SolarWinds Serv-U Broken Access Control Flaw Leads to RCE (CVE-2025-40538)
In a stark reminder of the critical role of access controls in secure file transfer systems, SolarWinds has patched a severe vulnerability in Serv-U that enables remote code execution (RCE) through broken access controls.
Dubbed CVE-2025-40538, this flaw allows attackers who already hold administrative privileges to craft a system admin user and execute arbitrary code as a highly privileged account. Disclosed on February 24, 2026, it carries a CVSS v3.1 score of 9.1 (Critical), with the vector CVSS:9.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.
Serv-U, a popular managed file transfer (MFT) solution, suffers from improper enforcement of access controls in its user management and privilege escalation mechanisms.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-40538 |
| Severity | 9.1 Critical |
| CVSS v3.1 Vector | CVSS:9.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Description | Broken access control in Serv-U allows domain/group admins to create system admin users and achieve RCE as privileged accounts. Requires admin privileges; medium risk on Windows due to default service accounts. |
| CWE ID | CWE-269 (Improper Privilege Management) |
| Affected Product | SolarWinds Serv-U 15.5 |
| Fixed Version | Serv-U 15.5.4 |
| Published | February 24, 2026 |
Specifically, the flaw resides in how the application handles domain admin or group admin permissions during user creation and session management. An authenticated attacker with these elevated roles can bypass intended restrictions to:
- Create a rogue “system admin” user account with unrestricted privileges.
- Leverage this account to inject and execute arbitrary code on the host system.
The attack chain requires high-privilege access (PR:H in CVSS terms), making it a targeted threat that depends on compromised admin credentials. Once exploited, the scope expands (S:C) due to Serv-U’s typical integration with Active Directory or local Windows domains, granting domain-wide impact.
This leads to a compromise of confidentiality (C:H), integrity (I:H), and availability (A:H), enabling outcomes such as data exfiltration, ransomware deployment, or lateral movement in enterprise networks.
On Windows deployments, the primary platform for Serv-U, the risk is tempered to “medium” in some assessments.
Services often run under least-privileged accounts, such as NETWORK SERVICE, by default, limiting the initial blast radius. However, misconfigurations or custom setups running as SYSTEM elevate the danger exponentially.
Serv-U Broken Access Control Flaw
The root cause lies in a flawed authorization check within Serv-U’s API endpoints for user provisioning (likely /api/users or equivalent). An admin with domain/group rights can submit a crafted POST request that omits or spoofs validation tokens, creating a user with the system_admin role, unbound by domain scopes.
Exploit flow:
- Authenticate as a domain/group admin via Serv-U’s web interface or API.
- Issue a user creation request with an elevated payload, e.g. `{"username": "malicious_sysadmin", "role": "system_admin", "domain_id": null}`, nullifying domain isolation.
- Log in as the new user and invoke RCE via command injection in file transfer hooks or script execution features (e.g., event-driven automation rules).
- Execute payloads such as `cmd.exe /c whoami /priv` to confirm SYSTEM privileges, then pivot.
Proof-of-concept exploits, if public, would demonstrate this using tools like Burp Suite to intercept and modify JSON payloads. No user interaction (UI:N) or complex post-authentication preconditions (AC:L) are needed.
- Affected: SolarWinds Serv-U 15.5 (all hotfixes before 15.5.4).
- Fixed: Serv-U 15.5.4 (see the SolarWinds release notes).
- Published: February 24, 2026 (MITRE CVE).
SolarWinds credits internal research for the discovery, with no known wild exploitation as of publication.
Patch immediately to 15.5.4 or later. Interim steps:
- Enforce the principle of least privilege: Avoid domain/group admin logins for routine tasks.
- Monitor logs for anomalous user creations (Event ID patterns in Serv-U audit trails).
- Segment Serv-U in isolated networks; use web application firewalls (WAF) to block suspicious API calls.
- Use tools like BloodHound for AD to map exposure.
- Enable Serv-U’s enhanced logging and integrate with SIEM for real-time alerts.
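The log-monitoring step above can be turned into a concrete detection: flag any user-creation event in which a domain or group admin ends up with a system admin account, or the new account has no domain scope, which is exactly the boundary CVE-2025-40538 lets an attacker cross. The following is an added example, not code from SolarWinds or from the original article; the audit line format and the role names are constructed for illustration, so adapt the regex to the fields your Serv-U build actually logs.

```python
import re

# Constructed sample audit lines (not real Serv-U output); adapt LINE_RE to your format.
SAMPLE_LOG = """\
2026-02-25 09:12:01 USER_CREATED actor=alice actor_role=system_admin new_user=bob new_role=user domain=corp
2026-02-25 09:13:44 USER_CREATED actor=carol actor_role=domain_admin new_user=dave new_role=domain_admin domain=corp
2026-02-25 09:15:09 USER_CREATED actor=carol actor_role=domain_admin new_user=svc_admin new_role=system_admin domain=
2026-02-25 09:16:30 LOGIN actor=svc_admin result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) USER_CREATED actor=(?P<actor>\S+) actor_role=(?P<actor_role>\S+) "
    r"new_user=(?P<new_user>\S+) new_role=(?P<new_role>\S+) domain=(?P<domain>\S*)$"
)

# Scoped admin roles that must never be able to mint a system_admin (the CWE-269 boundary).
SCOPED_ADMIN_ROLES = {"domain_admin", "group_admin"}


def find_privilege_escalations(log_text: str) -> list[dict]:
    """Return one alert dict per USER_CREATED event that crosses the admin scope boundary."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a user-creation event
        ev = m.groupdict()
        if ev["new_role"] != "system_admin":
            continue  # only system-admin grants are interesting here
        reasons = []
        if ev["actor_role"] in SCOPED_ADMIN_ROLES:
            reasons.append(f"{ev['actor_role']} created a system_admin user")
        if ev["domain"] == "":
            reasons.append("new user is not bound to any domain")
        if reasons:
            alerts.append({"ts": ev["ts"], "actor": ev["actor"], "new_user": ev["new_user"],
                           "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in find_privilege_escalations(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['actor']} -> {a['new_user']}: {a['reason']}")
```

Feed the same rule to your SIEM as a correlation search on the equivalent fields; a legitimate system admin creating a system admin account is not flagged, so the alert volume stays low.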
This incident underscores a perennial truth: Even “high-privilege required” flaws can cascade into catastrophes in AD-heavy environments. Organizations that rely on Serv-U for secure transfers should prioritize this update to prevent privilege abuse.
Site: cybersecuritypath.com