Serv-U 15.5.3 release notes
Release date: November 18, 2025
Here's what's new in Serv-U 15.5.3. You can find the applicable system requirements here.
To view release notes, system requirements, and product guide PDFs for supported versions of Serv-U, see Serv-U previous versions. To view release notes for multiple versions
New features and improvements in Serv-U
Support for the ED25519 public key signature system
Serv-U now supports:
-
Creation of ED25519 SSH key pairs.
-
Public key authentication using ED25519 keys.
-
Generation of ED25519 SSH private keys.
-
Use of ED25519 Host Keys in SSH Handshakes.
Serv-U IP block functionality extended to File share guest authentication
Serv-U IP block functionality now prevents password attacks on MGPS File shares by limiting repeated failed password guesses and logging failed attempts so that administrators are notified of suspicious activity.
Security improvements
-
Default configuration settings in Serv-U now enable an account lockout mechanism to prevent brute-force attacks and limit concurrent connections from a single IP address to mitigate server overload.
-
X-Forwarded-For protection has been enabled to prevent IP spoofing attacks.
-
A minimum password length requirement has been implemented to strengthen password security.
-
Limits on file upload sizes now prevent resource exhaustion.
-
In addition, HTTP Strict Transport Security (HSTS) has now been enabled.
-
Upgraded Angular to version 19.
Subscription model for Serv-U now available
You can now subscribe to Serv-U, which gives you access to new product versions and features as soon as they are released.
Fixed CVEs
At SolarWinds, we prioritize the swift resolution of CVEs to ensure the security and integrity of our software. In this release, we have successfully addressed the following CVEs.
SolarWinds CVEs
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2025-40547 | SolarWinds Serv-U Logic Abuse - Remote Code Execution Vulnerability | A logic error vulnerability exists in Serv-U, which when abused, could give a malicious actor with access to admin privileges the ability to execute code.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. |
9.1 Critical | |
| CVE-2025-40548 | SolarWinds Serv-U Broken Access Control - Remote Code Execution Vulnerability | A missing validation process exists in Serv-U, which when abused, could give a malicious actor with access to admin privileges the ability to execute code.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. |
9.1 Critical | |
| CVE-2025-40549 | SolarWinds Serv-U Path Restriction Bypass Vulnerability | A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory.
This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled. |
9.1 Critical | Maurice Moss |
Fixed customer issues
| Case number | Description |
|---|---|
| N/A | An error alert again displays after multi-factor authentication (MFA) when Web Client and File Sharing are disabled for the user. |
| N/A | Serv-U no longer ignores listeners created to accept client connections. |
| N/A | Case-insensitive counting for ASCII usernames was implemented to prevent brute force attempts that exceed limits. |
| N/A | Serv-U now prevents attacks by blocking the processing of specially crafted URLs designed to create XSS vulnerabilities. |
| N/A | 'Unsafe-inline' was removed from the style-src directive, and nonce was applied to style elements. Inline styles were refactored to CSS classes, and the cdk-virtual-scroll-viewport component was replaced with standard Nova-UI table implementations for better Content Security Policy (CSP) compliance. |
| 01985676 | Serv-U suggests available space identified for \\OneHost\DirectoryForHome. |
| 01984223 | Serv-U continues to operate as expected when it allows LDAP users. |
| 01981046 01973076 01978052 01978442 01977220 01977314 01972532 01975418 | Serv-U does not access the legacy client homepage URL during login and avoids a 404 error. |
| 01902200 | Serv-U correctly closes started Windows user logon tokens. |
| 01794765 | Serv-U connects the ODBC without errors on startup. |
Installation or upgrade
For new installations, you can download the installation file from the Serv-U product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Install the SolarWinds Serv-U File Server.
For more information about upgrades, see Upgrade Serv-U File Server.
End of life
| Version | EoL announcement | EoE effective date | EoL effective date |
|---|---|---|---|
| 15.5 | July 8, 2025: End-of-Life (EoL) announcement – Customers on Serv-U version 15.5 or earlier should begin transitioning to the latest version of Serv-U. | October 8, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Serv-U version 15.5 or earlier will no longer actively be supported by SolarWinds. | October 8, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Serv-U version 15.5. |
| 15.4.2 | April 15, 2025: End-of-Life (EoL) announcement – Customers on Serv-U version 15.4.2 or earlier should begin transitioning to the latest version of Serv-U. | July 15, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Serv-U version 15.4.2 or earlier will no longer actively be supported by SolarWinds. | July 15, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Serv-U version 15.4.2. |
| 15.4.1 | October 16, 2024: End-of-Life (EoL) announcement – Customers on Serv-U version 15.4.1 or earlier should begin transitioning to the latest version of Serv-U. | December 16, 2024: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Serv-U version 15.4.1 or earlier will no longer actively be supported by SolarWinds. | December 16, 2025: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Serv-U version 15.4.1. |
See the End of Life Policy for information about SolarWinds product life cycle phases. To see EoL dates for earlier Serv-U versions, see Serv-U release history.
Legal notices
© 2025 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.