Warning: Critical vulnerabilities in SolarWinds Serv-U servers can be exploited for remote code execution. Patch immediately!

  • Published: 25/02/2026
  • Last update: 25/02/2026
  • Affected software:
    → SolarWinds Serv-U MFT
    → Serv-U FTP Server
  • Type: Remote Code Execution (RCE)
  • CVE/CVSS
    → CVE-2025-40538: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-40539: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-40540: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-40541: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Sources

SolarWinds advisory - https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm
SolarWinds advisory (CVE-2025-40538) - https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40538
SolarWinds advisory (CVE-2025-40539) - https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40539
SolarWinds advisory (CVE-2025-40540) - https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40540
SolarWinds advisory (CVE-2025-40541) - https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40541

Risks

SolarWinds released an advisory referring to four critical vulnerabilities in its Serv-U Server product line, used for file transfer. All four vulnerabilities can be exploited to achieve remote code execution.

While there is no indication of active exploitation at this time (cut-off date: 25 February 2026), it is likely that threat actors will attempt to exploit them. Threat actors, including ransomware groups, have shown interest in the past in targeting file transfer technology[1].

However, exploitability of these four vulnerabilities is limited on Windows deployments because exploitation requires administrative privileges, which services running on Windows often do not have by default.

Description

CVE-2025-40538 is a broken access control vulnerability. Successful exploitation enables a remote attacker to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges.

CVE-2025-40539 is a type confusion flaw. A remote threat actor could exploit it to execute arbitrary native code as root.

CVE-2025-40540 is another type confusion vulnerability. Similar to CVE-2025-40539, successful exploitation gives a malicious actor the ability to execute arbitrary native code as root.

CVE-2025-40541 is an Insecure Direct Object Reference (IDOR) vulnerability. A remote threat actor could exploit it to gain the ability to execute native code as root.

Please note that, for all four issues, administrative privileges are required. On Windows deployments, the risk is rated as medium because the service frequently runs under a less-privileged service account by default.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
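To help prioritise the patching described above, the following added example (not CCB or SolarWinds code) triages a constructed Serv-U inventory by version and deployment type. It assumes that Serv-U 15.5.4, the release linked in the sources, is the first fixed version, and it applies the advisory's reasoning that a Windows host whose Serv-U service runs under a non-administrative account carries medium rather than critical risk; a Windows host whose service does run with administrative rights is treated as critical, like non-Windows hosts.

```python
# Added triage helper (not CCB or SolarWinds code). Assumes Serv-U 15.5.4 is
# the first fixed version and that a Windows deployment whose Serv-U service
# runs without administrative rights is medium risk, per the advisory text.
from dataclasses import dataclass
import re

FIXED_VERSION = (15, 5, 4)  # assumption: first version containing the fixes
ADVISORY_CVES = ("CVE-2025-40538", "CVE-2025-40539",
                 "CVE-2025-40540", "CVE-2025-40541")

@dataclass
class ServUHost:
    name: str
    version: str            # e.g. "15.5.3.128"
    os: str                 # "windows" or "linux"
    service_is_admin: bool  # True if the Serv-U service has admin/root rights

def parse_version(text: str) -> tuple:
    """Turn '15.5.3.128' (or '15.5.4') into a comparable (major, minor, patch)."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 3:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    return tuple(int(p) for p in parts[:3])

def is_vulnerable(host: ServUHost) -> bool:
    return parse_version(host.version) < FIXED_VERSION

def risk_level(host: ServUHost) -> str:
    """critical / medium / none, following the advisory's reasoning."""
    if not is_vulnerable(host):
        return "none"
    if host.os.lower() == "windows" and not host.service_is_admin:
        return "medium"
    return "critical"

def triage(hosts) -> list:
    """Return (name, version, risk) rows, most urgent first."""
    order = {"critical": 0, "medium": 1, "none": 2}
    rows = [(h.name, h.version, risk_level(h)) for h in hosts]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    ServUHost("ftp-lin-01", "15.5.3.128", "linux", True),
    ServUHost("ftp-win-01", "15.5.2.0", "windows", False),
    ServUHost("ftp-win-02", "15.5.3.0", "windows", True),
    ServUHost("ftp-lin-02", "15.5.4.0", "linux", True),
]

if __name__ == "__main__":
    for name, version, risk in triage(SAMPLE_HOSTS):
        print(f"{name:12} {version:12} {risk}  ({', '.join(ADVISORY_CVES)})")
```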

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

The Hacker News - https://thehackernews.com/2026/02/solarwinds-patches-4-critical-serv-u.html

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a