- SolarWinds fixed four critical Serv-U bugs rated 9.1/10
- The bugs allowed arbitrary code to be executed; no exploitation has been observed so far
- Managed file transfer tools remain high-value targets
SolarWinds Serv-U, a popular file transfer solution for enterprise users, contained multiple high-severity vulnerabilities that allowed hackers to execute arbitrary code on the underlying system, the company warned.
In a recently published security advisory, SolarWinds detailed the flaws and released a patch to fix them.
The four defects received a severity rating of 9.1/10 (critical). They include a “broken access control RCE flaw” tracked as CVE-2025-40538, two type confusion RCE flaws (CVE-2025-40540 and CVE-2025-40539), and a “direct reference to unsafe object RCE flaw,” tracked as CVE-2025-40541.
No exploitation observed yet
SolarWinds credited its internal security team with finding the flaws and said all four were fixed in version 15.5.4, urging all customers to update immediately.
In a statement shared with The Registry, the company said there is no evidence that these flaws have been abused in the wild: “We have not observed exploitation. We remain committed to monitoring the situation, working closely with customers and partners to ensure issues are resolved quickly. SolarWinds continues to prioritize rapid resolution of CVEs to ensure the security and integrity of our software,” the company told the publication.
At the time of publication, the vulnerabilities were also not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
However, managed file transfer solutions have always been a major target for cyberattacks and, in multiple cases in the past, have been at the center of major hacking events.
Perhaps the most famous is the MOVEit fiasco, when in late May 2023, Russian Cl0p ransomware operators abused a critical zero-day. By the end of the year and into early 2024, investigations and aggregated breach data showed that more than 2,700 organizations worldwide were affected by the attack.
A few months earlier, the same group attacked GoAnywhere, another managed file transfer solution, reportedly compromising 130 companies.




