
SolarWinds Serv-U 15.5.4 Rocked by Critical RCE Vulnerabilities; Patch Now

Summary: SolarWinds has fixed four critical vulnerabilities in its popular Serv-U file transfer solution, which is used by businesses and organizations of all sizes. The vulnerabilities affect SolarWinds Serv-U Managed File Transfer, a platform frequently deployed as an internet-facing FTP/FTPS/SFTP gateway or as an internal file exchange service handling sensitive data.

OEM: SolarWinds
Severity: Critical
CVSS Score: 9.1
CVEs: CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

SolarWinds stated that there are no confirmed reports of active exploitation at this time. However, previous Serv-U vulnerabilities have been exploited by advanced threat actors, so prompt patching is warranted.

SolarWinds Serv-U is a secure file transfer server used by organizations to manage FTP, FTPS, SFTP, and HTTP/S file transfers across enterprise environments. It is commonly deployed on Windows and Linux servers to securely exchange sensitive business data.

SolarWinds fixed four critical remote code execution vulnerabilities in Serv-U 15.5. These vulnerabilities could allow an attacker with administrative privileges to execute arbitrary native code as root on the affected server. 

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| --- | --- | --- | --- | --- | --- |
| Broken Access Control Remote Code Execution Vulnerability | CVE-2025-40538 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Type Confusion Remote Code Execution Vulnerability | CVE-2025-40539 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Type Confusion Remote Code Execution Vulnerability | CVE-2025-40540 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability | CVE-2025-40541 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |

Technical Summary 

These critical vulnerabilities affect SolarWinds Serv-U version 15.5 and arise from weaknesses such as improper access control checks, type confusion errors, and insecure object reference handling.

If exploited, they may allow an attacker to run arbitrary native code with root-level privileges on the affected server. 

Successful exploitation requires administrative access. Once that access is obtained, an attacker could create unauthorized administrator accounts and execute malicious code, potentially resulting in complete system compromise and further movement across the network.

SolarWinds strongly advises upgrading to Serv-U version 15.5.4 to address these security risks. 

| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-40538 | Serv-U 15.5 | Improper access control enabling admin creation and root-level code execution | Admin account creation, full system compromise |
| CVE-2025-40539 | Serv-U 15.5 | Type confusion enabling arbitrary native code execution as root | Arbitrary native code execution |
| CVE-2025-40540 | Serv-U 15.5 | Type confusion leading to root-level native code execution | Root-level execution |
| CVE-2025-40541 | Serv-U 15.5 | IDOR enabling unauthorized access and root-level code execution | Remote code execution as root |

Potential Consequences 

  • Full server takeover 
  • Privilege escalation 
  • Lateral movement within enterprise network 
  • Data exfiltration 
  • Malware or backdoor deployment 

Remediation:  

Upgrade immediately to the fixed Serv-U release listed below:

  • Serv-U 15.5.4  

If immediate patching is not possible, apply the following temporary mitigations:

  1. Restrict Serv-U administrative access to trusted IP ranges.
  2. Enforce MFA for all Serv-U admin accounts.
  3. Ensure services run with least privilege.
  4. Audit newly created administrative accounts.

As a best practice, follow the recommendations below:

  • Enforce strict administrative access controls. 
  • Monitor logs for unauthorized privilege escalation. 
  • Implement network segmentation for file transfer servers. 
  • Apply regular patch management and vulnerability scanning. 
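As an added example (not SolarWinds' code), the following POSIX shell script ties together three of the controls above: it compares an installed version against the 15.5.4 fixed release, diffs the current administrator list against an approved baseline to surface newly created admin accounts, and flags administrative logins or account-creation events that originate outside trusted address ranges. The installed version, account lists, log lines and trusted prefixes are all constructed for the example, and the `key=value` log layout is an assumption rather than the real Serv-U log format, so the parsing must be adapted to a live deployment.

```shell
#!/bin/sh
# Added example, not SolarWinds' code: a small post-advisory audit for Serv-U.
# All sample data below is constructed. Real Serv-U admin exports and log
# lines use a different layout, so adapt the parsing to your deployment.

FIXED_VERSION="15.5.4"          # fixed release named in the advisory

# Exit 0 when the installed version is older than FIXED_VERSION.
needs_patch() {
    installed="$1"
    [ "$installed" = "$FIXED_VERSION" ] && return 1
    # sort -V orders dotted versions component-wise, so the first line is the older one.
    oldest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$oldest" = "$installed" ]
}

# Constructed baseline of approved Serv-U administrator accounts, one per line,
# as recorded before the advisory.
BASELINE_ADMINS="servu_admin
fileops_admin"

# Constructed export of the administrator accounts present now.
CURRENT_ADMINS="servu_admin
fileops_admin
svc_sync"

# Print administrator accounts present now but absent from the baseline:
# the candidates for the "newly created admin" review the mitigations call for.
new_admins() {
    base=$(mktemp); cur=$(mktemp)
    printf '%s\n' "$BASELINE_ADMINS" | sort -u > "$base"
    printf '%s\n' "$CURRENT_ADMINS"  | sort -u > "$cur"
    comm -13 "$base" "$cur"          # lines only in the current export
    rm -f "$base" "$cur"
}

# Constructed administrative-event log in a simplified key=value form
# (an assumption, not the real Serv-U log format).
SAMPLE_LOG='2025-11-03T09:12:44Z event=admin_login user=servu_admin src=10.20.1.15 result=success
2025-11-03T09:40:02Z event=admin_login user=fileops_admin src=10.20.1.30 result=success
2025-11-03T11:05:19Z event=admin_login user=svc_sync src=203.0.113.77 result=success
2025-11-03T11:06:01Z event=user_login user=alice src=203.0.113.5 result=success
2025-11-03T11:07:55Z event=admin_create user=svc_sync target=helper2 src=203.0.113.77 result=success'

# Constructed management network prefixes from which admin access is expected.
TRUSTED_PREFIXES="10.20.1. 192.168.50."

# Print admin events (logins and account creation) whose source address is
# outside the trusted prefixes; ordinary user logins are ignored.
untrusted_admin_events() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        case "$line" in
            *" event=admin_"*) ;;
            *) continue ;;
        esac
        src=${line##*src=}; src=${src%% *}      # extract the src= value
        trusted=0
        for prefix in $TRUSTED_PREFIXES; do
            case "$src" in "$prefix"*) trusted=1 ;; esac
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Human-readable report when the script is run directly.
report() {
    installed="${1:-15.5.3}"                 # constructed installed version
    if needs_patch "$installed"; then
        echo "Serv-U $installed is below $FIXED_VERSION: upgrade required"
    else
        echo "Serv-U $installed is at or above $FIXED_VERSION"
    fi
    echo "Admin accounts not in baseline:"; new_admins
    echo "Admin events from untrusted sources:"; untrusted_admin_events
}
report "$@"
```

Run it with the installed version as the first argument (`sh servu_audit.sh 15.5.3`). An account that appears in `new_admins` and also shows up in `untrusted_admin_events` creating further accounts, as `svc_sync` does in the constructed data, is exactly the pattern the "audit newly created administrative accounts" mitigation is meant to catch.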

Conclusion: 
These four newly disclosed vulnerabilities in SolarWinds Serv-U represent critical remote code execution risks. Although exploitation has not been confirmed, Serv-U’s history of targeted attacks increases the urgency for patching. 

Organizations should treat this as a priority patching event and immediately upgrade to Serv-U 15.5.4 to prevent potential root-level compromise. 


Critical Vulnerability Identified in the tj-actions/branch-names GitHub Action Workflow

Security advisory:  Patch Now! Critical Command Injection in GitHub Action tj-actions/branch-names Affects 5,000+ public repositories. 

Summary:

A critical vulnerability has been identified in the tj-actions/branch-names GitHub Action, which allows arbitrary command execution in downstream workflows. The issue arises from inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags.

Severity: Critical
CVSS Score: 9.1
CVEs: CVE-2025-54416
POC Available: Yes
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 
Although the action sanitizes its inputs internally, its outputs remain unescaped, so consuming workflows are exposed to significant security risk when they use those outputs. The issue is fixed in version 9.0.0.

The flaw allows attackers to run any command during GitHub Actions workflows by creating specially crafted branch names or tags.  

| Vulnerability Name | CVE ID | Product Affected | Severity (CVSS) | Fixed Version |
| --- | --- | --- | --- | --- |
| Command Injection in branch-names GitHub Action | CVE-2025-54416 | tj-actions/branch-names GitHub Action < v8.2.1 | Critical (9.1) | v9.0.0 or later |

Technical Summary 

This vulnerability puts many CI/CD pipelines at serious risk, including the possibility of stealing secrets or injecting malicious code into releases.

The vulnerability stems from unsafe use of the eval command in the action's script. Although some values were escaped with printf '%q', developers later used eval printf '%s' on unescaped values, which reintroduced the command injection risk.

Any branch name containing malicious shell code can trigger execution during workflows. 

The vulnerability affects GitHub Action workflows that use tj-actions/branch-names. It allows attackers to inject and execute arbitrary shell commands by creating a branch with malicious content. The issue is caused by the unsafe use of eval when handling branch names and tags in output generation. 
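The following POSIX shell script is an added example, not the tj-actions/branch-names code. It places the unsafe pattern the advisory describes (an eval over an unescaped value) beside the safe form, and adds a conservative pre-check a workflow can run on any ref it receives. The branch name, function names and the character set accepted by the pre-check are constructed for the example; the `$(...)` in the branch name is a harmless marker that shows whether a value was executed or merely printed.

```shell
#!/bin/sh
# Added example, not the tj-actions/branch-names code: the unsafe pattern the
# advisory describes (eval over an unescaped value) beside a safe rewrite, plus
# a conservative pre-check a workflow can run on refs it receives.

# Constructed branch name. The "$(...)" part is a harmless marker: if it is
# executed, INJECTED appears in the output; if it is only printed, the
# literal text survives unchanged.
CRAFTED_REF='feature/$(echo INJECTED)'

# Vulnerable pattern: eval re-parses the string as shell code, so any command
# substitution or metacharacter inside the branch name is evaluated.
unsafe_output() {
    ref="$1"
    eval "printf '%s' $ref"
}

# Safe pattern: the value is handed to printf as one quoted argument and is
# never re-parsed. This is the shape of the "safe printf usage" the
# remediation refers to.
safe_output() {
    printf '%s' "$1"
}

# Defensive pre-check: exit 0 when a ref contains anything outside a
# conservative character set for branch and tag names (an assumption for this
# example; widen it if your naming convention needs more characters).
# Workflows can use it to reject or flag refs before any shell step sees them.
is_suspicious_ref() {
    case "$1" in
        *[!A-Za-z0-9._/-]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration when run directly.
printf 'unsafe: %s\n' "$(unsafe_output "$CRAFTED_REF")"
printf 'safe:   %s\n' "$(safe_output "$CRAFTED_REF")"
if is_suspicious_ref "$CRAFTED_REF"; then
    echo "pre-check: ref contains characters outside the expected set"
fi
```

The unsafe path prints `feature/INJECTED`, proving the substitution ran, while the safe path prints the literal `feature/$(echo INJECTED)`. The same rule applies on the consuming side: a downstream workflow that interpolates an action output straight into a `run:` script re-creates the problem, so values derived from branch or tag names should be passed to the step through `env:` and read as `"$VAR"` inside the script.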

| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-54416 | GitHub repositories using tj-actions/branch-names < v8.2.1 | Unsafe use of eval leads to command injection | Attacker can run arbitrary commands, steal secrets, alter source code, or compromise workflows |

Remediation

  • Update immediately to tj-actions/branch-names version v9.0.0 or higher
  • The vulnerable eval code has been replaced with safe printf usage. 
  • Review your workflows to ensure no malicious activity has occurred. 
  • Check logs for strange branch names or unexpected shell activity. 

Conclusion: 
This command injection flaw is extremely dangerous because of its simplicity and the number of projects it affects. GitHub Actions workflows that use branch names or tags from pull requests are especially at risk: attackers do not need access to the code, only the ability to open a pull request.

All developers and security teams should act now by updating to the latest version and reviewing usage of GitHub Actions in their workflows. 
