SolarWinds has released urgent patches for four critical vulnerabilities affecting Serv-U 15.5. All flaws are rated CVSS 9.1 and can allow an attacker with sufficient privileges to execute arbitrary code as root, potentially taking full control of affected systems. The issues are resolved in Serv-U version 15.5.4.

Although these vulnerabilities require administrative or high privileges to exploit, Serv-U remains a historically attractive target for threat actors, including ransomware operators and state-aligned intrusion groups. The widespread use of Serv-U for secure file transfer, combined with the high number of internet-exposed servers, greatly increases the potential impact.

Affected Product

SolarWinds Serv-U File Transfer Software

  • Versions impacted: Serv-U 15.5 (prior to 15.5.4)
  • Fixed in: Serv-U 15.5.4, released February 24, 2026

Serv-U supports FTP, FTPS, SFTP, and HTTP/S, and is widely integrated in secure file exchange workflows.

SolarWinds Serv-U Critical Vulnerabilities (February 2026)

| CVE | Type of Vulnerability | Impact / What Attackers Can Do | Privilege Required |
|---|---|---|---|
| CVE-2025-40538 | Broken Access Control | Allows attacker to create system admin accounts and execute arbitrary code as root | High privileges (domain admin / group admin) |
| CVE-2025-40539 | Type Confusion | Enables execution of arbitrary native code as root | High privileges |
| CVE-2025-40540 | Type Confusion | Enables execution of arbitrary native code as root | High privileges |
| CVE-2025-40541 | Insecure Direct Object Reference (IDOR) | Allows triggering operations that lead to root-level native code execution | High privileges |

Mitigation & Recommended Actions

1. Patch Immediately

  • Upgrade Serv-U to 15.5.4 without delay.
  • This release fully addresses all four critical vulnerabilities.

2. Review Administrative Privileges

Because exploitation requires high-level access:

  • Audit accounts with domain admin / group admin rights
  • Rotate credentials for privileged users
  • Enforce MFA on all admin accounts

3. Reduce External Exposure

  • Review which Serv-U services are internet-facing
  • Restrict external connectivity where possible
  • Place ServU behind a reverse proxy or VPN boundary

4. Increase Monitoring

Even though no current exploitation is observed, organisations should:

  • Monitor for unusual admin user creation
  • Track suspicious root-level process execution
  • Enable file integrity monitoring for Serv-U directories

5. Validate Logging and Alerting

  • Ensure Serv-U logs are centralised and monitored
  • Alert on changes to user accounts or configuration files

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

 
