Patch these 4 critical, make-me-root SolarWinds bugs ASAP

The Register
February 24, 2026
AI-Generated Deep Dive Summary
SolarWinds has identified four critical vulnerabilities in its Serv-U file transfer software that could allow attackers to execute code as root, potentially leading to system compromise. These flaws, each assigned a CVSS score of 9.1, include a broken access control issue (CVE-2025-40538), two type confusion bugs (CVE-2025-40540 and CVE-2025-40539), and an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2025-40541). The most severe of these, CVE-2025-40538, enables attackers to create a system admin user and execute arbitrary code with elevated privileges.

SolarWinds has released Serv-U 15.5.4 to address all four vulnerabilities and urges customers to update immediately. While none of the new CVEs have been added to CISA's Known Exploited Vulnerabilities list yet, the company has previously disclosed that similar Serv-U bugs were exploited in ransomware attacks. The software remains a high-value target because it is used to transfer sensitive enterprise data such as financial records and intellectual property, which makes it attractive to attackers seeking access to valuable assets within organizations.

SolarWinds emphasized its commitment to addressing security issues promptly, stating that it has not observed active exploitation of these specific flaws. However, the rapid disclosure and patching of vulnerabilities highlight the importance of staying updated with software patches to mitigate risks. The company also referenced
Originally published on The Register on 2/24/2026