Tainan Branch, Administrative Enforcement Agency, Ministry of Justice

SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution

  • Last updated: 2026-03-25

SolarWinds has released updates to address four critical security flaws in its Serv-U file transfer software that, if successfully exploited, could result in remote code execution.

The vulnerabilities, all rated 9.1 on the CVSS scoring system, are listed below:

  • CVE-2025-40538 - A broken access control vulnerability that allows an attacker to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges.
  • CVE-2025-40539 - A type confusion vulnerability that allows an attacker to execute arbitrary native code as root.
  • CVE-2025-40540 - A type confusion vulnerability that allows an attacker to execute arbitrary native code as root.
  • CVE-2025-40541 - An insecure direct object reference (IDOR) vulnerability that allows an attacker to execute native code as root.