
SolarWinds patches four critical Serv-U flaws enabling root access

Pierluigi Paganini February 24, 2026

SolarWinds addressed four critical Serv-U vulnerabilities that could let attackers gain root access to unpatched servers.

SolarWinds released updates fixing four critical Serv-U vulnerabilities that allow remote code execution, potentially giving attackers full root access on unpatched servers.

Serv-U is a file transfer server software that allows organizations to securely transfer files over networks using protocols like FTP, FTPS, SFTP, and HTTP/S. It’s commonly used by businesses to manage and exchange large files safely, including between internal teams and external partners.

One of the flaws fixed by the company is a broken access control issue, tracked as CVE-2025-40538 (CVSS score of 9.1), that could be exploited by attackers with high privileges to gain root or admin access on vulnerable systems.

“A broken access control vulnerability exists in Serv-U which, when exploited, gives an attacker the ability to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges,” reads the advisory.

The second flaw is CVE-2025-40540 (CVSS score of 9.1), a type confusion vulnerability in Serv-U that, if exploited, allows an attacker to execute arbitrary native code as root, giving them full control of the affected server.

The third flaw is CVE-2025-40539 (CVSS score of 9.1), another type confusion vulnerability. Similar to the previous one, it enables an attacker to run arbitrary native code with root privileges, potentially compromising the entire system.

The last flaw is CVE-2025-40541 (CVSS score of 9.1), an Insecure Direct Object Reference (IDOR) vulnerability in Serv-U. Exploiting this flaw allows an attacker to execute native code as root, risking complete server compromise on unpatched systems.
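The advisory summaries above name two authorization-flaw classes: a broken access control that lets a domain or group admin create a system admin account, and an IDOR that returns an object for whatever identifier the client supplies. The following is an added illustration of those two classes, written for this page; it is not Serv-U code and says nothing about how Serv-U implements its checks. The role tiers, the `UserStore`, the account records and the `demo()` scenario are all constructed for the example. Each vulnerable handler sits beside a hardened one so the missing check is visible.

```python
"""Constructed illustration (not Serv-U code) of broken access control on
account creation and of an IDOR on a record fetched by client-supplied id.
Assumed model: four privilege tiers, accounts keyed by numeric uid, each
account belonging to one domain."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    USER = 0
    GROUP_ADMIN = 1
    DOMAIN_ADMIN = 2
    SYSTEM_ADMIN = 3


@dataclass
class Account:
    uid: int
    name: str
    role: Role
    domain: str


@dataclass
class UserStore:
    accounts: dict = field(default_factory=dict)

    def add(self, acct: Account) -> Account:
        self.accounts[acct.uid] = acct
        return acct


# One exception with one message for every refusal, so the endpoint does not
# reveal whether a uid exists (no enumeration oracle).
class Forbidden(Exception):
    pass


# Vulnerable: the only gate is "is the caller some kind of admin"; nothing
# stops a domain or group admin from requesting a SYSTEM_ADMIN account.
def create_user_vulnerable(store, actor, uid, name, role, domain):
    if actor.role < Role.GROUP_ADMIN:
        raise Forbidden("denied")
    return store.add(Account(uid, name, role, domain))


# Hardened: a caller may grant only roles strictly below its own and only in
# its own domain; SYSTEM_ADMIN is the single tier exempt from both limits.
def create_user_hardened(store, actor, uid, name, role, domain):
    if actor.role < Role.GROUP_ADMIN:
        raise Forbidden("denied")
    if actor.role != Role.SYSTEM_ADMIN:
        if role >= actor.role or domain != actor.domain:
            raise Forbidden("denied")
    return store.add(Account(uid, name, role, domain))


# Vulnerable IDOR: the record is returned for whatever uid the client sent.
def get_user_vulnerable(store, actor, uid):
    return store.accounts[uid]


# Hardened: fetch, then authorize the caller against the record's scope;
# missing and out-of-scope records get the identical refusal.
def get_user_hardened(store, actor, uid):
    acct = store.accounts.get(uid)
    if acct is None:
        raise Forbidden("denied")
    if actor.role == Role.SYSTEM_ADMIN or acct.uid == actor.uid:
        return acct
    if (actor.role >= Role.GROUP_ADMIN and acct.domain == actor.domain
            and acct.role < actor.role):
        return acct
    raise Forbidden("denied")


def demo():
    """Run both paths against a constructed store; returns a result dict."""
    store = UserStore()
    store.add(Account(1, "system-admin", Role.SYSTEM_ADMIN, "*"))
    dom_admin = store.add(Account(2, "corp-admin", Role.DOMAIN_ADMIN, "corp"))
    store.add(Account(3, "partner-user", Role.USER, "partner"))
    store.add(Account(4, "corp-user", Role.USER, "corp"))
    out = {}
    # Broken access control: the corp domain admin asks for a SYSTEM_ADMIN.
    out["vuln_create"] = create_user_vulnerable(
        store, dom_admin, 10, "new-admin", Role.SYSTEM_ADMIN, "corp").role.name
    try:
        create_user_hardened(store, dom_admin, 11, "new-admin", Role.SYSTEM_ADMIN, "corp")
        out["hard_create"] = "allowed"
    except Forbidden:
        out["hard_create"] = "denied"
    # IDOR: the same admin requests a record that lives in another domain.
    out["vuln_read"] = get_user_vulnerable(store, dom_admin, 3).name
    try:
        get_user_hardened(store, dom_admin, 3)
        out["hard_read"] = "allowed"
    except Forbidden:
        out["hard_read"] = "denied"
    # The hardened path still serves records inside the caller's own domain.
    out["hard_read_own_domain"] = get_user_hardened(store, dom_admin, 4).name
    return out


if __name__ == "__main__":
    print(demo())
```

The two hardened handlers share one design point: the privilege check is made against the target object (the role being granted, the domain the record belongs to), not merely against the caller's own status. A check that only asks "is this caller an admin" is exactly the gate the advisory describes as bypassable by domain or group admin privileges.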

In November 2025, SolarWinds addressed three other critical vulnerabilities (CVE-2025-40549, CVE-2025-40548, CVE-2025-40547) in its Serv-U file transfer solution that could allow remote code execution.

In July 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Article source: https://securityaffairs.com/188454/hacking/solarwinds-patches-four-critical-serv-u-flaws-enabling-root-access.html