Serv-U Broken Access Control RCE (CVE-2025-40538)
Critical broken access control flaw in Serv-U lets attackers create admin accounts and execute code as a privileged user. Patch or upgrade now to prevent full system compromise.
Patch now - CVE-2025-40538 is a critical privilege escalation flaw in Serv-U file transfer software that lets an attacker with domain or group admin permissions create a system admin account and execute arbitrary code on the host. Apply the vendor-supplied fix without delay.
Overview
A critical security flaw has been identified in Serv-U file transfer software. This vulnerability involves broken access control, allowing a user with specific administrative permissions to create a new, fully privileged system administrator account and execute arbitrary code on the host system.
Vulnerability Explanation
In simple terms, this is a severe privilege escalation flaw. A malicious actor who has already compromised a “domain admin” or “group admin” account within Serv-U can abuse these legitimate permissions in an unintended way. They can exploit this flaw to create a new “system admin” user account with the highest level of access. This new account can then be used to run any code or commands on the underlying server with elevated privileges.
It is crucial to note that exploiting this vulnerability requires the attacker to first obtain administrative credentials within Serv-U (domain or group admin). It cannot be exploited by a standard, unprivileged user.
Potential Impact
If successfully exploited, this vulnerability gives an attacker complete control over the Serv-U instance and the host operating system. The attacker can:
- Steal, modify, or delete all files managed by the Serv-U service.
- Install malicious software, such as ransomware or backdoors.
- Use the compromised server as a foothold to attack other systems on the network.
- Achieve persistent access by creating new, hidden administrator accounts.
The overall severity is rated as CRITICAL with a CVSS score of 9.1. For Windows deployments where Serv-U often runs under a less-privileged service account, the immediate risk of full system compromise may be reduced, scoring the local risk as Medium. However, the impact on the Serv-U application and all data it manages remains critical.
Remediation and Mitigation Advice
The primary and most urgent action is to apply the official security patch.
- Immediate Patching: All users of affected Serv-U versions must upgrade to the latest version provided by the vendor (SolarWinds). Consult the official SolarWinds security advisory for the specific fixed versions and download links.
- Principle of Least Privilege: Review and tighten the assignment of administrative roles within Serv-U. Ensure that only absolutely necessary personnel hold Domain Admin or Group Admin privileges. Regularly audit these accounts for suspicious activity.
- Network Security: Restrict network access to the Serv-U administration interfaces. Ensure they are not exposed directly to the internet and are only accessible from trusted, internal networks.
- Credential Hygiene: Enforce strong, unique passwords for all Serv-U administrative accounts and consider integrating with centralized identity management where possible.
- Monitoring: Increase monitoring of authentication logs and user management events within Serv-U for any unauthorized creation or modification of administrator accounts.
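The monitoring and least-privilege advice above can be turned into a concrete check: flag any account-management event where a domain or group admin grants a role at or above its own level, which is exactly the pattern this flaw enables. This is an added example, not code from SolarWinds or the advisory; the log line format, the field names and the role ranking are constructed assumptions and must be mapped onto Serv-U's real log events before use.

```python
"""Flag privilege-escalating account changes in an admin audit trail.

Added example. The log format below is a constructed stand-in, not
Serv-U's real log format; adapt LINE_RE to the product's actual events.
"""
import re
from dataclasses import dataclass

# Assumed role ranking. Policy (assumption): an actor may only grant roles
# strictly below its own rank; only a system admin may create system admins.
RANK = {"user": 0, "group_admin": 1, "domain_admin": 2, "system_admin": 3}

# Constructed sample lines (not real Serv-U output).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z actor=sysadmin role=system_admin action=create target=alice new_role=user
2025-06-01T10:05:12Z actor=dom1admin role=domain_admin action=create target=bob new_role=user
2025-06-01T10:07:44Z actor=dom1admin role=domain_admin action=create target=backdoor new_role=system_admin
2025-06-01T10:09:03Z actor=grpadmin role=group_admin action=modify target=carol new_role=domain_admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>create|modify) target=(?P<target>\S+) new_role=(?P<new_role>\S+)$"
)


@dataclass
class Finding:
    ts: str
    actor: str
    actor_role: str
    target: str
    new_role: str


def find_escalations(log_text: str) -> list[Finding]:
    """Return events where a non-system admin grants a role >= its own rank."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an account-management event; ignore
        actor_rank = RANK.get(m["role"], 0)
        granted_rank = RANK.get(m["new_role"], 0)
        if actor_rank < RANK["system_admin"] and granted_rank >= actor_rank:
            findings.append(Finding(m["ts"], m["actor"], m["role"], m["target"], m["new_role"]))
    return findings


if __name__ == "__main__":
    for f in find_escalations(SAMPLE_LOG):
        print(f"ALERT {f.ts}: {f.actor} ({f.actor_role}) set {f.target} to {f.new_role}")
```

On the constructed sample the domain admin creating a system admin and the group admin promoting a user to domain admin are both reported; the two legitimate creations are not.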
Reference: CVE-2025-40538