SolarWinds has issued an urgent security update for its Serv-U file transfer software, patching three critical remote code execution (RCE) vulnerabilities, each rated CVSS 9.1. These flaws could allow attackers with administrative access to execute arbitrary code and compromise vulnerable systems. The fixes are included in Serv-U version 15.5.3, released on November 18, 2025, and administrators are strongly advised to update immediately to mitigate potential exploitation.
Vulnerability Details
| CVE-ID | Vulnerability Type | CVSS Score | Exploit Prerequisites |
|---|---|---|---|
| CVE-2025-40547 | Logic Abuse – Remote Code Execution | 9.1 Critical | Administrative privileges required |
| CVE-2025-40548 | Broken Access Control – Remote Code Execution | 9.1 Critical | Administrative privileges required |
| CVE-2025-40549 | Path Restriction Bypass | 9.1 Critical | Administrative privileges required |
CVE-2025-40547: Logic Error Leading to Remote Code Execution (CVSS 9.1)
The first flaw, CVE-2025-40547, stems from a logic error within Serv-U’s internal functions. When exploited, an attacker with administrative privileges can leverage the issue to execute arbitrary code on the server, potentially gaining full control of the affected instance.
CVE-2025-40548: Broken Access Control Enabling RCE (CVSS 9.1)
The second vulnerability, CVE-2025-40548, is caused by insufficient access validation, allowing a privileged attacker to trigger remote code execution. According to SolarWinds, a lack of proper validation checks could enable a malicious admin user to run arbitrary commands. While the issue requires administrative access to exploit, the risk is lower on Windows systems, as services typically operate with reduced-privilege accounts, resulting in a medium severity rating on Windows deployments.
CVE-2025-40549: Path Restriction Bypass Resulting in Code Execution (CVSS 9.1)
The third bug, CVE-2025-40549, involves a path restriction bypass, allowing an attacker with admin rights to execute code within a targeted directory. SolarWinds notes that exploitation requires administrative privileges; however, similar to CVE-2025-40548, the severity is lower on Windows environments, due to differences in how paths and home directories are managed, which reduces the overall impact.
Impact
- Security Bypass
- Code Execution
- Gain Access
Affected Products
SolarWinds Serv-U 15.5.2.2.102
Mitigation & Remediation
- Patch Immediately: Upgrade Serv-U immediately to version 15.5.3 or later.
- Review Administrative Access Controls: Audit all Serv-U admin accounts to confirm they use strong, unique credentials, and enable multi-factor authentication (MFA) wherever supported. Routinely evaluate user roles and permissions to ensure they follow the principle of least privilege.
- Monitor for Anomalous Behavior: Enable comprehensive logging and actively monitor your Serv-U environment for irregular activity, such as unusual login attempts, unexpected transfers, or unauthorized processes that deviate from normal usage patterns.
- Strengthen Network Segmentation: Where feasible, place the Serv-U server in a dedicated network segment to reduce exposure and limit an attacker’s ability to pivot across systems if compromise occurs.
- Maintain Secure Backup Practices: Regularly create and store protected backups of your Serv-U configurations and critical data to support rapid restoration and minimize downtime in the event of a breach.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.