File transfer servers are meant to securely move sensitive data, but a new batch of critical vulnerabilities in SolarWinds Serv-U threatens to hand over complete system control to attackers instead. SolarWinds has disclosed four distinct Remote Code Execution (RCE) flaws, all carrying a critical CVSS score of 9.1.
The vulnerabilities—addressed in the newly released Serv-U 15.5.4—span multiple classes of software flaws, including Broken Access Control, Type Confusion, and Insecure Direct Object Reference (IDOR). If exploited, every single one of these flaws provides an attacker with the ability to execute arbitrary native code as the highly privileged root user.
Perhaps the most alarming of the group is CVE-2025-40538. This broken access control vulnerability provides a direct path to total system domination by allowing attackers to escalate their privileges to the highest level.
According to the release notes, “A broken access control vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges.”
By allowing an attacker to artificially mint their own system administrator credentials, this flaw bypasses traditional perimeter defenses and grants persistent, highly privileged access.
The remaining three vulnerabilities are equally critical, offering alternative routes to root-level remote code execution:
- CVE-2025-40539 & CVE-2025-40540 (Type Confusion): These two separate vulnerabilities stem from memory safety issues. Type confusion occurs when the application operates on data as though it were a different type than it actually is; here, exploitation lets an attacker execute arbitrary native code as root.
- CVE-2025-40541 (IDOR): An Insecure Direct Object Reference vulnerability. While IDOR flaws most commonly lead to unauthorized data exposure, this specific implementation failure within Serv-U escalates to full remote code execution as root.
Because managed file transfer (MFT) solutions like Serv-U are frequently exposed directly to the public internet to facilitate external file sharing, they are prime, high-value targets for initial access brokers and ransomware operators.
The fixes for all four of these critical CVEs are bundled in SolarWinds Serv-U 15.5.4. Administrators utilizing Serv-U in their environments are strongly urged to apply this update immediately to close these dangerous pathways to root access.
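As a quick inventory check, here is an added example (not from the advisory or from SolarWinds) that parses Serv-U version strings, whether from an asset inventory field or the server's FTP greeting banner, and flags any build older than the fixed 15.5.4 release. The banner format and the sample records are assumptions constructed for this example.

```python
import re

# Release that bundles the fixes for CVE-2025-40538 through CVE-2025-40541.
FIXED_VERSION = (15, 5, 4)

# Matches "Serv-U ... 15.5.4" or "Serv-U ... v15.4.1.0"; the banner layout is
# an assumption made for this example, not a documented Serv-U format.
_VERSION_RE = re.compile(r"Serv-U[^\d]*v?(\d+(?:\.\d+){1,3})", re.IGNORECASE)


def parse_version(text):
    """Return the Serv-U version as a 3-tuple, or None if not recognised."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad/trim to three components so "15.5" compares as 15.5.0.
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(text):
    """True if the version predates 15.5.4, False if fixed, None if unknown."""
    ver = parse_version(text)
    if ver is None:
        return None
    return ver < FIXED_VERSION


def triage(records):
    """Split (host, text) records into (needs_patch, patched, unparsed)."""
    needs_patch, patched, unparsed = [], [], []
    for host, text in records:
        verdict = is_vulnerable(text)
        if verdict is None:
            unparsed.append(host)
        elif verdict:
            needs_patch.append(host)
        else:
            patched.append(host)
    return needs_patch, patched, unparsed


# Constructed sample records: (hostname, banner or inventory string).
SAMPLE_RECORDS = [
    ("mft-01", "220 Serv-U FTP Server v15.4.2 ready..."),
    ("mft-02", "220 Serv-U FTP Server v15.5.4 ready..."),
    ("mft-03", "SolarWinds Serv-U 15.5"),
    ("mft-04", "220 vsFTPd 3.0.3"),
]

if __name__ == "__main__":
    need, ok, unknown = triage(SAMPLE_RECORDS)
    print("Needs Serv-U 15.5.4:", need, "| fixed:", ok, "| unrecognised:", unknown)
```

Hosts in the unrecognised bucket still need a manual version check, since a banner that omits the version is not evidence that the host is patched.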