SolarWinds has released security updates addressing three critical vulnerabilities in Serv-U—its managed file transfer and FTP server platform—each carrying a CVSS score of 9.1 and enabling remote code execution (RCE) when abused by an authenticated administrator. All three flaws affect Serv-U prior to version 15.5.3, and SolarWinds urges customers to update immediately.
The first flaw, CVE-2025-40547, stems from a logic error that can be triggered after an attacker gains administrator privileges within Serv-U.
The advisory explains the core issue: “A logic error vulnerability exists in Serv-U… [that] could give a malicious actor with access to admin privileges the ability to execute code.”
While the vulnerability is rated Critical (CVSS 9.1), SolarWinds notes that the severity is lower for Windows environments due to typical privilege separation: “On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.”
The second flaw, CVE-2025-40548, involves missing validation within Serv-U’s authorization logic.
SolarWinds writes: “A missing validation process exists in Serv-U, which when abused, could give a malicious actor with access to admin privileges the ability to execute code.”
Like the previous issue, attackers must already possess admin rights—but once they do, they can exploit the flaw to run arbitrary code on the server.
The third vulnerability, CVE-2025-40549, allows attackers to bypass directory path restrictions and execute code in unauthorized directories.
SolarWinds warns: “A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory.”
The severity score remains Critical (9.1), though Windows systems again see reduced impact due to OS-level path handling differences: “On Windows systems, this scored as medium due to differences in how paths and home directories are handled.”
SolarWinds credits researcher Maurice Moss for reporting the flaw.
Organizations using Serv-U FTP Server or Serv-U Managed File Transfer Server are affected if they have not upgraded to version 15.5.3.
SolarWinds advises customers to upgrade immediately, noting that all three vulnerabilities are fully patched in Serv-U 15.5.3. Older versions remain vulnerable and should be retired or updated as soon as possible.
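A fleet check for the affected-version condition described above, as an added example (not SolarWinds' code): it compares Serv-U version strings numerically rather than lexically, so that a hypothetical 15.5.10 is not misranked below 15.5.3, and flags hosts below the fixed release together with the platform-dependent rating quoted in the advisory. The hostnames, versions and platforms in the inventory are constructed sample data.

```python
"""Flag Serv-U installs older than the fixed release 15.5.3.

Added example, not SolarWinds' code. The inventory is constructed sample data.
"""
from typing import Tuple

FIXED_VERSION = "15.5.3"  # release that patches all three CVEs
CVES = ("CVE-2025-40547", "CVE-2025-40548", "CVE-2025-40549")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a tuple of ints.

    Plain string comparison would rank "15.5.10" below "15.5.3" because
    '1' < '3'; numeric tuples compare correctly. Short versions are padded
    so "15.5" compares as 15.5.0.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def severity_for(platform: str) -> str:
    """Rating per the advisory: Critical (CVSS 9.1) overall, but SolarWinds
    scores Windows deployments as medium (privilege separation and
    path/home-directory handling differences)."""
    return "medium" if platform.lower() == "windows" else "critical"


def triage(inventory):
    """Return (host, version, platform, severity) for affected hosts only."""
    return [
        (host, version, platform, severity_for(platform))
        for host, version, platform in inventory
        if is_affected(version)
    ]


# Constructed sample inventory; hostnames, versions and platforms are made up.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "15.4.2", "linux"),
    ("mft-02.example.internal", "15.5.3", "windows"),
    ("mft-03.example.internal", "15.5.10", "windows"),  # not affected; string compare would flag it
    ("ftp-legacy.example.internal", "15.3", "windows"),
]

if __name__ == "__main__":
    for host, version, platform, sev in triage(SAMPLE_INVENTORY):
        print(f"{host}: Serv-U {version} ({platform}) affected by {', '.join(CVES)} "
              f"[{sev}] -> upgrade to {FIXED_VERSION}")
```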