Critical SolarWinds Serv-U Vulnerabilities Grant Attackers Root Access
SolarWinds has released an urgent security update for its Serv-U file server software, addressing multiple critical vulnerabilities that could allow attackers to fully compromise affected systems. The latest release, Serv-U version 15.5.4, rectifies four high-severity security flaws, each assigned a CVSS score of 9.1. These vulnerabilities are particularly alarming as they enable remote code execution, granting attackers the highest level of administrative control over the targeted infrastructure.
Serv-U Vulnerabilities Enable Root Access
The newly disclosed security flaws deeply affect the core functionality of the Serv-U application, enabling arbitrary native code execution with root privileges. Among the most severe issues is a broken access control vulnerability that permits attackers with domain or group admin privileges to create a system admin user.
Once this unauthorized system-admin account is established, the attacker can execute malicious commands with root privileges. Additionally, the software suffers from two distinct type confusion vulnerabilities. These memory corruption flaws provide a direct pathway for an attacker to run unauthorized native code as root.
Furthermore, the update addresses an Insecure Direct Object Reference (IDOR) vulnerability. This specific flaw allows attackers to bypass authorization mechanisms by directly accessing internal objects, which, in turn, results in remote code execution with root privileges.
Because these vulnerabilities provide complete system control, threat actors could use them to deploy ransomware, steal sensitive enterprise data, or establish persistent backdoors within corporate networks.
Product Enhancements and Update Recommendations
Alongside these critical security patches, Serv-U version 15.5.4 introduces several functional improvements and platform support updates. The application now officially supports Ubuntu 24.04 LTS, expanding its deployment flexibility in enterprise environments.
SolarWinds has also reintroduced the download history feature in File Share, aligning it with the legacy web client capabilities. Additionally, the file share interface now includes a precise time display next to the last modified date.
To further harden the application against modern web threats, SolarWinds implemented strict content security policy configurations. The legacy login page now utilizes specific directives to prevent the application from being maliciously embedded in other websites, neutralizing potential clickjacking attacks.
Administrators using previous versions of Serv-U should consult the end-of-life schedule, as earlier versions, such as 15.5.1, reached the end of engineering support by February 18, 2026. Organizations must download the latest installation files from the customer portal to ensure their infrastructure remains secure against these critical remote code execution threats.
