Monday, November 24, 2025

SolarWinds has released a security update addressing three critical vulnerabilities in its Serv-U File Transfer Solution that could allow attackers to execute arbitrary code remotely (Remote Code Execution – RCE). All vulnerabilities affect Serv-U version 15.5.2.2.102 and have been fixed in version 15.5.3.
Details of the patched vulnerabilities include:
- CVE-2025-40549 (CVSS 9.1): A Path Restriction Bypass vulnerability that could allow attackers with administrative privileges to direct the system to execute code within targeted directories.
- CVE-2025-40548 (CVSS 9.1): A Broken Access Control issue caused by insufficient validation, enabling attackers with admin privileges to execute code they have staged on the system.
- CVE-2025-40547 (CVSS 9.1): A Logic Error vulnerability that could lead to arbitrary code execution. On Windows systems, the severity of some of these issues is rated lower (Medium) because most services run under accounts with restricted permissions.
SolarWinds strongly urges all organizations using Serv-U to update to the latest version immediately to reduce the risk of exploitation, as all three vulnerabilities are classified as critical and could lead to full system compromise if an attacker possesses the necessary access.
Source: https://securityaffairs.com/184916/security/solarwinds-addressed-three-critical-flaws-in-serv-u.html
