SolarWinds Left Four Holes In The Fence And Called It A Product
Oh good. Oh fantastic. SolarWinds is back in the news and I haven't even finished my third coffee yet.
For those of you who blocked this vendor from your memory after the 2020 supply chain catastrophe, congratulations on your optimism. It did not pay off. Serv-U 15.5 just got four critical patches slapped on it, all scoring a lovely 9.1 on the CVSS scale. That's not a score, that's a cry for help.
Four holes in the fence. Four. Simultaneously. In one product. I've seen better security on a cardboard box.
The fun part is that a wolf who successfully waltzes through any of these gaps gets root-level code execution with administrative privileges. So not just "oops they're in," but "oops they own everything and can redecorate." Full root. On your file transfer server. The one probably sitting in your Sky Pasture because some Shepherd decided cloud was cheaper in 2022.
I'm fine. I'm totally fine.
Now look, I want to be very clear about something. This is not a phishing situation. The flock cannot be blamed for clicking fake grain this time. This is a server-side flaw. The Lambs are innocent for once in their miserable, attachment-opening lives.
The wolves don't need a single one of your users to do anything stupid. They just knock on the door and the door falls off its hinges. Serv-U is used heavily for managed file transfers, meaning sensitive data, compliance-adjacent workflows, and the exact kind of stuff that makes auditors cry.
SolarWinds has released the ointment. Version 15.5.1 apparently addresses all four. I'll believe it when I see a CVE that doesn't spawn three follow-up CVEs six weeks later, but here we are, applying it anyway because what else am I going to do.
Remediation
Yeah, yeah, here's what you actually do:
- Shear immediately. Update Serv-U to 15.5.1 or later. No, "we'll do it next sprint" is not acceptable. No.
- Check your exposure. If Serv-U is internet-facing and unpatched, assume something already sniffed around. Pull your logs. Look for weird administrative activity.
- Tighten the Electric Fence. Restrict access to Serv-U's admin interface. It should not be reachable from the open internet. If it is, I'm too tired to even be angry, I'm just sad.
- Audit Sky Pasture deployments. If you're running this in a cloud environment, double-check your network segmentation isn't just vibes.
- Tell the Shepherds. They won't understand, but document it so you have cover when they ask why patching took budget.
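The first three bullets, applied to an inventory, as an added example (not from the original report or from SolarWinds). The record fields `version`, `internet_facing` and `admin_from_internet`, and every host in the sample list, are assumptions made up for illustration; an unparseable version is treated as unpatched.

```python
import re

FIXED = (15, 5, 1)  # first fixed Serv-U release named in the post

def parse_version(text):
    """Numeric tuple for strings like '15.5' or 'v15.5.1.203'; None if unparseable."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions with zeros so 15.5 is compared as 15.5.0.
    return parts + (0,) * (len(FIXED) - len(parts))

def triage(host):
    """Map one inventory record to the remediation steps listed above."""
    actions = []
    ver = parse_version(host.get("version"))
    if ver is None:
        # Fail closed: an unknown version is handled as unpatched.
        actions.append("verify version by hand")
    if ver is None or ver < FIXED:
        actions.append("update to 15.5.1 or later")
        if host.get("internet_facing"):
            actions.append("pull logs, review administrative activity")
    if host.get("admin_from_internet"):
        actions.append("restrict admin interface access")
    return actions

def report(inventory):
    """Hosts needing work, most actions first."""
    rows = [(h["name"], triage(h)) for h in inventory]
    return sorted((r for r in rows if r[1]), key=lambda r: -len(r[1]))

# Constructed sample inventory; host names, versions and flags are made up.
INVENTORY = [
    {"name": "sftp-int-02", "version": "15.5.1", "internet_facing": False, "admin_from_internet": False},
    {"name": "sftp-edge-01", "version": "15.5", "internet_facing": True, "admin_from_internet": True},
    {"name": "sftp-cloud-03", "version": "v15.5.1.203", "internet_facing": True, "admin_from_internet": True},
    {"name": "sftp-old-04", "version": "unknown", "internet_facing": False, "admin_from_internet": False},
]

if __name__ == "__main__":
    for name, actions in report(INVENTORY):
        print(f"{name}: " + "; ".join(actions))
```

A patched host can still show up in the report: the admin-interface check is independent of the version check.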
Heading back to the field. Wake me up when it's a 9.2.
Original Report: https://thehackernews.com/2026/02/solarwinds-patches-4-critical-serv-u.html