SolarWinds Patches Three Critical Serv-U Vulnerabilities


SolarWinds this week announced patches for three critical vulnerabilities found in its Serv-U enterprise file transfer solution. 

One of the flaws, tracked as CVE-2025-40549, has been described as a path restriction bypass issue that can be exploited by a threat actor with administrator privileges to execute arbitrary code on a directory.

The vendor pointed out that on Windows systems the vulnerability has a ‘medium severity’ rating due to “differences in how paths and home directories are handled”.

The second vulnerability is CVE-2025-40548, a broken access control issue that can be exploited by an attacker with admin privileges to execute arbitrary code.

The third flaw, CVE-2025-40547, is a logic error that can be exploited for code execution by an attacker with admin permissions.

For both CVE-2025-40547 and CVE-2025-40548, SolarWinds noted that their severity rating is ‘medium’ on Windows because services often run by default under less-privileged accounts.

The three security holes ...


Copyright of this story solely belongs to SecurityWeek.