SolarWinds Serv-U: Privileged RCE flaws patched in 15.5.4


1. Executive Summary

On 24 February 2026, SolarWinds released Serv-U 15.5.4 to remediate four critical (CVSS 9.1) vulnerabilities that can enable remote code execution as root/administrator in Serv-U environments where an attacker already holds high-privilege access (for example, domain admin or group admin privileges). (documentation.solarwinds.com)

Defenders should treat this as a high-priority patch for any Serv-U instance exposed to untrusted networks, and assume these vulnerabilities may be chained with credential theft, admin compromise, or privilege escalation to achieve server-level execution. (documentation.solarwinds.com)


2. Contextual Background

2.1 Nature of the threat

SolarWinds’ Serv-U 15.5.4 release addresses four CVEs, CVE-2025-40538, CVE-2025-40539, CVE-2025-40540 and CVE-2025-40541, covering broken access control, type confusion and IDOR weaknesses that lead to privileged code execution.

SolarWinds’ release notes and the corresponding NVD records indicate these issues require administrative privileges to abuse (CVSS vectors show PR:H), but can still yield root/admin execution once invoked. (documentation.solarwinds.com)

2.2 Threat-actor attribution

There is no public attribution linking these February 2026 CVEs to a specific actor at the time of writing. (documentation.solarwinds.com)

However, Serv-U has a documented history of exploitation in targeted operations. Microsoft reported 0-day exploitation of CVE-2021-35211 in Serv-U in limited and targeted attacks, attributing activity with high confidence to DEV-0322 (China-based), based on victimology and TTPs. Confidence: Confirmed (source-high). (Microsoft)

2.3 Sector and geographic targeting

Serv-U is positioned as self-hosted Windows and Linux file transfer software used to exchange files over common protocols (FTP/FTPS/SFTP/HTTP/S). File transfer infrastructure often becomes a high-value target because it typically brokers access to sensitive corporate and customer data, and is frequently internet-facing. (bleepingcomputer.com)

Microsoft’s reporting on prior Serv-U exploitation indicates targeted operations, including victimology consistent with China-nexus activity (DEV-0322). (Microsoft)


3. Technical Analysis

3.1 Vulnerability and likely attacker workflow (high level)

Across the four Serv-U 15.5.4 CVEs, the common operational outcome is code execution as a privileged account (root/administrator), but only after an attacker has obtained high privileges within Serv-U or the surrounding environment (for example, domain admin/group admin). (documentation.solarwinds.com)

Practical attacker workflows therefore tend to look like:

  1. Obtain privileged access (stolen admin credentials, compromised IdP, helpdesk/service account abuse, or other privilege escalation).
  2. Trigger the Serv-U flaw (broken access control, type confusion, or IDOR) to transition from “admin in the app” to native execution as root/admin on the host.
  3. Establish persistence and expand access (web shells, scheduled tasks/services, SSH keys, credential dumping).
  4. Data theft and/or ransomware in environments where Serv-U provides reach into sensitive repositories.

3.2 Exploitation status and PoC availability

  • SolarWinds’ release notes for 15.5.4 and the NVD entries do not state that these CVEs are known exploited. (documentation.solarwinds.com)
  • As a practical caution, public reporting notes Serv-U exposure on the internet at scale (counts vary by observer and change quickly), which can accelerate opportunistic targeting after patch publication. (bleepingcomputer.com)

4. Impact Assessment

4.1 Severity and scope

All four CVEs are scored CVSS 9.1 (Critical) in NVD (CNA: SolarWinds), with vectors indicating network reachability but requiring high privileges (PR:H). (nvd.nist.gov)

Impact if successfully abused includes:

  • Server-level code execution as root/administrator. (documentation.solarwinds.com)
  • Creation of privileged users (explicitly described for CVE-2025-40538), increasing the likelihood of durable persistence. (nvd.nist.gov)

4.2 Victim profile

Highest risk environments are those with:

  • Internet-exposed Serv-U (particularly where privileged accounts are reused, weakly protected, or federated). (bleepingcomputer.com)
  • Serv-U deployed in support of MFT workflows, external partner exchange, or customer document portals.

5. Threat Intelligence Contextualisation

5.1 Similar past incidents

Serv-U has previously been exploited in targeted attacks. Microsoft reported 0-day exploitation of CVE-2021-35211, attributed with high confidence to DEV-0322 (China-based). (Microsoft)

Serv-U also appeared in CISA’s known-exploited ecosystem through CVE-2024-28995 (path traversal), which is recorded as present in the CISA KEV catalogue. (nvd.nist.gov)

5.2 MITRE ATT&CK mapping (observed/likely behaviours)

Tactic               | Technique ID | Technique Name                          | Observed Behaviour
---------------------|--------------|-----------------------------------------|-------------------------------------------------------------------------------------------------------
Initial Access       | T1078        | Valid Accounts                          | High-privilege access is a prerequisite for exploiting the 15.5.4 CVEs (PR:H). (nvd.nist.gov)
Privilege Escalation | T1068        | Exploitation for Privilege Escalation   | Abuse of Serv-U flaws to achieve root/admin execution from privileged app access. (documentation.solarwinds.com)
Persistence          | T1136        | Create Account                          | CVE-2025-40538 explicitly enables creation of a system admin user. (nvd.nist.gov)
Execution            | T1059        | Command and Scripting Interpreter       | Post-exploitation execution on the Serv-U host following privileged code execution.
Collection           | T1005        | Data from Local System                  | Serv-U servers often broker access to sensitive stored files. (bleepingcomputer.com)

6. Mitigation Recommendations

6.1 Hardening steps

  • Restrict Serv-U administration interfaces to dedicated management networks or VPN, and enforce MFA for all privileged accounts.
  • Apply least privilege and remove shared admin credentials.
  • Implement alerting on:
    • new admin users
    • admin role changes
    • configuration changes on Serv-U
    • anomalous process execution on the Serv-U host
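The four alerting bullets above, turned into detection logic as an added example (not SolarWinds' or Serv-U's own code). The event feed is a constructed, simplified JSON audit/EDR stream, one object per line, and the Serv-U image names and admin role labels are assumptions to be mapped onto your own telemetry.

```python
"""Detection logic for the Serv-U alerting bullets (constructed example)."""
import json
import ntpath
import posixpath

# Assumed Serv-U process image names on Windows and Linux.
SERVU_IMAGES = {"serv-u.exe", "serv-u"}
# Interpreters a file-transfer daemon should never spawn on its own.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "python3", "perl"}
# Assumed role labels; CVE-2025-40538 is described as creating a system admin user.
ADMIN_ROLES = {"system_admin", "domain_admin", "group_admin"}

def basename(path):
    # Handle Windows and POSIX paths regardless of the host running the rule.
    return ntpath.basename(posixpath.basename(path)).lower()

def classify(event):
    """Return an alert name for one event, or None when it is benign."""
    kind = event.get("event")
    if kind == "user_created" and event.get("role") in ADMIN_ROLES:
        return "servu_new_admin_user"
    if kind == "role_changed" and event.get("new_role") in ADMIN_ROLES \
            and event.get("old_role") not in ADMIN_ROLES:
        return "servu_admin_role_grant"
    if kind == "config_changed":
        return "servu_config_change"
    if kind == "process_start" and basename(event.get("parent_image", "")) in SERVU_IMAGES \
            and basename(event.get("image", "")) in SUSPECT_CHILDREN:
        return "servu_spawned_interpreter"
    return None

def scan(lines):
    """Run classify() over JSON lines; return (alert, timestamp, actor) tuples."""
    alerts = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            name = classify(event)
            if name is not None:
                alerts.append((name, event.get("ts"), event.get("actor")))
    return alerts

# Constructed sample events: four should alert, two are benign noise.
SAMPLE_EVENTS = r"""
{"ts": "2026-02-25T09:01:10Z", "event": "user_created", "actor": "svc_mft", "user": "backup2", "role": "system_admin"}
{"ts": "2026-02-25T09:01:12Z", "event": "user_created", "actor": "svc_mft", "user": "partner01", "role": "user"}
{"ts": "2026-02-25T09:02:00Z", "event": "role_changed", "actor": "svc_mft", "user": "partner01", "old_role": "user", "new_role": "group_admin"}
{"ts": "2026-02-25T09:02:30Z", "event": "config_changed", "actor": "svc_mft", "setting": "http_listener"}
{"ts": "2026-02-25T09:03:05Z", "event": "process_start", "actor": "SYSTEM", "parent_image": "C:\\Program Files\\Serv-U\\Serv-U.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2026-02-25T09:03:06Z", "event": "process_start", "actor": "alice", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```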

6.2 Patch management advice

  • Upgrade to Serv-U 15.5.4 to remediate CVE-2025-40538/40539/40540/40541. (documentation.solarwinds.com)
  • Prioritise based on CVSS Critical (9.1) and exposure (internet-facing, privileged admin access patterns). (nvd.nist.gov)
  • EPSS: public EPSS scoring may lag newly published CVEs; if you operationalise EPSS, re-check once scores appear for these CVEs.
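A patch-triage helper as an added example (not SolarWinds' tooling) that applies the prioritisation above to a version inventory. The fix thresholds come from sections 6.2 and 7 of this page (15.4.2 for CVE-2024-28995, 15.5.3 for the November 2025 CVEs, 15.5.4 for the February 2026 CVEs); the inventory records are constructed and the ranking weights are assumptions.

```python
"""Rank Serv-U hosts by outstanding fixes and exposure (constructed example)."""

# (first fixed version, advisory label, listed in CISA KEV) as stated on this page.
FIX_VERSIONS = [
    ((15, 4, 2), "CVE-2024-28995 path traversal", True),
    ((15, 5, 3), "CVE-2025-40547/40548/40549 code execution", False),
    ((15, 5, 4), "CVE-2025-40538/40539/40540/40541 privileged RCE", False),
]

def parse_version(text):
    """Turn '15.5.3' or '15.5.3.123' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Serv-U version: {text!r}")
    return tuple(int(p) for p in parts)

def outstanding(version):
    """Advisories whose fix version is newer than the installed version."""
    installed = parse_version(version)
    return [label for fix, label, _ in FIX_VERSIONS if installed < fix]

def prioritise(inventory):
    """Return unpatched hosts, most urgent first.

    Ranking (assumed weights): internet-facing hosts first, then hosts still
    missing a KEV-listed fix, then the number of outstanding advisories.
    """
    rows = []
    for item in inventory:
        installed = parse_version(item["version"])
        missing = [(label, kev) for fix, label, kev in FIX_VERSIONS if installed < fix]
        if not missing:
            continue
        has_kev = any(kev for _, kev in missing)
        key = (bool(item.get("internet_facing")), has_kev, len(missing))
        rows.append((key, item["host"], [label for label, _ in missing]))
    rows.sort(key=lambda r: r[0], reverse=True)
    return [(host, missing) for _, host, missing in rows]

# Constructed inventory for demonstration.
INVENTORY = [
    {"host": "mft-dmz-01", "version": "15.5.3", "internet_facing": True},
    {"host": "mft-int-02", "version": "15.4.1", "internet_facing": False},
    {"host": "mft-dmz-03", "version": "15.5.4", "internet_facing": True},
    {"host": "mft-int-04", "version": "15.5.2", "internet_facing": False},
]

if __name__ == "__main__":
    for host, missing in prioritise(INVENTORY):
        print(host, "->", "; ".join(missing))
```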

7. Historical Context & Related Vulnerabilities

  • CVE-2024-28995 (Serv-U path traversal) is listed as exploited in the wild via CISA KEV and affects Serv-U versions up to (excluding) 15.4.2 per NVD CPE data. (nvd.nist.gov)
  • CVE-2021-35211 (Serv-U SSH RCE) was patched by SolarWinds in July 2021 and was used in targeted attacks attributed to DEV-0322 by Microsoft. (SolarWinds)
  • In November 2025, SolarWinds also addressed Serv-U code execution issues in 15.5.3 (CVE-2025-40547/40548/40549), indicating an ongoing vulnerability cadence in this product family. (documentation.solarwinds.com)

8. Future Outlook

Even when exploitation requires high privileges, Serv-U vulnerabilities remain attractive because attackers can:

  • Convert stolen privileged credentials into host-level execution, bypassing some defensive assumptions about “admin access equals app control only”.
  • Target Serv-U as a staging point for data theft and extortion, particularly where it bridges internal repositories and external counterparties.

Expect follow-on activity after disclosure including opportunistic scanning for exposed Serv-U servers, credential stuffing against admin portals, and chaining with other privilege escalation paths.


9. Further Reading