Critical RCE Vulnerability Discovered in SolarWinds Serv-U via IDOR (CVE-2025-40541)
In the ever-evolving landscape of cybersecurity threats, a new critical vulnerability has emerged in SolarWinds Serv-U, a popular file transfer server.
Designated CVE-2025-40541, this Insecure Direct Object Reference (IDOR) flaw allows attackers with administrative privileges to execute arbitrary native code remotely as a privileged account.
Published on February 24, 2026, it carries a CVSS v3.1 score of 9.1 (Critical), calculated as CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The high impact stems from its changed scope (S:C) and from a high impact on all three of confidentiality, integrity, and availability.
At its core, CVE-2025-40541 exploits poor access controls in Serv-U’s object handling. IDOR occurs when an application exposes internal object references, such as file paths, user IDs, or session tokens, without verifying the requesting user’s authorization. In Serv-U 15.5, admins can manipulate these references to access unauthorized resources, which can escalate to remote code execution (RCE).
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-40541 |
| Severity | 9.1 Critical |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| First Published | 02/24/2026 |
| Last Published | 02/24/2026 |
| Affected Product | SolarWinds Serv-U 15.5 |
| Fixed Version | Serv-U 15.5.4 |
Attackers leverage this by crafting requests to endpoints that directly reference server-side objects, such as configuration files or execution contexts. Successful exploitation bypasses intended restrictions, injecting and running native code (e.g., shell commands) under the server’s privileged context. On Windows, the service often runs as a low-privilege account such as NETWORK SERVICE, which reduces the practical risk to “medium”; Linux/Unix deployments running as root amplify the threat.
Consider a typical Serv-U deployment. The vulnerable component likely resides in the web management interface or API handlers (exact paths undisclosed pending full disclosure).
Without proper IDOR mitigations, such as indirect reference maps or server-side ownership checks, the server resolves the objectId directly, granting RCE. The CVSS vector highlights network accessibility (AV:N), low complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), and changed scope for broader impact.
Proof-of-concept exploits, if public, would demonstrate chaining this with enumeration to pivot from admin access to system compromise, potentially deploying malware or exfiltrating data.
Affected: SolarWinds Serv-U 15.5 (all hotfixes before 15.5.4).
Fixed: Upgrade to Serv-U 15.5.4, which patches reference validation.
- Restrict admin access via network segmentation.
- Enable logging/auditing for object reference calls.
- Deploy WAF rules blocking anomalous objectId patterns.
- Run services under least-privilege accounts (e.g., via sc config on Windows).
This flaw echoes SolarWinds’ 2020 Orion breach, underscoring supply chain risks in enterprise tools. Organizations using Serv-U for secure file transfers face lateral movement risks once an attacker has initial access. Patch immediately; delays invite targeted attacks from nation-states or ransomware groups.
Scan environments with tools like Nuclei or custom scripts targeting Serv-U banners. For developers, adopt OWASP IDOR prevention: use GUIDs for references, enforce authorization at every layer, and implement reference maps.
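To make the mitigation concrete, here is an added example (not code from Serv-U or from the original post) contrasting a direct objectId lookup with the indirect reference map and server-side ownership check described above. The object store, user names, and paths are constructed for illustration.

```python
import secrets

# Constructed sample store: internal object ids -> owner and path (not Serv-U's data model).
OBJECTS = {
    1001: {"owner": "alice", "path": "/srv/files/alice/report.txt"},
    1002: {"owner": "bob", "path": "/srv/files/bob/notes.txt"},
}

def vulnerable_resolve(session_user: str, object_id: int) -> str:
    """IDOR pattern: the client-supplied id is resolved directly, with no ownership check.
    Any authenticated user can reach any object just by changing the id."""
    return OBJECTS[object_id]["path"]

class ReferenceMap:
    """Per-session indirect reference map: opaque random handles -> internal ids.
    A client only ever receives handles minted for objects it is authorized to use,
    so internal ids are never exposed and cannot be guessed or enumerated."""

    def __init__(self, user: str):
        self.user = user
        self._handles = {}  # handle (str) -> internal object id (int)

    def handle_for(self, object_id: int) -> str:
        # Mint a handle only for objects owned by this session's user.
        if OBJECTS[object_id]["owner"] != self.user:
            raise PermissionError("not owner")
        handle = secrets.token_urlsafe(16)  # unguessable, per-session reference
        self._handles[handle] = object_id
        return handle

    def resolve(self, handle: str) -> str:
        # Lookup is scoped to this session: a handle minted elsewhere is unknown here.
        object_id = self._handles.get(handle)
        if object_id is None:
            raise PermissionError("unknown handle")
        # Defense in depth: re-check ownership server-side at time of use.
        if OBJECTS[object_id]["owner"] != self.user:
            raise PermissionError("not owner")
        return OBJECTS[object_id]["path"]

def is_denied(fn, *args) -> bool:
    """True if the call is rejected with PermissionError (used to verify the checks)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

The hardened path also gives the audit log a clean signal: every rejected or unknown handle is an authorization failure worth recording, which is the anomalous-reference detection the mitigation list calls for.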
Site: cybersecuritypath.com