SolarWinds has issued updates to address three critical vulnerabilities in its Serv-U file transfer software. If left unpatched, these flaws could allow an attacker with administrator-level access to execute arbitrary code on the underlying server.
What’s Affected
- Products: Serv-U Managed File Transfer, Serv-U File Server
- Patched Version: 15.5.3 (released November 18, 2025)
- Vulnerabilities: CVE-2025-40547, CVE-2025-40548, CVE-2025-40549
- Severity: Critical (CVSS 9.1)
Why This Matters
Although exploitation requires valid administrator credentials, an attacker who obtains them through credential theft, brute-force attempts, or other compromises could gain full control of the system. From there, they could deploy malware, access or exfiltrate sensitive data, or use the compromised server as a foothold into the rest of the network.
Organizations with internet-exposed Serv-U instances should treat this as particularly urgent.
Indicators of Compromise (IOCs)
Host & File System
- Newly created or unexpected executable files or scripts in the Serv-U installation path (C:\Program Files\SolarWinds\Serv-U\ or Linux equivalents)
- New or modified webshells, unusual DLL/JAR changes, or unexpected scheduled tasks/services
- Unexplained configuration changes or suspicious files in upload directories
Processes & Network
- Serv-U spawning unusual child processes
- Outbound connections from the Serv-U host to unknown external IPs or domains
- Large or unexpected file transfers originating from the Serv-U server
Logs & Authentication
- Unusual administrative logins (e.g., from unfamiliar IPs or accounts)
- Repeated failed login attempts or unexpected privilege escalations
- Administrative activity outside normal business hours
Example Hunt Queries
- EDR:
- Identify child processes spawned by the Serv-U service
- Search for persistence mechanisms such as registry entries or scheduled tasks
- List files created or modified in the Serv-U directory within the last N days
- Network:
- List outbound connections from the Serv-U host and check reputation
- Look for large or unusual data transfers to or from the Serv-U server
- SIEM:
- Check authentication logs for unusual login attempts or brute-force patterns
Recommended Actions
- Update to Serv-U 15.5.3 immediately.
- Rotate all Serv-U administrative credentials and enforce strong authentication (MFA where possible).
- Limit external exposure by placing Serv-U behind VPNs or secure gateways.
- Monitor logs closely for signs of unusual admin or process activity.
- Review and exercise your incident response plan if compromise is suspected.
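The hunt queries and the log-monitoring recommendation above can be turned into simple detection logic. The following is an added example, not code from SolarWinds or from this bulletin: it runs over constructed sample events (the field layout, the process name Serv-U.exe, the admin IP allowlist and the business-hours window are all assumptions) and flags brute-force runs, admin logins from unknown IPs or outside business hours, and the Serv-U service spawning shells.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the "timestamp user src_ip result" layout is an
# assumption for this example, not Serv-U's actual log format.
AUTH_EVENTS = [
    "2025-11-19T02:14:05 admin 203.0.113.7 FAIL",
    "2025-11-19T02:14:09 admin 203.0.113.7 FAIL",
    "2025-11-19T02:14:12 admin 203.0.113.7 FAIL",
    "2025-11-19T02:14:15 admin 203.0.113.7 FAIL",
    "2025-11-19T02:14:18 admin 203.0.113.7 FAIL",
    "2025-11-19T02:14:21 admin 203.0.113.7 SUCCESS",
    "2025-11-19T10:30:00 admin 10.0.5.12 SUCCESS",
]
# Constructed (parent, child) process pairs as an EDR feed would report them.
PROC_EVENTS = [
    ("Serv-U.exe", "cmd.exe"),
    ("Serv-U.exe", "powershell.exe"),
    ("explorer.exe", "notepad.exe"),
]
KNOWN_ADMIN_IPS = {"10.0.5.12"}      # assumption: your admin jump hosts
BUSINESS_HOURS = range(8, 18)        # assumption: 08:00-17:59 local time
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}

def hunt_auth(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (finding, src_ip, timestamp) tuples for the SIEM-style hunts."""
    findings = []
    failures = defaultdict(list)     # src_ip -> timestamps of failed logins
    for line in events:
        ts_s, user, ip, result = line.split()
        ts = datetime.fromisoformat(ts_s)
        if result == "FAIL":
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) == fail_threshold:   # fire once when threshold is hit
                findings.append(("brute_force", ip, ts_s))
        elif result == "SUCCESS":
            if ip not in KNOWN_ADMIN_IPS:
                findings.append(("unknown_admin_ip", ip, ts_s))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("off_hours_admin_login", ip, ts_s))
            if any(ts - t <= window for t in failures[ip]):
                findings.append(("success_after_failures", ip, ts_s))
    return findings

def hunt_processes(events):
    """Return (parent, child) pairs where the Serv-U service spawned a shell."""
    return [(p, c) for p, c in events
            if p.lower() == "serv-u.exe" and c.lower() in SUSPICIOUS_CHILDREN]
```

Feed the same two functions your real authentication log and EDR process telemetry after adapting the parsing to their actual field layout.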
Key Takeaway
If you’re running Serv-U, apply the update without delay. Treat these vulnerabilities as a high-priority risk and verify that your environment is properly secured and monitored.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
