Vulnerability Management, Patch/Configuration Management

Multiple critical SolarWinds Serv-U bugs addressed

SolarWinds has issued fixes for four critical vulnerabilities in its self-hosted Serv-U file transfer software for Windows and Linux. The flaws could be weaponized to enable remote code execution, according to The Register.

The most severe of the bugs is a broken access control issue, tracked as CVE-2025-40538, which could enable the creation of a system admin user and arbitrary code execution as a privileged account. The other defects are a pair of type confusion flaws, tracked as CVE-2025-40539 and CVE-2025-40540, and an insecure direct object reference vulnerability, tracked as CVE-2025-40541. While no active exploitation of any of the flaws has been observed, organizations using Serv-U have been urged to immediately update to version 15.5.4 of the software.

"We remain committed to monitoring the situation, working closely with customers and partners to ensure issues are resolved quickly. SolarWinds continues to prioritize the swift resolution of CVEs to ensure the security and integrity of our software," said the firm.
