Thanks to vulnerabilities in the file transfer software Serv-U, attackers were able to execute remote code.
SolarWinds has released security updates for four critical vulnerabilities in its Serv-U file transfer software that could grant attackers root or admin privileges on unpatched servers.
Root access possible if exploited
The most severe vulnerability (CVE-2025-40538) affects Serv-U 15.5.4 and older, SolarWinds writes in a security advisory. It involves a broken access control issue that allows a high-privileged attacker to create a system administrator and execute arbitrary code in the root.
In addition, two Type Confusion errors and an Insecure Direct Object Reference (IDOR) vulnerability have been patched. In both cases, attackers can also execute remote code in the root, and all vulnerabilities received a severity score of 9.1 out of 10.
Thousands of servers accessible online
According to figures from ShadowServer, 1,166 servers are affected worldwide, with 733 of those in Europe. However, the impact in the Benelux is relatively limited: France leads with 40 affected servers, followed by the Netherlands with 34 and Luxembourg with 31. Belgium has only three. File transfer software is attractive to attackers because it often provides direct access to sensitive corporate and customer data.
SolarWinds advises companies to upgrade to version 15.5.4 or higher as soon as possible and to keep access permissions as restricted as possible.