Security Advisory: Critical SolarWinds ServU Vulnerabilities

Written by Integrity360 | Feb 25, 2026 3:20:38 PM

SolarWinds has released urgent patches for four critical vulnerabilities affecting ServU 15.5. All flaws are rated CVSS 9.1 and can allow an attacker with sufficient privileges to execute arbitrary code as root, potentially taking full control of affected systems. The issues are resolved in ServU version 15.5.4.

Although these vulnerabilities require administrative or high privileges to exploit, ServU remains a historically attractive target for threat actors, including ransomware operators and state aligned intrusion groups. The widespread use of ServU for secure file transfer, combined with the high number of internetexposed servers, greatly increases the potential impact.

Affected Product

SolarWinds ServU File Transfer Software

Versions impacted: ServU 15.5 (prior to 15.5.4)
Fixed in: ServU 15.5.4, released February 24, 2026
Upgrade ServU to 15.5.4 without delay.
This release fully addresses all four critical vulnerabilities.
Audit accounts with domain admin / group admin rights
Rotate credentials for privileged users
Enforce MFA on all admin accounts
Review which ServU services are internet facing
Restrict external connectivity where possible
Place ServU behind a reverse proxy or VPN boundary
Monitor for unusual admin user creation
Track suspicious root-level process execution
Enable file integrity monitoring for ServU directories
Ensure ServU logs are centralized and monitored
Alert on changes to user accounts or configuration files

ServU supports FTP, FTPS, SFTP, and HTTP/S, and is widely integrated in secure file exchange workflows.

SolarWinds ServU Critical Vulnerabilities (February 2026)

CVE	Type of Vulnerability	Impact / What Attackers Can Do	Privilege Required
CVE202540538	Broken Access Control	Allows attacker to create system admin accounts and execute arbitrary code as root	High privileges (domain admin / group admin)
CVE202540539	Type Confusion	Enables execution of arbitrary native code as root	High privileges
CVE202540540	Type Confusion	Enables execution of arbitrary native code as root	High privileges
CVE202540541	Insecure Direct Object Reference (IDOR)	Allows triggering operations that lead to root level native code execution	High privileges

Mitigation & Recommended Actions

1. Patch Immediately

Upgrade ServU to 15.5.4 without delay.
This release fully addresses all four critical vulnerabilities.

2. Review Administrative Privileges

Because exploitation requires high-level access:

Audit accounts with domain admin / group admin rights
Rotate credentials for privileged users
Enforce MFA on all admin accounts

3. Reduce External Exposure

Review which ServU services are internet facing
Restrict external connectivity where possible
Place ServU behind a reverse proxy or VPN boundary

4. Increase Monitoring

Even though no current exploitation is observed, organisations should:

Monitor for unusual admin user creation
Track suspicious root-level process execution
Enable file integrity monitoring for ServU directories

5. Validate Logging and Alerting

Ensure ServU logs are centralised and monitored
Alert on changes to user accounts or configuration files

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.

View full post