CVE-2025-40541
Published 2026-02-24
CVE-2025-40541: An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as…
Priority P3 46 · Severity high · CVSS 3.1: 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% (42.9th percentile)
An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u | < 15.5.4 | 15.5.4 |
| solarwinds | serv-u | — | — |
No detection rules found.
No public exploits indexed.
Wiz · CVSS 9.1
CVE-2025-40540 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40540: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score 7.2
Published February 24, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
Serv-U Managed File Transfer Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.2
Exploitation Probability (EPSS) 0.1
Affected pac
Wiz · CVSS 9.1
CVE-2025-40538 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40538: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score 7.2
Published February 24, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
Serv-U Managed File Transfer Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probabili
Wiz · CVSS 9.1
CVE-2025-40539 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40539: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score 7.2
Published February 24, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
Serv-U Managed File Transfer Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.2
Exploitation Probability (EPSS) 0.1
Affected pac
Wiz · CVSS 9.1
CVE-2025-40541 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40541: Serv-U Managed File Transfer Server vulnerability analysis and mitigation
An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Source: NVD
Score 7.2
Published February 24, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
Serv-U Managed File Transfer Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS)
Published 2026-02-24