SolarWinds has released Serv-U 15.5.4 with patches for multiple critical vulnerabilities as well as feature parity improvements in File Share amongst other updates.
Serv-U is commonly deployed in managed file transfer contexts, which often sit close to sensitive data paths and identity systems. Critical RCE conditions in that posture warrant high urgency—especially for internet-exposed instances.
SolarWinds says Serv-U 15.5.4 brings back download history in File Share (previously available in the older web client prior to 15.5.2) and adds time display alongside “Last Modified” entries for improved auditing and usability.
Four critical vulnerabilities were fixed, each rated 9.1 (Critical). The release also adds feature improvements and support for Ubuntu 24.04 LTS on Linux.
They include:
- CVE-2025-40538 — broken access control leading to remote code execution, where exploitation can enable creation of a system admin user and arbitrary code execution as root via domain/group admin privileges.
- CVE-2025-40540 and CVE-2025-40539 — type confusion vulnerabilities enabling arbitrary native code execution as root.
- CVE-2025-40541 — an insecure direct object reference (IDOR) vulnerability enabling native code execution as root.
Users and organizations running Serv-U should upgrade to 15.5.4, prioritizing any environment exposed to the public internet or partner networks.
Admins should validate admin role assignments and review recent admin creation events (especially if you suspect exposure to access control bypass conditions).
If you can't upgrade immediately, reduce exposure by restricting access to trusted networks and ensure monitoring of authentication events and privileged actions.