Cybersecurity Threat Advisory: Critical SolarWinds Serv-U flaw


CVE‑2025‑40538 is a critical broken access control vulnerability in SolarWinds Serv‑U, a self‑hosted managed file transfer (MFT) and FTP/SFTP/FTPS/HTTP(S) server used for secure file exchange. Review the Cybersecurity Threat Advisory now to protect your systems from this critical vulnerability.

What is the threat?

CVE‑2025‑40538 is a critical access control vulnerability in SolarWinds Serv‑U that allows an attacker with domain admin or group admin–level privileges to create a Serv‑U system administrator account and run arbitrary code as a privileged (root/admin) user. SolarWinds rates the issue 9.1 (Critical). Because exploitation requires high‑level administrative privileges, viable attacks are most likely to occur in scenarios involving stolen credentials or chained privilege escalation.

Why is it noteworthy?

This vulnerability is notable because it allows an attacker with domain admin or group admin privileges to escalate their foothold into full control of the Serv‑U server. Given that Serv‑U often stores or brokers access to sensitive business and customer data, compromise can have wide‑ranging impact.

While the requirement for administrative privileges limits opportunistic exploitation, the vulnerability significantly increases risk in cases where attackers already possess stolen admin credentials or can elevate access as part of a broader intrusion.

What is the exposure or risk?

The primary risk from CVE‑2025‑40538 is privileged code execution and full administrative takeover of the Serv‑U server. An attacker with domain admin or group admin privileges can exploit the broken access control to:

  • Create a new Serv‑U system administrator user
  • Execute arbitrary code as root/admin
  • Fully control the Serv‑U host and its associated services

A compromised Serv‑U server could be used for unauthorized access to transferred or stored files, credential harvesting, persistence via new admin accounts, and lateral movement into other systems. This is especially true in environments where Serv‑U integrates with enterprise identity and file transfer workflows.

Although exploitation requires administrative privileges, this still represents meaningful risk for organizations where privileged credentials may be exposed or where attackers can escalate privileges during a multi‑stage intrusion.

What are the recommendations?

Barracuda strongly advises organizations to take the following immediate actions:

  • Update SolarWinds Serv‑U to version 15.5.4, the release that addresses CVE‑2025‑40538 and remediates the broken access control issue.
  • Restrict management access to Serv‑U to admin‑only networks (VPN/allow‑listed IPs), and ensure it is not administered from standard user workstations. Reduce the number of users with domain admin or group admin privileges and enforce MFA for all privileged access.
  • Audit domain admin/group admin membership, apply least‑privilege principles, and monitor for privileged account usage on or against the Serv‑U server.
  • Preserve and review Serv‑U and OS logs for indicators of exploitation, especially unexpected creation of Serv‑U system administrator accounts or unanticipated privileged code execution. If suspicious activity is detected, isolate the server, reset affected credentials, and assess for unauthorized access to transferred or stored files.
  • Inventory all Serv‑U deployments and identify internet‑exposed instances. Implement network segmentation to isolate Serv‑U servers from the broader environment. Place them behind firewalls, restrict inbound access, and limit connectivity only to required systems.
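The log review above can be scripted. The following is an added example, not Barracuda's or SolarWinds' code: it assumes a constructed audit-line format (Serv-U's real log format is not given in this advisory; adapt the regex to yours) and flags every system-administrator creation performed by a domain admin or group admin account, which is exactly the privilege boundary CVE‑2025‑40538 lets an attacker cross, plus any system-administrator creation absent from an approved change list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed, hypothetical audit-line format used only for this example:
# <ISO timestamp> actor=<user> actor_role=<role> action=<verb> target=<user> target_role=<role>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) actor_role=(?P<actor_role>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) target_role=(?P<target_role>\S+)$"
)

# Only an existing system administrator should be able to create another one.
PRIVILEGED_CREATOR_ROLES = {"system_admin"}


@dataclass
class Finding:
    ts: str
    actor: str
    actor_role: str
    target: str
    reason: str


def find_unexpected_admin_creations(lines: Iterable[str], approved_new_admins: Set[str]) -> List[Finding]:
    """Return one Finding per system-administrator creation that looks abnormal."""
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        # Only creations of system-administrator accounts matter for this CVE.
        if not m or m["action"] != "create_user" or m["target_role"] != "system_admin":
            continue
        if m["actor_role"] not in PRIVILEGED_CREATOR_ROLES:
            reason = f"system admin created by a {m['actor_role']} account (CVE-2025-40538 pattern)"
        elif m["target"] not in approved_new_admins:
            reason = "system admin creation not on the approved change list"
        else:
            continue  # legitimate, approved creation by a system admin
        findings.append(Finding(m["ts"], m["actor"], m["actor_role"], m["target"], reason))
    return findings


# Constructed sample log: one approved creation (carol) and two abnormal ones.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z actor=alice actor_role=system_admin action=create_user target=backup_svc target_role=user
2025-06-01T08:05:22Z actor=bob actor_role=domain_admin action=create_user target=ops_helper target_role=system_admin
2025-06-01T09:12:45Z actor=alice actor_role=system_admin action=create_user target=carol target_role=system_admin
2025-06-01T09:40:10Z actor=dave actor_role=group_admin action=create_user target=svc_admin2 target_role=system_admin
"""

if __name__ == "__main__":
    for f in find_unexpected_admin_creations(SAMPLE_LOG.splitlines(), approved_new_admins={"carol"}):
        print(f"{f.ts} {f.actor} ({f.actor_role}) created {f.target}: {f.reason}")
```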

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
