轉發 台灣電腦網路危機處理暨協調中心 資安訊息警訊 TWCERTCC-200-202511-00000016

[內容說明]
SolarWinds Serv-U是一款用於安全文件傳輸的伺服器軟體，支援FTP、FTPS、SFTP等多種協議，具備易用的管理介面，並支援跨平台與跨裝置存取等功能。日前，SolarWinds發布旗下產品Serv-U存在3個重大資安漏洞。
【CVE-2025-40547，CVSS：9.1】 此為邏輯錯誤漏洞，可能允許具有管理員權限的攻擊者可執行程式碼。
【CVE-2025-40548，CVSS：9.1】 此為缺失驗證過程漏洞，可能允許具有管理員的攻擊者可執行程式碼。
【CVE-2025-40549，CVSS：9.1】 此為路徑限制繞過漏洞，可能允許具有管理者權限的攻擊者，可在目錄上執行程式碼。

[影響平台]
SolarWinds Serv-U 15.5.2.2.102版本

[建議措施]
請更新至以下版本： SolarWinds Serv-U 15.5.3版本

[參考資料]
1. https://www.twcert.org.tw/tw/cp-169-10519-a28f7-1.html

Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202511-00000016

[Content Description]
SolarWinds Serv-U is a server software for secure file transfer, supporting multiple protocols such as FTP, FTPS, and SFTP. It features an easy-to-use management interface and supports cross-platform and cross-device access. Recently, SolarWinds released information that its Serv-U product contains three critical cybersecurity vulnerabilities.

【CVE-2025-40547, CVSS: 9.1】 This is a logic error vulnerability that could allow an attacker with administrator privileges to execute code.

【CVE-2025-40548, CVSS: 9.1】 This is a missing verification procedure vulnerability that could allow an attacker with administrator privileges to execute code. 【CVE-2025-40549, CVSS: 9.1】 This is a path restriction bypass vulnerability that could allow an attacker with administrator privileges to execute code on a directory.

[Affected Platforms]
SolarWinds Serv-U version 15.5.2.2.102

[Recommended Actions]
Please update to the following version: SolarWinds Serv-U version 15.5.3

[References]
1. https://www.twcert.org.tw/tw/cp-169-10519-a28f7-1.html