Overview
- Four CVEs (CVE-2025-40538 through CVE-2025-40541), each rated CVSS 9.1, allow code execution as root or another privileged account; one of them is a broken access control flaw that can be used to create a new system administrator.
- The other three are two type confusion bugs and one insecure direct object reference. All four affect Serv-U 15.5 and all are fixed in version 15.5.4.
- Exploitation requires existing administrative access to Serv-U, so the main risk is from stolen admin credentials or an attacker chaining these bugs onto an earlier intrusion. The impact is lower on Windows, where the Serv-U service is often run with reduced privileges rather than as a highly privileged account.
- SolarWinds reports no observed exploitation to date and urges customers to update immediately to Serv-U 15.5.4.
- Exposure estimates vary widely: Shodan finds more than 12,000 internet-facing Serv-U servers, while Shadowserver counts fewer than 1,200. CISA tracks SolarWinds issues, but these four CVEs are not currently in its Known Exploited Vulnerabilities (KEV) catalog.