Patch these 4 critical, make-me-root SolarWinds bugs ASAP
Summary
If you run SolarWinds Serv-U, patch immediately. Four critical vulnerabilities (all rated 9.1 CVSS) — CVE-2025-40538 (broken access control), CVE-2025-40540 and CVE-2025-40539 (type confusion bugs), and CVE-2025-40541 (IDOR) — can lead to remote code execution and allow attackers to gain root or create a system administrator account. SolarWinds has released Serv-U 15.5.4 to address all four issues. The vendor reports no observed exploitation so far and is monitoring the situation; CISA has not yet added these CVEs to its Known Exploited Vulnerabilities catalogue.
Key Points
- Four Serv-U flaws scored 9.1 CVSS can result in remote code execution and elevation to root.
- CVE-2025-40538 is the most serious: it can let an attacker create a system admin user and execute code as a privileged account.
- The set comprises a broken access control issue, two type confusion bugs, and an Insecure Direct Object Reference (IDOR).
- Serv-U 15.5.4 contains the fixes — administrators should upgrade as soon as possible.
- All four vulnerabilities require administrative privileges to be abused; nevertheless, file‑transfer products are high‑value targets because they store and move sensitive files.
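The one concrete action in this summary is "are you on 15.5.4 yet?". Below is an added example, not code from The Register or from SolarWinds, that takes version banners from an inventory and reports which hosts are still below the fixed release. The hostnames and banners are constructed, the dotted numeric version format is an assumption, and the check treats anything below 15.5.4 as unpatched because that is the fixed version the summary names (the page does not state the exact affected range).

```python
"""Flag Serv-U hosts still below the fixed release 15.5.4.

Added example; not vendor code. Assumes version strings are dotted numbers
such as "15.5.3" or "15.5.3.12" (format is an assumption, not from the page).
"""
from __future__ import annotations

import re

FIXED_VERSION = "15.5.4"  # fixed release named in the advisory summary
ADVISORY_CVES = (
    "CVE-2025-40538",  # broken access control
    "CVE-2025-40539",  # type confusion
    "CVE-2025-40540",  # type confusion
    "CVE-2025-40541",  # IDOR
)


def parse_version(text: str) -> tuple[int, ...]:
    """Pull the first dotted numeric version out of free text like 'Serv-U 15.5.3'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Numeric comparison (so 15.5.10 > 15.5.4), padding shorter tuples with zeros."""
    current, target = parse_version(version), parse_version(fixed)
    width = max(len(current), len(target))
    current += (0,) * (width - len(current))
    target += (0,) * (width - len(target))
    return current >= target


def assess_inventory(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts into patched / vulnerable / unknown by their version banner."""
    report: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, banner in hosts.items():
        try:
            bucket = "patched" if is_patched(banner) else "vulnerable"
        except ValueError:
            bucket = "unknown"  # no parseable version: needs a manual look
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "ftp-01.example.test": "Serv-U 15.5.3",
        "ftp-02.example.test": "Serv-U 15.5.4",
        "ftp-03.example.test": "Serv-U 15.4.2.126",
        "ftp-04.example.test": "Serv-U (version unavailable)",
    }
    result = assess_inventory(sample)
    for status, names in result.items():
        for name in names:
            print(f"{status:10s} {name}")
    if result["vulnerable"]:
        print("Unpatched hosts are exposed to:", ", ".join(ADVISORY_CVES))
```

Because all four issues need an administrative account to abuse, a version check alone is not the whole picture: pair it with a review of who holds Serv-U admin rights and watch for unexpected new administrator accounts, which is the outcome the summary singles out for CVE-2025-40538.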
Why should I read this?
Short and blunt: if you run Serv-U, this affects you. These are high‑severity, make‑me‑root bugs that attackers love because of the sensitive data flowing through file‑transfer servers. Patch now — we’ve done the reading so you don’t have to hunt down the CVEs and the fixed version.
Source
Source: https://www.theregister.com/2026/02/24/patch_these_4_critical_makemeroot/
