Patch these 4 critical, make-me-root SolarWinds bugs ASAP


If you run SolarWinds’ Serv-U, you should patch promptly. Four critical vulnerabilities in the file transfer software can allow attackers to execute code as root.

The four flaws, all of which earned a 9.1 CVSS rating, include a broken access control vulnerability (CVE-2025-40538), two type confusion bugs (CVE-2025-40540 and CVE-2025-40539), and an Insecure Direct Object Reference (IDOR) issue (CVE-2025-40541), all of which can lead to remote code execution (RCE).

The most serious of the four, CVE-2025-40538, "gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges," according to the vendor's security advisory.

Updating to the latest version, Serv-U 15.5.4, patches all four security holes.

In a statement to The Register, SolarWinds said, "We are aware of the reported issues and successfully addressed them as part of the Serv-U 15 ...


Copyright of this story solely belongs to theregister.co.uk.