- SolarWinds fixed four critical Serv-U flaws, each rated 9.1/10
- Bugs allowed execution of arbitrary code; no exploitation observed so far
- Managed file transfer tools remain high-value targets
SolarWinds Serv-U, a file transfer solution popular with business users, contained several high-severity vulnerabilities that allowed hackers to execute arbitrary code on the underlying system, the company warned.
In a recently published security advisory, SolarWinds detailed the flaws and released a patch to address them.
All four flaws received a severity rating of 9.1/10 (critical). They include a “broken access control RCE flaw” tracked as CVE-2025-40538, two type confusion RCE flaws (CVE-2025-40540 and CVE-2025-40539), and an “insecure direct object reference RCE bug” tracked as CVE-2025-40541.
No exploitation yet
SolarWinds thanked its internal security team for discovering the flaws and said all four had been fixed in version 15.5.4, urging all customers to upgrade immediately.
In a statement shared with The Register, the company said there was no evidence of abuse of these vulnerabilities in the wild: “We have not observed exploitation. We remain committed to monitoring the situation, working closely with customers and partners to ensure issues are resolved quickly. SolarWinds continues to prioritize the rapid resolution of CVEs to ensure the security and integrity of our software,” the company told the publication.
As of press time, the vulnerabilities are also not listed in CISA’s Catalog of Known Exploited Vulnerabilities (KEV).
However, managed file transfer solutions have always been a major target of cyberattacks and have, on several occasions in the past, been at the center of major hacking events.
Perhaps the most famous is the MOVEit fiasco, when in late May 2023 Russian ransomware operators Cl0p abused a critical zero-day. By the end of the year and early 2024, cumulative breach investigations and data showed that more than 2,700 organizations worldwide had been impacted by the attack.
A few months earlier, the same group targeted GoAnywhere, another managed file transfer solution, allegedly compromising 130 companies.