SolarWinds has patched three critical vulnerabilities in its Serv-U file transfer software that could let attackers with administrative access run malicious code remotely.
These flaws, disclosed on November 18, 2025, affect versions up to 15.5.2 and each carries a CVSS score of 9.1.
The company released Serv-U 15.5.3 to fix them, urging users to update right away to avoid potential system takeovers.
Serv-U helps organizations manage secure file sharing over FTP, SFTP, and HTTP, often handling sensitive data in enterprise settings.
Attackers need valid admin credentials to exploit these issues. However, once inside, they can execute code in the service’s context, possibly escalating to complete server control.
The comparison to past SolarWinds incidents, such as the 2020 Orion supply chain compromise, is loose: that attack arrived through a trojanized build rather than an authenticated bug, but both underline why administrative access to SolarWinds products must be tightly controlled.
While exploitation requires prior access, experts note that stolen credentials obtained through phishing or weak passwords make these flaws particularly dangerous in real-world attacks.
Vulnerability Breakdown
The vulnerabilities stem from flaws in Serv-U’s core logic and controls, allowing admin users to bypass safeguards and inject code.
CVE-2025-40547 involves a logic error that allows admins to execute arbitrary commands remotely by improperly handling input.
For example, attackers could craft requests that trigger unintended code paths, running payloads without extra checks.
On Windows, the impact drops to medium because services often run under limited accounts, reducing the likelihood of privilege escalation.
CVE-2025-40548 arises from broken access controls due to missing validation in file operations.
This gap allows admins to abuse processes, like uploading or modifying files, to inject and run code directly on the server.
Without proper checks, the system is exposed to remote execution, potentially leaking data or installing malware.
CVE-2025-40549 is a path-traversal vulnerability that lets a request reach directories outside the user's configured home.
Admins can manipulate paths to write files or execute code outside home directories, exploiting how Serv-U handles traversal sequences like "../".
Again, Windows setups score this medium due to stricter path rules, but Linux deployments carry the full critical rating.
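As an added example, not code from SolarWinds or the Serv-U product, the block below puts the kind of path check that a path-restriction bypass of this class typically gets wrong beside a hardened version. It covers both the file-operation abuse described for CVE-2025-40548 (an upload landing outside the intended tree) and the "../" traversal described for CVE-2025-40549. The home directory, helper names and request strings are constructed for illustration and do not come from the advisory.

```python
"""Confine client-supplied file paths to a per-user home directory.

Added example. The home directory, function names and sample requests are
hypothetical; nothing here is Serv-U's own code.
"""
import posixpath
import urllib.parse
from typing import Optional

# Constructed example root for the user "alice" (assumed, not from the page).
HOME_ROOT = "/srv/files/home/alice"


def naive_is_safe(home: str, requested: str) -> bool:
    """Vulnerable pattern: strip '../' and compare the result as a string.

    It is defeated by URL encoding, backslashes, '....//' sequences and by
    sibling directories that merely share a string prefix with the home.
    """
    cleaned = requested.replace("../", "")
    return (home + "/" + cleaned).startswith(home)


def resolve_in_home(home: str, requested: str) -> Optional[str]:
    """Hardened check: decode, normalise separators, collapse '.' and '..'
    lexically, then require the result to remain under `home`.

    Returns the confined absolute path, or None when the request escapes.
    """
    decoded = urllib.parse.unquote(requested)
    # Clients on Windows send backslashes; treat them as separators so
    # '..\\..\\etc' cannot slip past a forward-slash-only filter.
    decoded = decoded.replace("\\", "/")
    # A NUL byte would truncate the path at the C level; reject outright.
    if "\0" in decoded:
        return None
    # The client path is always relative to the home, never absolute.
    joined = posixpath.normpath(posixpath.join(home, decoded.lstrip("/")))
    # commonpath is segment-aware: '/srv/files/home/alice2' is not inside
    # '/srv/files/home/alice' even though str.startswith would say it is.
    if posixpath.commonpath([home, joined]) != home:
        return None
    return joined


# Constructed requests an administrator-level attacker might send.
SAMPLE_REQUESTS = [
    "docs/report.txt",                 # legitimate
    "../../../../etc/passwd",          # plain traversal
    "..%2f..%2f..%2fetc%2fpasswd",     # URL-encoded separators
    "..\\..\\..\\etc\\passwd",         # Windows-style separators
    "....//....//etc/passwd",          # survives a single '../' strip
    "..%2Falice2/secret",              # sibling directory with shared prefix
    "docs/a\x00.txt",                  # NUL truncation
]


def compare(home: str = HOME_ROOT, requests=SAMPLE_REQUESTS):
    """Return {request: (naive_verdict, hardened_path_or_None)} for review."""
    return {r: (naive_is_safe(home, r), resolve_in_home(home, r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, hardened) in compare().items():
        print(f"{req!r:32} naive={naive!s:5} hardened={hardened}")
```

The hardened check is purely lexical so that it runs the same on any host; a deployed version should additionally resolve the final path with the real filesystem (realpath) so that a symlink planted inside the home cannot point back out of it. Note the "....//" case: the naive filter turns it into "../../etc/passwd" and waves it through, while the hardened version keeps "...." as a literal directory name under the home, which is harmless.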
Here’s a summary of the flaws:
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2025-40547 | SolarWinds Serv-U Logic Abuse – RCE | Logic error allows admin-level remote code execution via input mishandling. | 9.1 Critical | N/A |
| CVE-2025-40548 | SolarWinds Serv-U Broken Access Control – RCE | Missing validation enables admin to run arbitrary code through file ops. | 9.1 Critical | N/A |
| CVE-2025-40549 | SolarWinds Serv-U Path Restriction Bypass | Bypass lets admin execute code on unauthorized directories via path tricks. | 9.1 Critical | Maurice Moss |
These issues, classified as CWE-116 (improper encoding or escaping of output) for CVE-2025-40547 and CWE-22 (path traversal) for CVE-2025-40549, require admin privileges but become severe once chained with credential theft.
Patch Details and Security Advice
Serv-U 15.5.3, released November 18, 2025, resolves all three CVEs through code fixes and enhanced validations.
Download it from the SolarWinds site or customer portal, and follow the upgrade guides for smooth installation.
The update also adds support for Ed25519 keys for stronger SSH authentication, extends IP blocking to guest file shares to slow brute-force attacks, and turns on safer defaults, such as account lockouts after repeated failed logins.
Other improvements include HSTS for the HTTPS interface, upload size limits to mitigate denial-of-service attacks, and an upgrade to Angular 19 for the web front end.
To stay safe, organizations should patch immediately, especially if Serv-U is exposed to the internet.
Limit admin accounts, enforce multi-factor authentication, and monitor logs for suspicious activity, such as unusual file writes.
Regular audits of privileges and network segmentation can block initial access vectors.
SolarWinds thanks researcher Maurice Moss for responsibly reporting CVE-2025-40549.
With end-of-life for older versions, such as 15.5, in October 2026, migrating to the latest build is essential for long-term protection.
These patches underscore the ongoing battle against software flaws in file transfer tools, where even admin-only bugs pose serious threats.