=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN211
_____________________________________________________________________

DATE                : 25/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Serv-U versions prior to 15.5.4.

=====================================================================
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm
_____________________________________________________________________

Serv-U 15.5.4 release notes

Release date: February 24, 2026

Here's what's new in Serv-U 15.5.4. You can find the applicable
system requirements here.

To view release notes, system requirements, and product guide PDFs for
supported versions of Serv-U, see Serv-U previous versions. To view
release notes for multiple versions and multiple SolarWinds Platform
products on a single page, see the release notes aggregator.

    New features and improvements in Serv-U
    Download history now available in File Share
    Time display now included with 'Last Modified' date in File Share
    Support for Ubuntu 24.04 LTS
    General improvements

    Fixed CVEs
    SolarWinds CVEs

    Fixed customer issues
    Installation or upgrade
    End of life
    Legal notices


New features and improvements in Serv-U
Download history now available in File Share

Serv-U has reintroduced the download history that was formerly
available in the old Web Client prior to Serv-U 15.5.2.

Time display now included with 'Last Modified' date in File Share

'Time' is now included with the 'Last Modified' date in File Share,
as it was in the old Web Client prior to Serv-U 15.5.2, bringing
additional feature parity between the old and current Web Client.


Support for Ubuntu 24.04 LTS

Serv-U supports Ubuntu 24.04 LTS.


General improvements

    Security improvements
    Functionality fixes

Fixed CVEs

At SolarWinds, we prioritize the swift resolution of CVEs to ensure the
security and integrity of our software. In this release, we have
successfully addressed the following CVEs.


SolarWinds CVEs

SolarWinds would like to thank our Security Researchers below for
reporting on the issue in a responsible manner and working with our
security, product, and engineering teams to fix the vulnerability.


CVE-ID              : CVE-2025-40538
Vulnerability Title : SolarWinds Serv-U Broken Access Control Remote Code
                      Execution Vulnerability
Description         : A broken access control vulnerability exists in
                      Serv-U which, when exploited, gives an attacker the
                      ability to create a system admin user and execute
                      arbitrary code as root via domain admin or group
                      admin privileges.
Severity            : 9.1 Critical
Credit              : N/A

CVE-ID              : CVE-2025-40540
Vulnerability Title : SolarWinds Serv-U Type Confusion Remote Code
                      Execution Vulnerability
Description         : A type confusion vulnerability exists in Serv-U
                      which, when exploited, gives an attacker the ability
                      to execute arbitrary native code as root.
Severity            : 9.1 Critical
Credit              : N/A

CVE-ID              : CVE-2025-40539
Vulnerability Title : SolarWinds Serv-U Type Confusion Remote Code
                      Execution Vulnerability
Description         : A type confusion vulnerability exists in Serv-U
                      which, when exploited, gives an attacker the ability
                      to execute arbitrary native code as root.
Severity            : 9.1 Critical
Credit              : N/A

CVE-ID              : CVE-2025-40541
Vulnerability Title : SolarWinds Serv-U Insecure Direct Object Reference
                      (IDOR) Remote Code Execution Vulnerability
Description         : An Insecure Direct Object Reference (IDOR)
                      vulnerability exists in Serv-U which, when exploited,
                      gives an attacker the ability to execute native code
                      as root.
Severity            : 9.1 Critical
Credit              : N/A


Fixed customer issues

Case number : 02030241
Description : Serv-U correctly differentiates LDAP and Windows groups
              selected for deletion.

Case number : 01930695 01718508 01841022 01823219 01900982 01930695
Description : The legacy login page contains the frame-ancestors: none
              directive in its content security policy (CSP)
              configuration to prevent the Serv-U legacy login page from
              being embedded in either the same or different applications.

Case number : N/A
Description : Default values are correctly applied during domain creation,
              improving security consistency and user experience.

Case number : N/A
Description : File share search result UI displays as expected.
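
To confirm the anti-framing fix above after an upgrade, the response
headers of the legacy login page can be checked for an enforced
frame-ancestors 'none' policy. The following is an added example, not
code from SolarWinds or CERT-Renater; the function names and the sample
header values are assumptions constructed for illustration.

```python
# Added example (not SolarWinds code). Header samples below are constructed.

def parse_csp(policy):
    """Parse one serialized policy into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def enforces_frame_ancestors_none(headers):
    """True if an enforced policy forbids every embedding ancestor.

    headers: list of (name, value) pairs, so repeated headers are preserved.
    """
    for name, value in headers:
        # Content-Security-Policy-Report-Only reports but never blocks.
        if name.lower() != "content-security-policy":
            continue
        # One header value may carry several comma-separated policies, and
        # all of them are enforced, so a single matching policy is enough.
        for policy in value.split(","):
            sources = parse_csp(policy).get("frame-ancestors")
            if sources is not None and [s.lower() for s in sources] == ["'none'"]:
                return True
    return False


# Constructed responses; the labels are hypothetical.
SAMPLES = {
    "fixed": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    # frame-ancestors does not fall back to default-src.
    "default-src only": [("Content-Security-Policy", "default-src 'none'")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    # The keyword needs its single quotes; bare none is read as a host name.
    "unquoted": [("Content-Security-Policy", "frame-ancestors none")],
    "same-origin allowed": [("Content-Security-Policy", "frame-ancestors 'self'")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:20} {enforces_frame_ancestors_none(headers)}")
```

Feed the function the (name, value) header pairs captured from the login
page response; only the "fixed" sample should evaluate to True.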


Installation or upgrade

For new installations, you can download the installation file from the
Serv-U product page on https://www.solarwinds.com or from the Customer
Portal. For more information, see Install the SolarWinds Serv-U File
Server.

For more information about upgrades, see Upgrade Serv-U File Server.


End of life*
Version            : 15.5.1
EoL announcement   : November 18, 2025: End-of-Life (EoL) announcement –
                     Customers on Serv-U version 15.5.1 or earlier should
                     begin transitioning to the latest version of Serv-U.
EoE effective date : February 18, 2026: End-of-Engineering (EoE) – Service
                     releases, bug fixes, workarounds, and service packs
                     for Serv-U version 15.5.1 or earlier will no longer
                     actively be supported by SolarWinds.
EoL effective date : November 18, 2026: End-of-Life (EoL) – SolarWinds will
                     no longer provide technical support for Serv-U
                     version 15.5.1.

Version            : 15.5
EoL announcement   : July 8, 2025: End-of-Life (EoL) announcement –
                     Customers on Serv-U version 15.5 or earlier should
                     begin transitioning to the latest version of Serv-U.
EoE effective date : October 8, 2025: End-of-Engineering (EoE) – Service
                     releases, bug fixes, workarounds, and service packs
                     for Serv-U version 15.5 or earlier will no longer
                     actively be supported by SolarWinds.
EoL effective date : October 8, 2026: End-of-Life (EoL) – SolarWinds will
                     no longer provide technical support for Serv-U
                     version 15.5.

Version            : 15.4.2
EoL announcement   : April 15, 2025: End-of-Life (EoL) announcement –
                     Customers on Serv-U version 15.4.2 or earlier should
                     begin transitioning to the latest version of Serv-U.
EoE effective date : July 15, 2025: End-of-Engineering (EoE) – Service
                     releases, bug fixes, workarounds, and service packs
                     for Serv-U version 15.4.2 or earlier will no longer
                     actively be supported by SolarWinds.
EoL effective date : July 15, 2026: End-of-Life (EoL) – SolarWinds will no
                     longer provide technical support for Serv-U
                     version 15.4.2.

See the End of Life Policy for information about SolarWinds product
life cycle phases. To see EoL dates for earlier Serv-U versions, see
Serv-U release history.


Legal notices

© 2026 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified,
decompiled, disassembled, published or distributed, in whole or in
part, or translated to any electronic medium or other means without
the prior written consent of SolarWinds. All right, title, and
interest in and to the software, services, and documentation are and
shall remain the exclusive property of SolarWinds, its affiliates,
and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS,
EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION,
INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS,
OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL
SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES,
WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF
SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are
the exclusive property of SolarWinds Worldwide, LLC or its affiliates,
are registered with the U.S. Patent and Trademark Office, and may be
registered or pending registration in other countries. All other
SolarWinds trademarks, service marks, and logos may be common law
marks or are registered or pending registration. All other trademarks
mentioned herein are used for identification purposes only and are
trademarks (and may be registered trademarks) of their respective
companies.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




