RCE

Security Vulnerabilities in NGINX Causing DoS in RCE

The NGINX rewrite module is used to redirect or modify web requests.

The NGINX vulnerability known as CVE-2026-42945 is a heap buffer overflow: a programming mistake in which the software writes or reads more data in memory than it should. The flaw is 18 years old and is triggered when certain rewrite rules are configured in a vulnerable way.

This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Further, attackers don’t need any authentication to send malformed requests to servers. The vulnerability was discovered with the help of AI models in recent months, after being missed by scanners and humans over the years.

How the Attack Can Be Leveraged & Potential Impact

NGINX is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well. By exploiting the flaw, attackers can:

  • Crash or restart the NGINX server remotely
  • Cause websites or applications to become unavailable
  • Launch Denial-of-Service (DoS) attacks

In the worst case, if the Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:

  • Attackers may be able to run malicious code on the server
  • This could potentially lead to full server compromise
  • The attack requires no authentication and can be performed remotely, while 5.7 million internet-facing NGINX servers may be exposed
  • Exploitation is already happening in real-world attacks
  • The vulnerable code has reportedly existed for nearly 18 years

| Vulnerability | Details |
| --- | --- |
| CVE ID | CVE-2026-42945 |
| Severity | High / Critical |
| Affected Product | NGINX OSS & NGINX Plus |
| Impact | DoS / Possible Remote Code Execution |
| Attack Requirement | Specially crafted web requests |
| Authentication Needed | No |

Researchers also found additional medium-severity vulnerabilities affecting:

  • HTTP/3 QUIC module
  • HTTP/2 proxy mode
  • SSL module
  • SCGI and uWSGI modules
  • Charset handling module

These may cause:

  • Memory exhaustion
  • Data leakage
  • Spoofing attacks
  • Service instability

This causes a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the NGINX service crashes and restarts, causing a Denial-of-Service (DoS) condition.

Immediate Patching Recommendation

Upgrade to the latest patched NGINX versions immediately.

  • Review and modify vulnerable rewrite rules.
  • Restrict unnecessary internet exposure of NGINX servers.
  • Monitor for unexpected NGINX crashes or restarts.
  • Ensure ASLR and other OS-level security protections remain enabled.
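
One way to act on the "monitor for crashes" and "keep ASLR enabled" items, as an added example that is not part of the original post or of NGINX itself: it looks for bursts of worker exits on fatal signals in the error log and reads the Linux ASLR setting. The sample log lines are constructed, and the burst threshold, window and priority labels are assumptions to tune locally.

```python
import re
from datetime import datetime, timedelta
from pathlib import Path

# The NGINX master process logs abnormal worker exits at [alert] level.
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)")
# Linux signal numbers that typically accompany memory corruption.
FATAL = {6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV"}

# Constructed sample error.log lines (not taken from a real server).
SAMPLE_LOG = """\
2026/05/14 10:00:58 [notice] 1200#1200: signal 17 (SIGCHLD) received from 4242
2026/05/14 10:01:02 [alert] 1200#1200: worker process 4242 exited on signal 11 (core dumped)
2026/05/14 10:01:40 [alert] 1200#1200: worker process 4251 exited on signal 11 (core dumped)
2026/05/14 10:03:15 [alert] 1200#1200: worker process 4260 exited on signal 11
2026/05/14 12:00:00 [notice] 1200#1200: worker process 4275 exited with code 0
2026/05/14 13:00:00 [alert] 1200#1200: worker process 4280 exited on signal 15
2026/05/14 14:30:00 [alert] 1200#1200: worker process 4290 exited on signal 6
""".splitlines()


def parse_crashes(lines):
    """Return [(timestamp, worker_pid, signal_name)] for fatal-signal worker exits."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m.group(3)) in FATAL:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            crashes.append((ts, int(m.group(2)), FATAL[int(m.group(3))]))
    return crashes


def crash_bursts(crashes, window=timedelta(minutes=5), threshold=3):
    """Return [(first_timestamp, count)] for runs of >= threshold crashes in `window`."""
    times = sorted(c[0] for c in crashes)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((times[i], count))
            i = j + 1          # continue after the burst
        else:
            i += 1
    return bursts


def aslr_status(raw):
    """Interpret the content of /proc/sys/kernel/randomize_va_space."""
    return {"0": "disabled", "1": "partial", "2": "full"}.get(raw.strip(), "unknown")


def read_aslr(path="/proc/sys/kernel/randomize_va_space"):
    """Read the live ASLR setting; 'unknown' on hosts without this file."""
    p = Path(path)
    return aslr_status(p.read_text()) if p.exists() else "unknown"


def assess(lines, aslr):
    """Combine crash bursts and ASLR state into one triage record."""
    crashes = parse_crashes(lines)
    bursts = crash_bursts(crashes)
    if bursts and aslr != "full":
        priority = "critical"   # repeated crashes without full ASLR: worst case
    elif bursts:
        priority = "high"       # repeated crashes: likely DoS attempts
    elif crashes:
        priority = "review"     # isolated fatal exit
    else:
        priority = "none"
    return {"crashes": len(crashes), "bursts": bursts,
            "aslr": aslr, "priority": priority}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, read_aslr()))
```
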

The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.

How GaarudNode Helps Secure Against This Vulnerability

GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.

| Security Capability | How It Helps |
| --- | --- |
| Continuous OS & Infrastructure Vulnerability Scanning | Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads |
| Missing Patch Detection | Identifies systems missing critical NGINX security updates and tracks remediation status |
| Misconfiguration Assessment | Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw |
| CSPM (Cloud Security Posture Management) | Identifies internet-exposed NGINX instances and insecure cloud deployments |
| Network Security Visibility | Detects externally exposed web services and risky attack surfaces |
| Runtime Monitoring (Shift Right) | Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts |
| Risk Prioritization | Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation |
| Unified Risk Dashboard | Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks |

Sources: NGINX: DoS vulnerability is being attacked | heise online

Critical Vulnerability in Exim Affects Exim Mail Transfer Agent

Security updates have been released for the Exim Mail Transfer Agent (MTA), addressing multiple possible remotely triggerable critical vulnerabilities allowing RCE.

The flaw affected outdated Exim deployments. It is a use-after-free (UAF) flaw triggered during the TLS shutdown while handling BDAT chunked SMTP traffic.

Exim is a widely used open-source mail transfer agent deployed across enterprise, ISP, academic, and government infrastructures for internet-connected Unix systems. CVE-2026-45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It impacts Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. OpenSSL-based builds are not affected.

The Exim Project has confirmed

  • All versions prior to 4.99.3 are obsolete.
  • Legacy 3.x versions are more than 20 years outdated and should no longer be used.
  • Version 4.99.3 is the latest security release addressing remotely triggerable issues.

The vulnerability impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication.
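
The exposure conditions stated above (version 4.97 through 4.99.2, GnuTLS build, STARTTLS and CHUNKING advertised) can be checked per host. The following is an added example, not code from the Exim project or from XBOW: it assumes the usual `Exim version …` and `Support for: …` lines of `exim -bV` output and a captured EHLO reply, and the sample inputs and host names are constructed.

```python
import re

# Affected range as stated in the article: 4.97 through 4.99.2.
AFFECTED_MIN, AFFECTED_MAX = (4, 97, 0), (4, 99, 2)

# Constructed samples modelled on `exim -bV` output and an EHLO reply.
BV_TEMPLATE = """\
Exim version {version} #2 built 01-Jan-2026 00:00:00
Support for: crypteq IPv6 {tls} DKIM DNSSEC Event PIPECONNECT PRDR
"""
SAMPLE_EHLO = """\
250-mail.example.test Hello probe.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP
"""


def sample_bv(version, tls):
    """Build constructed `exim -bV` text for a given version and TLS library."""
    return BV_TEMPLATE.format(version=version, tls=tls)


def parse_bv(text):
    """Extract ((major, minor, patch), tls_library) from `exim -bV` output."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", text, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    parts = [int(p) for p in m.group(1).split(".")]
    version = tuple(parts + [0] * (3 - len(parts)))[:3]
    support = re.search(r"^Support for:(.*)$", text, re.M)
    features = support.group(1).split() if support else []
    tls = next((lib for lib in ("GnuTLS", "OpenSSL") if lib in features), None)
    return version, tls


def ehlo_keywords(reply):
    """Return the ESMTP keywords advertised in a multi-line 250 EHLO reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:        # first line is the greeting
        m = re.match(r"250[- ](\S+)", line.strip())
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def triage(bv_text, ehlo_reply):
    """Return (all_conditions_met, per-condition results).

    Caveat: distribution packages may backport the fix without changing
    the upstream version string, so confirm against the package changelog.
    """
    version, tls = parse_bv(bv_text)
    keywords = ehlo_keywords(ehlo_reply)
    checks = {
        "version in 4.97..4.99.2": AFFECTED_MIN <= version <= AFFECTED_MAX,
        "built with GnuTLS": tls == "GnuTLS",
        "STARTTLS advertised": "STARTTLS" in keywords,
        "CHUNKING advertised": "CHUNKING" in keywords,
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    for ver, lib in [("4.98", "GnuTLS"), ("4.98", "OpenSSL"), ("4.99.3", "GnuTLS")]:
        exposed, detail = triage(sample_bv(ver, lib), SAMPLE_EHLO)
        print(ver, lib, "EXPOSED" if exposed else "conditions not met", detail)
```
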

There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of Exim is quite different.

Vulnerability Exploitation

Attackers exploiting the vulnerability could execute commands on the server as well as access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.

Findings from XBOW research:

XBOW Native successfully produced a working exploit for a simplified target Exim server that had no Address Space Layout Randomization (ASLR) and a non-PIE (Position Independent Executable) binary.

In a second attempt, the LLM achieved an exploit on a machine with ASLR, but still a non-PIE binary.

“[…] instead of continuing to attack glibc’s allocator with off-the-shelf mechanisms, XBOW Native had taken on Exim’s own allocator,” XBOW researchers say.

Despite the surprising result below, it was the human researcher who won the race, with assistance from the LLM for tasks such as assembling files and testing exploitation avenues.

Threat actors commonly target internet-facing mail transfer agents due to their direct exposure to external networks and critical role in enterprise communication infrastructure.

Threat Context

| Security Area | Details |
| --- | --- |
| Product | Exim Mail Transfer Agent (MTA) |
| Current Secure Version | 4.99.3 |
| Affected Versions | All versions prior to 4.99.3 |
| Legacy Risk | Exim 3.x releases are obsolete |
| Attack Surface | Internet-facing SMTP services |
| Potential Impact | Remote exploitation, mail service compromise, unauthorized access |

Indicators of Concern (IoCs / Risk Indicators)

| Type | Indicator | Description |
| --- | --- | --- |
| Network Activity | Unusual SMTP connections | Suspicious external mail interactions |
| Service Behaviour | Unexpected Exim crashes/restarts | Possible exploitation attempts |
| Log Activity | Unauthorized mail relay events | Potential abuse of mail routing |
| Authentication | Unknown SMTP authentication attempts | Credential abuse indicators |
| System Activity | Unexpected child process execution | Possible remote code execution attempts |

Mitigations

  • Upgrade all Exim installations to version 4.99.3 immediately.
  • Identify and decommission obsolete Exim 3.x deployments.
  • Restrict unnecessary external exposure of SMTP services.
  • Audit mail server configurations and relay permissions.

Users of Ubuntu and Debian-based Linux distributions should apply the available Exim updates (v4.99.3) through their package managers.

Sources: Exim Remote Code Execution Vulnerability

Sources: New critical Exim mailer flaw allows remote code execution

PAN-OS Firewall of PaloAlto Vulnerability Exploited for RCE

CVE-2026-0300 is a critical vulnerability with a CVSS score of 9.3.

Palo Alto Networks has issued a strict advisory for its customers after an actively exploited zero-day vulnerability affected its firewall operating system, PAN-OS. CVE-2026-0300 allows attackers to gain full control of affected systems without authentication.

The zero-day bug stems from a buffer overflow weakness, allowing unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

Active Exploitation Observed in the Wild

Palo Alto Networks confirmed that exploitation attempts have already been observed in its advisory and urged its customers and organizations to mitigate exposure immediately.

What did the vulnerability affect:

  • PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
  • PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
  • PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
  • PAN-OS 12.1 below 12.1.4-h5, 12.1.7

Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.

PoC of CVE-2026-0300

Palo Alto published a PoC on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level RCE on affected PAN-OS versions.

While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating exploit mechanics.

Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.

Patching & Remediation

Since security patches take time, Palo Alto recommends reducing exposure as the most effective way to contain risk. Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances.

If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.

The company has stated that security fixes will be released in stages between May 13-28, depending on the PAN‑OS version in use.

In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.

For security teams, immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released.

Monitoring unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.

A similar authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS, which allows unauthenticated attackers with network access to bypass authentication on the management web interface, was discovered on 20 Feb 2025. https://intruceptlabs.com/2025/02/palo-alto-firewall-vulnerabilities-under-active-exploitation/

Firewall Infrastructure Attacks Have Increased in Recent Years, and So Have the Stakes for Enterprise and Critical Infrastructure

Firewalls are prime targets because if a firewall can be controlled, the entire network is in the hands of hackers. In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. Threat actors most commonly target management interfaces, login pages and authentication portals in both opportunistic and targeted campaigns.

A successful compromise in the firewall can allow attackers to:

  • Intercept entire network traffic
  • Disable security protections
  • Move laterally inside corporate networks
  • Establish persistent backdoors

For stronger defense, allow Intrucept to proactively test your defenses by identifying vulnerabilities fast. You can start the process to enhance your security posture and protect your digital assets from evolving threats.

Call us for a demo: https://intruceptlabs.com/contact/

Sources: https://fieldeffect.com/blog/palo-alto-firewall-zero-day-unauthenticated-root-access#:~:text=On%20May%205%2C%202026%2C%20Palo,systems%20accessible%20from%20untrusted%20networks.

Sources: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day

Vulnerable ABAP Program Patched by SAP in April Security Updates

SAP Security Patch Day saw the release of 19 new security notes on April 14th. There is 1 update to a previously released security note. The update addresses several severe flaws, including critical SQL injection, denial of service (DoS) and code injection vulnerabilities.

Vulnerability Details:

[CVE-2026-27681] SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse is most critical with CVSS score 9.9. This flaw may allow attackers to run arbitrary database queries, potentially compromising sensitive information and system integrity.

SAP also released a security note that addresses a high-severity missing authorization check in SAP ERP and SAP S/4 HANA, tracked as CVE-2026-34256. With a CVSS score of 7.1, this vulnerability could enable unauthorized users to perform restricted actions in both private cloud and on‑premise deployments.

Further, it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs.

[CVE-2025-64775] Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform, the criticality is medium

[CVE-2026-34264] Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA, medium criticality

Key inputs:

Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure.

The vulnerabilities may trigger denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content or code execution in the victim’s browser.

Patching:

The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application and S4CORE.

The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation.

Refer to

Dec 2025 Security Advisory SAP Security Patch Released, Critical RCE Fixed & DoS Vulnerabilities 

Conclusion: SAP strongly recommends that the customer visits the support portal and applies patches on priority to protect their SAP landscape.

Sources: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2026.html

Sources: https://www.securityweek.com/sap-patches-critical-abap-vulnerability/

CISCO Vulnerability Allows RCE in its Smart Software Manager on-Premise

CVE-2026-20160, a vulnerability in Cisco’s Smart Software Manager, may allow attackers to gain complete control over the affected system without needing authentication, that is, without gaining prior access to the system. It has a CVSS severity score of 9.8 out of 10, indicating its high risk level.

Authentication and access controls play a crucial role in web application and system security. What can happen?

  • Data theft
  • System compromise
  • Privilege escalation

CISCO’s Smart Software Manager Flaw

In this case the vulnerability exposure allows unauthorized access: attackers do not need login credentials and can execute arbitrary commands on the operating system, escalating further by sending a crafted request to the service’s API. The vulnerability impacts certain versions of Cisco SSM On-Prem, particularly software releases from 9-202502 to 9-202510.

Remediation for organizations

Organizations can prevent authentication bypass through regular patching, multi-factor authentication, encryption, and strong password policies.

The vulnerability does not impact the newly released version 9-202601 of Cisco’s Smart Software Manager, which includes a patch that fixes the flaw.

Cisco advises upgrading to version 9-202601 immediately, as there are no current workarounds or temporary mitigations to block potential attacks.

IT teams should ensure that devices meet the necessary memory and hardware specifications before proceeding with the update.

Key findings from CVE-2026-20160 Vulnerability

The vulnerability was discovered internally by Cisco’s Technical Assistance Center (TAC) team, and they found no immediate exploitation in the wild.

The disclosure can motivate hackers to reverse-engineer the patch and search for vulnerable systems. Following Cisco’s guidelines and maintaining up-to-date security measures will be essential in mitigating the associated risks and stopping any kind of data breach.

Conclusion:

Research shows that timely patching is critical for authentication security, and failing to do so can lead to data breaches.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.

Sources: Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability

Critical Vulnerability CVE-2026-4681 in Windchill & FlexPLM Exposes Systems to RCE

PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3. 

Vulnerability details:

The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.

The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically: 

  • Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0  
  • FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0  

Description

  • The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
  • CVE-2026-4681 has been reported
  • At this time, there is no evidence of confirmed exploitation affecting PTC customers

Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability.

Immediate Mitigation Steps 

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include: 

For Apache HTTP Server 

  1. Create a new configuration file named 90-app-Windchill-Auth.conf under <APACHE_HOME>/conf/conf.d/.
  2. Add the following directive:

# Deny every request to the Publish servlet path on either Windchill gateway
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$">
Require all denied
</LocationMatch>

  3. Ensure this file is the last in the configuration sequence and restart the Apache server.

For Microsoft IIS 

  1. Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.  
  2. Modify the web.config file to include the rewrite rule as the first tag in <system.webServer>.  
  3. Restart IIS using iisreset and confirm the rule is active in IIS Manager.  

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures. 

Additional Protection Measures 

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet. 

PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.

Indicators of Compromise 

Security teams are advised to monitor for specific signs that may indicate exploitation of the Windchill or FlexPLM vulnerability:

Network and User-Agent Patterns 

  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36  
  • Suspicious HTTP requests: run?p=, .jsp?p=, run?c=, .jsp?c=

File System Indicators 

  • GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)  
  • Any dpr_<8-hex-digits>.jsp file  
  • Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class, WTContextUpdate.class, and their Java equivalents  

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution. 

Log and Error Patterns 

  • Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception  

  • PTC strongly urges customers to report any new identified IOCs immediately and initiate security response plans. 
  • This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments.
  • By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect their data
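
The indicators listed above can be swept for in one pass over access logs, application logs and the file system. The following is an added example, not PTC tooling: the indicator values are copied from this page, while the sample log lines, the combined access-log layout, the reason labels and the reading of "Java equivalents" as `.java` files are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Indicator values copied from the advisory text above.
IOC_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36")
IOC_SHA256 = "c818011caff82272f8cc50b670304748984350485383ebad5206d507a4b44ff1"
IOC_STEMS = {"GW", "Gen", "HTTPRequest", "HTTPResponse", "IXBCommonStreamer",
             "IXBStreamer", "MethodFeedback", "MethodResult", "WTContextUpdate"}
DPR_RE = re.compile(r"^dpr_[0-9a-fA-F]{8}\.jsp$")
REQ_RE = re.compile(r"(?:run|\.jsp)\?[pc]=")   # run?p= .jsp?p= run?c= .jsp?c=
LOG_RE = re.compile(r"GW_READY_OK|ClassNotFoundException.*GW|HTTP Gateway Exception")

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_ACCESS = [
    f'203.0.113.7 - - [01/Jan/2026:08:14:02 +0000] "GET /Windchill/dpr_1a2b3c4d.jsp?p=x HTTP/1.1" 200 512 "-" "{IOC_UA}"',
    f'198.51.100.20 - - [01/Jan/2026:08:15:10 +0000] "GET /Windchill/app/ HTTP/1.1" 200 9001 "-" "{IOC_UA}"',
    '198.51.100.21 - - [01/Jan/2026:08:16:44 +0000] "POST /Windchill/servlet/run?c=1 HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    '198.51.100.9 - - [01/Jan/2026:08:17:03 +0000] "GET /Windchill/app/search.jsp?q=gear HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
]
SAMPLE_APP = [
    "2026-01-01 08:14:03 INFO  GW_READY_OK",
    "2026-01-01 08:14:05 ERROR java.lang.ClassNotFoundException: GW",
    "2026-01-01 08:15:00 INFO  MethodServer heartbeat",
]


def scan_access_log(lines):
    """Return [(line_no, [reasons])]. The UA is a stock Chrome string, so a
    'user-agent' hit on its own is weak; prioritise lines that also carry a
    'request-pattern' reason."""
    hits = []
    for no, line in enumerate(lines, 1):
        reasons = []
        if REQ_RE.search(line):
            reasons.append("request-pattern")
        if IOC_UA in line:
            reasons.append("user-agent")
        if reasons:
            hits.append((no, reasons))
    return hits


def scan_app_log(lines):
    """Return line numbers of log messages matching the listed error patterns."""
    return [no for no, line in enumerate(lines, 1) if LOG_RE.search(line)]


def classify_file(name, sha256_hex=None):
    """Return which file indicator matches (hash first, then name), or None."""
    if sha256_hex and sha256_hex.lower() == IOC_SHA256:
        return "sha256"
    if DPR_RE.match(name):
        return "dpr-jsp-name"
    stem, _, ext = name.rpartition(".")
    if name == "payload.bin" or (stem in IOC_STEMS and ext in ("class", "java")):
        return "listed-file-name"
    return None


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large artefacts do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Walk `root`, returning [(path, indicator)] for every matching file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            verdict = classify_file(path.name, sha256_file(path))
            if verdict:
                findings.append((str(path), verdict))
    return findings


if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS), scan_app_log(SAMPLE_APP))
```
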

Source: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOooLDdBNS2lOeRasqrbyOfjfVKyhJH6Z_wfzqO93k3cqVQcSueEv

Microsoft Releases Tuesday Patch-March 2026; Fixed 83 Flaws

Microsoft Tuesday Patch March 2026 fixes 83 Vulnerabilities Including 2 Actively Exploited Zero-Days 


SolarWinds Serv-U 15.5.4 Rocked by Critical RCE Vulnerabilities; Patch Now

Summary: SolarWinds has fixed four critical vulnerabilities in its popular Serv-U file transfer solution, which is used by businesses and organizations of all sizes. The vulnerabilities impact SolarWinds Serv-U Managed File Transfer, a platform frequently deployed as an internet-facing FTP/FTPS/SFTP gateway or as an internal file exchange service handling sensitive data.

| Field | Value |
| --- | --- |
| OEM | SolarWinds |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |

Overview 

SolarWinds stated that there are no confirmed reports of active exploitation at this time. However, previous Serv-U vulnerabilities were exploited by advanced threat actors.

SolarWinds Serv-U is a secure file transfer server used by organizations to manage FTP, FTPS, SFTP, and HTTP/S file transfers across enterprise environments. It is commonly deployed on Windows and Linux servers to securely exchange sensitive business data.

SolarWinds fixed four critical remote code execution vulnerabilities in Serv-U 15.5. These vulnerabilities could allow an attacker with administrative privileges to execute arbitrary native code as root on the affected server. 

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| --- | --- | --- | --- | --- | --- |
| Broken Access Control Remote Code Execution Vulnerability | CVE-2025-40538 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Type Confusion Remote Code Execution Vulnerability | CVE-2025-40539 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Type Confusion Remote Code Execution Vulnerability | CVE-2025-40540 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability | CVE-2025-40541 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |

Technical Summary 

These critical vulnerabilities affect SolarWinds Serv-U version 15.5 and arise from weaknesses such as improper access control checks, type confusion errors, and insecure object reference handling.

If exploited, they may allow an attacker to run arbitrary native code with root-level privileges on the affected server. 

Successful exploitation requires administrative access. Once obtained, an attacker could create unauthorized administrator accounts, and execute malicious code, potentially resulting in complete system compromise and further movement across the network.

SolarWinds strongly advises upgrading to Serv-U version 15.5.4 to address these security risks. 

| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-40538 | Serv-U 15.5 | Improper access control enabling admin creation and root-level code execution | Admin account creation, full system compromise |
| CVE-2025-40539 | Serv-U 15.5 | Type confusion enabling arbitrary native code execution as root | Arbitrary native code execution |
| CVE-2025-40540 | Serv-U 15.5 | Type confusion leading to root-level native code execution | Root-level execution |
| CVE-2025-40541 | Serv-U 15.5 | IDOR enabling unauthorized access and root-level code execution | Remote code execution as root |

Potential Consequences 

  • Full server takeover 
  • Privilege escalation 
  • Lateral movement within enterprise network 
  • Data exfiltration 
  • Malware or backdoor deployment 

Remediation:  

Upgrade immediately to the fixed Serv-U version listed below:

  • Serv-U 15.5.4

If immediate patching is not possible, apply the following temporary mitigations:

  1. Restrict Serv-U administrative access to trusted IP ranges.
  2. Enforce MFA for all Serv-U admin accounts.
  3. Ensure services run with least privilege.
  4. Conduct an audit of newly created administrative accounts.

You can follow the recommendations below as a best practice:

  • Enforce strict administrative access controls. 
  • Monitor logs for unauthorized privilege escalation. 
  • Implement network segmentation for file transfer servers. 
  • Apply regular patch management and vulnerability scanning. 

Conclusion: 
These four newly disclosed vulnerabilities in SolarWinds Serv-U represent critical remote code execution risks. Although exploitation has not been confirmed, Serv-U’s history of targeted attacks increases the urgency for patching. 

Organizations should treat this as a priority patching event and immediately upgrade to Serv-U 15.5.4 to prevent potential root-level compromise. 
