Vulnerability

CERT-In Vulnerability Note CIVN-2025-0337
Multiple Vulnerabilities in SolarWinds Products

Original Issue Date:November 24, 2025

Severity Rating: HIGH

Software Affected

SolarWinds Observability Self-Hosted 2025.4 and prior versions
SolarWinds Serv-U 15.5.2.2.102

Overview

Multiple vulnerabilities have been reported in SolarWinds products which could allow a remote attacker to execute Cross-Site Scripting (XSS) attacks, manipulate strings to redirect users to malicious sites, and inject malicious code, potentially leading to unauthorized data access and privilege escalation on the targeted system.

Target Audience:
All organizations and individuals using SolarWinds products.

Risk Assessment:
High risk of data theft, full system compromise.

Impact Assessment:
Potential for remote code execution, which may lead to complete system compromise.

Description

SolarWinds Observability Self-Hosted is a platform that allows users to monitor their systems and applications, providing detailed metrics and analytics for operational insights. It is typically used by IT operations, DevOps teams, and system administrators for performance management whereas, SolarWinds Serv-U is a FTP server software for secure, automated, centralized file transfers, supporting FTP, FTPS, SFTP, and HTTP/S, and remote management.

Multiple vulnerabilities exist in SolarWinds products due to insufficient sanitization of user-supplied data in URL fields, missing validation process, logic error vulnerability, restriction-bypass vulnerability, and open redirection flaw.

Successful exploitation of these vulnerabilities could allow a remote attacker to execute Cross-Site Scripting (XSS) attacks, manipulate strings to redirect users to malicious sites, and inject malicious code, potentially leading to unauthorized data access and privilege escalation on the targeted system.

Solution

Apply appropriate fix/patches as mentioned in SolarWinds advisory:
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26391

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40545

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40549

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40548

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40547

Vendor Information

SolarWinds
https://www.solarwinds.com/trust-center/security-advisories

References

SolarWinds
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26391
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40545
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40549
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40548
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40547

CVE Name
CVE-2025-40545
CVE-2025-40547
CVE-2025-40548
CVE-2025-40549
CVE-2025-26391

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India