【Vulnerability Alert】Three critical security vulnerabilities (CVE-2025-40547) (CVE-2025-40548) (CVE-2025-40549) have been identified in SolarWinds Serv-U software.

Publish date: 2025-11-21
Update date: 2025-11-21

Source: Ministry of education information & communication security contingency platform


Publication Number: TACERT-ANA-2025111903113535
Publication Time: 2025/11/19 15:04
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/11/19 15:04
Impact Level: Low

[Subject]
【Vulnerability Alert】Three critical security vulnerabilities (CVE-2025-40547) (CVE-2025-40548) (CVE-2025-40549) have been identified in SolarWinds Serv-U software.

[Content]
Forwarded from TWCERTCC-200-202511-00000016

SolarWinds Serv-U is a server software designed for secure file transfer, supporting multiple protocols such as FTP, FTPS, and SFTP. It offers an easy-to-use management interface and supports cross-platform and cross-device access. Recently, SolarWinds announced that its Serv-U product contains three critical security vulnerabilities.

【CVE-2025-40547, CVSS: 9.1】 This is a logic error vulnerability that may allow an attacker with administrator privileges to execute code.

【CVE-2025-40548, CVSS: 9.1】 This is a vulnerability caused by a missing validation process that may allow an attacker with administrator privileges to execute code.

【CVE-2025-40549, CVSS: 9.1】 This is a path restriction bypass vulnerability that may allow an attacker with administrator privileges to execute code within directories.

Information Sharing Level: WHITE (Information content can be publicly disclosed)

[Affected Platform]
SolarWinds Serv-U version 15.5.2.2.102

[Recommended Actions]
Please update to the following version: SolarWinds Serv-U version 15.5.3.

[Reference]
https://www.twcert.org.tw/tw/cp-169-10519-a28f7-1.html

(This notification is for informational purposes only and does not constitute a cybersecurity incident.)
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center