CVE-2025-40538
Published: 2026-02-24
Priority P3 · 51 · high · CVSS 3.1 base score 7.2
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% (38.8th percentile)
A broken access control vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u | < 15.5.4 | 15.5.4 |
| solarwinds | serv-u | — | — |
No detection rules found.
No public exploits indexed.
Bleepingcomputer
blogs_bleepingcomputer · 2026-02-24 · CVSS 9.0 · [CRITICAL]
## Critical SolarWinds Serv-U flaws offer root access to servers
By Sergiu Gatlan
SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers.
Serv-U is the company's self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S.
The most severe of the four security flaws patched by SolarWinds today in Serv-U 15.5.4 is tracked as CVE-2025-40538, and it allows attackers with high privileges to gain root or admin permissions on vulnerable servers.
"A broken access control vulnerability exists in Serv-U which, when exploited, gives
Wiz
CVE-2025-40540 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2025-40540: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score: 7.2
Published: February 24, 2026
Severity: HIGH
CNA Score: 9.1
Affected Technologies: Serv-U Managed File Transfer Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 21.2
Exploitation Probability (EPSS): 0.1
Affected pac
Wiz
CVE-2025-40538 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2025-40538: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
A broken access control vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score: 7.2
Published: February 24, 2026
Severity: HIGH
CNA Score: 9.1
Affected Technologies: Serv-U Managed File Transfer Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probabili
Wiz
CVE-2025-40539 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2025-40539: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score: 7.2
Published: February 24, 2026
Severity: HIGH
CNA Score: 9.1
Affected Technologies: Serv-U Managed File Transfer Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 21.2
Exploitation Probability (EPSS): 0.1
Affected pac
Wiz
CVE-2025-40541 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · [CRITICAL]
## CVE-2025-40541: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score: 7.2
Published: February 24, 2026
Severity: HIGH
CNA Score: 9.1
Affected Technologies: Serv-U Managed File Transfer Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.9
Exploitation Probability (EPSS)
Published: 2026-02-24