SolarWinds this week announced patches for three critical vulnerabilities found in its Serv-U enterprise file transfer solution.
One of the flaws, tracked as CVE-2025-40549, has been described as a path restriction bypass issue that can be exploited by a threat actor with administrator privileges to execute arbitrary code in a directory.
The vendor pointed out that on Windows systems the vulnerability has a ‘medium severity’ rating due to “differences in how paths and home directories are handled”.
The second vulnerability is CVE-2025-40548, a broken access control issue that can be exploited by an attacker with admin privileges to execute arbitrary code.
The third flaw, CVE-2025-40547, is a logic error that can be exploited for code execution by an attacker with admin permissions.
For both CVE-2025-40547 and CVE-2025-40548, SolarWinds noted that the severity rating is ‘medium’ on Windows because the service typically runs under a less-privileged account by default.
The three security holes affect SolarWinds Serv-U 15.5.2.2.102 and have been patched with the release of version 15.5.3.
SolarWinds this week also announced patches for medium-severity open redirection and XSS vulnerabilities in Observability Self-Hosted.
It’s not uncommon for threat actors to exploit SolarWinds product vulnerabilities in their attacks, including Serv-U flaws.
The Known Exploited Vulnerabilities (KEV) catalog maintained by the cybersecurity agency CISA currently includes seven SolarWinds flaws, including ones impacting Web Help Desk, Orion, Virtualization Manager, and Serv-U.
Related: SolarWinds Makes Third Attempt at Patching Exploited Vulnerability
Related: CISA Flags Critical SolarWinds Web Help Desk Bug for In-the-Wild Exploitation
Related: SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester
Related: SolarWinds Patches Critical Vulnerability in Access Rights Manager