SolarWinds Releases Patches for Four Critical Serv-U Vulnerabilities That Could Lead to Root Compromise

Thursday, February 25, 2026

SolarWinds has released security updates addressing four critical vulnerabilities in its Serv-U file transfer software, which supports the FTP, FTPS, SFTP, and HTTP/S protocols. Serv-U is widely used by organizations to exchange large files both internally and externally. If left unpatched, the vulnerabilities could allow attackers to achieve remote code execution (RCE) and escalate privileges to root level on affected servers.

The first vulnerability, CVE-2025-40538 (CVSS 9.1), is a Broken Access Control issue. An attacker who already holds high-level privileges (domain admin or group admin rights) could exploit this flaw to create a system administrator account and execute arbitrary code with root privileges. Two additional vulnerabilities, CVE-2025-40540 and CVE-2025-40539 (both CVSS 9.1), are classified as Type Confusion flaws. These could be exploited to execute native code with root privileges, enabling full server compromise. The fourth vulnerability, CVE-2025-40541 (CVSS 9.1), is an Insecure Direct Object Reference (IDOR) issue that may also lead to root-level code execution and complete system takeover.

In November 2025, SolarWinds addressed three other critical Serv-U vulnerabilities that could similarly result in remote code execution. Organizations using Serv-U are strongly advised to apply the latest patches immediately to reduce the risk of exploitation and unauthorized system compromise.

Source: https://securityaffairs.com/188454/hacking/solarwinds-patches-four-critical-serv-u-flaws-enabling-root-access.html