Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202602-00000015

[Content Description]
SolarWinds Serv-U is a server software for secure file transfer, supporting multiple protocols such as FTP, FTPS, and SFTP. It features an easy-to-use management interface and supports cross-platform and cross-device access. Recently, SolarWinds released information that its Serv-U product contains four critical cybersecurity vulnerabilities.

【CVE-2025-40538, CVSS: 9.1】 This is an access control vulnerability that allows attackers to create a system administrator account and execute arbitrary code with privileged accounts through domain administrator or group administrator privileges.

【CVE-2025-40539, CVSS: 9.1】 This is a type obfuscation vulnerability that allows attackers to execute arbitrary native code with privileged accounts.

【CVE-2025-40540, CVSS: 9.1】This is a type obfuscation vulnerability that allows an attacker to execute arbitrary native code with a privileged account.

【CVE-2025-40541, CVSS: 9.1】This is an insecure direct object reference (IDOR) vulnerability that allows an attacker to execute arbitrary native code with a privileged account.

[Affected Platforms]
SolarWinds Serv-U version 15.5

[Recommended Actions]
Please update to the following version: SolarWinds Serv-U 15.5.4 or later