Blog Trainings Request a Demo Login
Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | SolarWinds Serv-U 15.5.4 Fixes Four Privileged RCE Vulnerabilities
Table Of Content
Related Articles
SOCRadar® Cyber Intelligence Inc. | CVE-2026-20253: CISA Warns of Actively Exploited Splunk Enterprise RCE
CVE-2026-20253: CISA Warns of Actively Exploited Splunk Enterprise RCE
Jun 19, 2026
SOCRadar® Cyber Intelligence Inc. | CVE-2026-42530 & CVE-2026-42055: F5 Patches NGINX Vulnerabilities
CVE-2026-42530 & CVE-2026-42055: F5 Patches NGINX Vulnerabilities
Jun 19, 2026
SOCRadar® Cyber Intelligence Inc. | SOCRadar Launches Free FortiBleed Exposure Checker and Publishes the Most Extensive Dataset on the Fortinet Credential Leak
SOCRadar Launches Free FortiBleed Exposure Checker and Publishes the Most Extensive Dataset on the Fortinet Credential Leak
Jun 17, 2026
SOCRadar® Cyber Intelligence Inc. | FortiSandbox Vulnerabilities Expose Systems to Auth Bypass and Command Execution
FortiSandbox Vulnerabilities Expose Systems to Auth Bypass and Command Execution
Jun 17, 2026
SOCRadar® Cyber Intelligence Inc. | May 2026: TeamPCP's Supply Chain Blitz Hits Checkmarx, GitHub, and npm
May 2026: TeamPCP's Supply Chain Blitz Hits Checkmarx, GitHub, and npm
Jun 16, 2026
Free Dark Web Report
Is your Domain/Email Exposed?
Feb 25, 2026
5 Mins Read
Moon

SolarWinds Serv-U 15.5.4 Fixes Four Privileged RCE Vulnerabilities

SolarWinds has released Serv-U 15.5.4 to address four high-impact vulnerabilities affecting Serv-U 15.5. While these issues require administrative privileges to exploit, they can ultimately lead to privileged native code execution. Organizations running vulnerable versions should act quickly to patch and review administrative access.

This article explains what CVE-2025-40538 through CVE-2025-40541 in SolarWinds Serv-U enable, which environments face the highest risk, and what security teams should do next.

What Are the Latest SolarWinds Serv-U Vulnerabilities?

SolarWinds patched four distinct vulnerabilities in Serv-U 15.5, all carrying CVSS score of 9.1. Although they involve different bug classes, they share a common outcome: an attacker with high privileges can execute native code in a privileged context.

CVE-2025-40538: Improper Privilege Management

This vulnerability stems from broken access control. An attacker with sufficient privileges can create a system administrator account and use that access to execute arbitrary code at a privileged or root level.

The ability to create new administrative users makes this issue especially sensitive from both prevention and detection perspectives.

Details of CVE-2025-40538 (SOCRadar Vulnerability Intelligence)

Details of CVE-2025-40538 (SOCRadar Vulnerability Intelligence)

CVE-2025-40539 and CVE-2025-40540: Type Confusion Vulnerabilities

Both vulnerabilities involve type confusion flaws. An attacker with administrative access can exploit these weaknesses to trigger arbitrary native code execution in a privileged context.

Although exploitation requires high privileges, successful abuse allows reliable operating system-level payload execution.

CVE-2025-40541: Authorization Bypass via IDOR

This issue resembles an Insecure Direct Object Reference (IDOR) vulnerability. By manipulating a user-controlled key, an attacker with sufficient privileges can bypass authorization checks and achieve native code execution as a privileged or root-level account.

What Are the Affected and Fixed Versions?

  • Affected version: SolarWinds Serv-U 15.5
  • Fixed version: Serv-U 15.5.4 (released February 24, 2026)

If you operate Serv-U 15.5, you should consider your environment exposed until you upgrade to 15.5.4 and confirm the update completed successfully across all nodes and components.

Why Admin-Required RCE Still Poses Serious Risk

All four vulnerabilities require high privileges (PR:H). In practice, this means an attacker needs valid Serv-U administrative credentials or an existing privileged foothold.

However, this requirement does not eliminate risk. Administrative credentials are common targets for phishing, password reuse attacks, credential stuffing, and post-compromise lateral movement.

If attackers obtain admin access, these vulnerabilities can help them:

  • Execute operating system–level payloads beyond application controls
  • Establish persistence through services, scheduled tasks, or startup entries
  • Extract sensitive data from the host or connected storage
  • Use the Serv-U server as a pivot point for lateral movement

Why CVE-2025-40538 Deserves Extra Attention

CVE-2025-40538 explicitly enables system administrator account creation. That capability increases both the impact and the detection surface.

Security teams should treat unexpected administrator creation events as high-priority alerts. Monitoring changes to administrative roles and privileges can help identify misuse before deeper compromise occurs.

Is There Evidence of Active Exploitation?

At the time of writing:

  • SolarWinds has not reported observed in-the-wild exploitation.
  • There are no widely confirmed reports of active exploitation.
  • No broadly distributed public Proof-of-Concept (PoC) exploit has been reported.

Still, the absence of public exploitation does not justify delay. Patch releases often attract researcher and attacker attention, especially when vulnerabilities enable privileged code execution.

SOCRadar’s Vulnerability Intelligence

SOCRadar’s Vulnerability Intelligence

Don’t wait for attackers; see risk before they do. SOCRadar’s Cyber Threat Intelligence helps you:

  • Detect unpatched Serv-U assets running older versions
  • Monitor internet-reachable services tied to sensitive workflows
  • Prioritize remediation based on real exposure risk
  • Correlate potential credential compromise with high-risk admin access paths

Leverage continuous vulnerability intelligence, asset context scoring, and threat signals so you can patch smart, not just fast.

Which Environments Face Higher Exposure?

Your risk increases if any of the following conditions apply:

  • Serv-U is internet-facing, particularly administrative interfaces
  • Administrative accounts lack MFA or strong access controls
  • The organization has a history of credential exposure or weak password policies
  • Serv-U supports managed file transfer processes tied to sensitive or regulated systems

Because exploitation requires administrative access, the key question becomes: How difficult would it be for an attacker to obtain or reuse Serv-U admin credentials in your environment?

What Security Teams Should Do Now

  1. Upgrade to Serv-U 15.5.4 Immediately

Apply the patch as a priority action. Do not treat this as optional hardening.

After upgrading, verify that all instances and components reflect the updated version.

  1. Restrict Administrative Access

Limit administrative interface exposure to:

  • Trusted internal networks
  • VPN-only access paths
  • Dedicated management segments

Implement MFA wherever possible and review conditional access controls.

  1. Hunt for Suspicious Administrative Activity

Prioritize investigation of:

  • Newly created Serv-U administrator accounts
  • Unexpected privilege escalations
  • Unusual login times or unfamiliar source IP addresses
  • Geo-impossible login patterns
  1. Rotate Credentials If Exposure Is Suspected

If you detect suspicious administrative behavior, reset credentials immediately. Invalidate active sessions and review upstream identity providers if Serv-U integrates with centralized authentication.

  1. Patch and Verify

Adopt a “patch and verify” model. Confirm the update applied successfully everywhere, validate access controls, and maintain enhanced monitoring until you rule out pre-patch compromise.