environment, noted SOCRadar\u2019s Seker.<\/p>\n<p>Serv-U is particularly at risk because 
it is, by design, an externally facing file transfer solution. \u201cMany organizations expose it to the internet for partners, vendors, and customers,\u201d said Seker. That \u201cdramatically increases\u201d the attack surface.<\/p>\n<p>Attackers could potentially exfiltrate sensitive files, manipulate transferred data, implant backdoors, and use the server as a \u201cstaging point for ransomware.\u201d The blast radius further expands in environments where Serv-U is integrated with Active Directory or internal storage systems, Seker pointed out.<\/p>\n<p>\u201cAt that point, it is no longer a file transfer issue,\u201d he said. \u201cIt becomes a domain-wide incident response scenario.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Not a \u2018patch when convenient\u2019 situation<\/h2>\n<p>Security leaders should respond with \u201curgency and discipline,\u201d said Seker. Immediately patch to the latest version, review whether Serv-U is internet-exposed, validate access controls, check logs for signs of exploitation, and rotate associated credentials. If they suspect exploitation, enterprises should \u201cassume full compromise\u201d of the host and perform a thorough forensic review.<\/p>\n<p>\u201cThis is not a \u2018patch when convenient\u2019 update; it is a \u2018patch and verify\u2019 situation,\u201d said Seker.<\/p>\n<p>Beyond patching, anyone using Serv-U must go back and check logs to see if they\u2019ve already lost data, advised <a href=\"https:\/\/www.beauceronsecurity.com\/blog\/tag\/David+Shipley\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a> of Beauceron Security.<\/p>\n<p>RCE is \u201csuper bad news\u201d for these file transfer tools, he noted, pointing out that the MOVEit breach was one of the largest data breaches in recent years.<\/p>\n<p>\u201cRoot access equals game over,\u201d he said. 
\u201cThese kinds of tools are used to move highly sensitive personally identifiable information, financial information, medical information.\u201d<\/p>\n<h2 class=\"wp-block-heading\">SolarWinds a favored hacker target<\/h2>\n<p>SolarWinds continues to be a favorite target for attackers; in late January, <a href=\"https:\/\/www.csoonline.com\/article\/4124030\/solarwinds-again-critical-rce-bugs-reopen-old-wounds-for-enterprise-security-teams.html\" target=\"_blank\" rel=\"noopener\">the company patched six<\/a> authentication bypass and RCE vulnerabilities in its Web Help Desk (WHD) IT software. Four of these were rated critical.<\/p>\n<p>Previously, the company addressed a <a href=\"https:\/\/www.csoonline.com\/article\/4061929\/solarwinds-fixes-web-help-desk-patch-bypass-for-actively-exploited-flaw-again.html\" target=\"_blank\" rel=\"noopener\">second patch bypass<\/a> for a WHD RCE flaw flagged a year prior by the US Cybersecurity and Infrastructure Security Agency (CISA).<\/p>\n<p>This recurrence of cybersecurity issues is partly due to visibility, noted Seker. SolarWinds products are widely deployed across both enterprise and government environments, making them \u201chigh-value targets\u201d for criminal and nation-state actors.<\/p>\n<p>\u201cThe more critical the software\u2019s role in infrastructure, the more aggressively it will be researched and attacked,\u201d he said.<\/p>\n<p>But these repeated critical flaws reinforce a broader lesson, he noted: vendors that operate in privileged network positions must maintain \u201cextremely mature\u201d secure development lifecycles and perform \u201caggressive\u201d third-party security testing.<\/p>\n<p>\u201cTrust in infrastructure software is earned continuously,\u201d said Seker, \u201cnot once.\u201d<\/p>\n<p>The bigger takeaway, though, is that organizations cannot rely solely on vendor reputation. 
Every single externally exposed service, especially one capable of handling authentication and file transfers, should be treated as potentially exploitable, Seker noted. This requires continuous external attack surface monitoring, virtual patching via a web application firewall (WAF) where applicable, strict network segmentation, and zero-trust access controls.<\/p>\n<p>\u201cThe question is not whether critical vulnerabilities will appear again \u2014 they will \u2014 but whether the organization can detect, patch, and contain them before adversaries do,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>SolarWinds continues to be besieged by security issues, this time in its Serv-U managed file transfer server. The software company has released four patches for critical Serv-U remote code execution (RCE) vulnerabilities that could allow attackers to gain root (administrator) access to unpatched servers. These four common vulnerabilities and exposures (CVEs) are rated \u201ccritical,\u201d the 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7247,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7246"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7246"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7246\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7247"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}