Vulnerability

CERT-In Vulnerability Note CIVN-2026-0101
Multiple Vulnerabilities in SolarWinds Serv-U

Original Issue Date:February 26, 2026

Severity Rating: CRITICAL

Software Affected

SolarWinds Serv-U Version 15.5.3 and prior

Overview

Multiple vulnerabilities have been reported in SolarWinds Serv-U which could allow an attacker to execute arbitrary code on the targeted system.

Target Audience:
All organizations and individuals using SolarWinds Serv-U products.

Risk Assessment:
Critical risk of unauthorized administrative access, authentication bypass, privilege escalation, arbitrary code execution and full system compromise.

Impact Assessment:
Potential for arbitrary code execution, system configuration manipulation, data exposure and gaining unauthorized access.

Description

SolarWinds Serv-U is an enterprise-grade managed file transfer (MFT) solution used for secure file exchange across networks.

These vulnerabilities exist in SolarWinds Serv-U due to improper access control and logic handling flaws. An attacker with administrative privileges could exploit these vulnerabilities to execute arbitrary code on the affected system.

Solution

Apply appropriate updates as mentioned by the vendor:
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40538

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40539

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40540

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40541

Vendor Information

SolarWinds
https://www.solarwinds.com/trust-center/security-advisories

References

SolarWinds
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40538
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40539
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40540
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40541

CVE Name
CVE-2025-40538
CVE-2025-40539
CVE-2025-40540
CVE-2025-40541

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India