
Critical SolarWinds Serv-U Flaws Grant Root Server Access

Summary

– SolarWinds has patched four critical remote code execution vulnerabilities in its Serv-U file transfer software, the most severe being CVE-2025-40538.
– These flaws allow attackers with existing high privileges to gain root or admin permissions and execute arbitrary code on vulnerable servers.
– Exploitation is limited as attackers must already have high-privilege access, requiring chained vulnerabilities or stolen credentials.
– Thousands of Serv-U servers are exposed online, making them attractive targets for accessing sensitive corporate and customer data.
– Serv-U has a history of being exploited, including recent attacks in 2024, and CISA currently tracks nine actively exploited SolarWinds flaws.

SolarWinds has issued crucial security updates to address four critical vulnerabilities within its Serv-U file transfer software. These flaws, if left unpatched, could allow attackers to execute remote code and gain complete administrative control over affected servers. This software is widely used by organizations for secure file exchanges via protocols like FTP, SFTP, and HTTP/S, making it a high-value target for cybercriminals seeking sensitive data.

The most severe issue, identified as CVE-2025-40538, involves a broken access control mechanism. An attacker with existing high-level privileges could exploit this flaw to create a new system administrator account and run arbitrary commands with root or admin permissions. SolarWinds described the vulnerability as enabling code execution via compromised domain or group admin rights.

Alongside this critical flaw, the company resolved two type confusion vulnerabilities and an Insecure Direct Object Reference (IDOR) weakness. Each of these can also be leveraged to achieve code execution with the highest level of server privileges. A significant mitigating factor is that all four security flaws require the attacker to already possess high-privilege access on the target system. This necessity likely confines exploitation to scenarios involving stolen credentials or chained attacks that escalate privileges from a lower initial foothold.

Assessments of how many Serv-U instances are directly accessible from the internet vary. One public monitoring service indicates over 12,000, while another cybersecurity organization estimates the number is closer to 1,200. Regardless of the exact figure, exposed file transfer servers remain attractive targets due to the sensitive corporate and customer data they often handle.

Historically, Serv-U vulnerabilities have drawn attention from sophisticated threat actors. Notably, the Clop ransomware gang exploited a previous flaw, CVE-2021-35211, to breach corporate networks. Around the same time, a Chinese state-sponsored group tracked as DEV-0322 used the same vulnerability in zero-day attacks targeting U.S. defense and software firms. More recently, in mid-2024, researchers observed active exploitation of another Serv-U path-traversal bug, CVE-2024-28995, using publicly available proof-of-concept code.

The persistent targeting of this software is reflected in broader government advisories. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) currently lists nine different SolarWinds security flaws that have been actively exploited in attacks, underscoring the importance of prompt patching for all affected Serv-U installations. Administrators are strongly urged to apply the latest updates immediately to secure their file transfer infrastructure.

(Source: Bleeping Computer)
