Scan free
CRITICALCVE-2025-40538CVSS 9.1

CVE-2025-40538: RCE in SolarWinds Serv-U

Platform

windows

Component

serv-u

Fixed in

15.5.4

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-40538 describes a broken access control vulnerability within SolarWinds Serv-U. Successful exploitation allows a malicious actor to create a system administrator user and execute arbitrary code, potentially gaining privileged access to the system. This vulnerability affects versions of Serv-U up to and including 15.5.3, and a patch is available in version 15.5.4.

Impact and Attack Scenarios

The impact of CVE-2025-40538 is significant due to the potential for remote code execution with elevated privileges. An attacker could leverage this vulnerability to gain complete control over the affected Serv-U server, including access to sensitive data stored within the system. This could involve data exfiltration, modification of files, or installation of malware. On Windows deployments, while services often run with limited privileges by default, the ability to escalate to a system admin account represents a serious risk. The vulnerability's ease of exploitation, combined with the potential for privilege escalation, makes it a high-priority target for attackers.

Exploitation Context

CVE-2025-40538 was published on 2026-02-24. Public proof-of-concept exploits are currently unknown, but the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.04% (11% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentserv-u
VendorSolarWinds
Affected rangeFixed in
SolarWinds Serv-U 15.5.3 and prior versions – SolarWinds Serv-U 15.5.3 and prior versions15.5.4

Weakness Classification (CWE)

CWE-269

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-40538 is to upgrade SolarWinds Serv-U to version 15.5.4 or later. Prior to upgrading, it is highly recommended to create a full backup of the Serv-U database and configuration files. If an immediate upgrade is not feasible, consider implementing stricter access controls within Serv-U, limiting the privileges of user accounts and restricting access to sensitive resources. While not a complete solution, enabling auditing and monitoring of Serv-U activity can help detect suspicious behavior. After upgrading, verify the fix by attempting to create a new user with administrative privileges through the Serv-U interface; this should be prevented.

How to fix

Update SolarWinds Serv-U to version 15.5.4 or later. The update fixes the access control vulnerability that allows remote code execution. See the release notes for more details about the update.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-40538 — RCE in SolarWinds Serv-U?

CVE-2025-40538 is a critical Remote Code Execution vulnerability in SolarWinds Serv-U, allowing attackers to execute arbitrary code with privileged access.

Am I affected by CVE-2025-40538 in SolarWinds Serv-U?

You are affected if you are running SolarWinds Serv-U versions 15.5.3 or earlier. Upgrade to 15.5.4 or later to mitigate the risk.

How do I fix CVE-2025-40538 in SolarWinds Serv-U?

Upgrade SolarWinds Serv-U to version 15.5.4 or later. Back up your data before upgrading.

Is CVE-2025-40538 being actively exploited?

While no public exploits are currently known, the vulnerability's severity suggests a high probability of exploitation. Monitor security advisories.

Where can I find the official SolarWinds advisory for CVE-2025-40538?

Refer to the official SolarWinds security advisory for detailed information and updates: [https://www.solarwinds.com/securityadvisories](https://www.solarwinds.com/securityadvisories)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs