Platform
windows
Component
serv-u
Opgelost in
15.5.4
CVE-2025-40538 describes a broken access control vulnerability within SolarWinds Serv-U. Successful exploitation allows a malicious actor to create a system administrator user and execute arbitrary code, potentially gaining privileged access to the system. This vulnerability affects versions of Serv-U up to and including 15.5.3, and a patch is available in version 15.5.4.
The impact of CVE-2025-40538 is significant due to the potential for remote code execution with elevated privileges. An attacker could leverage this vulnerability to gain complete control over the affected Serv-U server, including access to sensitive data stored within the system. This could involve data exfiltration, modification of files, or installation of malware. On Windows deployments, while services often run with limited privileges by default, the ability to escalate to a system admin account represents a serious risk. The vulnerability's ease of exploitation, combined with the potential for privilege escalation, makes it a high-priority target for attackers.
CVE-2025-40538 was published on 2026-02-24. Public proof-of-concept exploits are currently unknown, but the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Organizations utilizing SolarWinds Serv-U for file sharing, particularly those with legacy configurations or those running older versions (≤ 15.5.3), are at significant risk. Shared hosting environments where multiple users share a single Serv-U instance are also particularly vulnerable, as a compromise of one user account could potentially lead to the compromise of the entire server.
• windows / supply-chain:
Get-Service ServU | Select-Object -ExpandProperty StartName• windows / supply-chain:
Get-WinEvent -LogName Security -Filter "EventID = 4625" -MaxEvents 10 | Select-Object -Property TimeCreated, Message• windows / supply-chain:
Get-ScheduledTask | Where-Object {$_.TaskName -like "ServU*"}disclosure
Exploit Status
EPSS
0.04% (11% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-40538 is to upgrade SolarWinds Serv-U to version 15.5.4 or later. Prior to upgrading, it is highly recommended to create a full backup of the Serv-U database and configuration files. If an immediate upgrade is not feasible, consider implementing stricter access controls within Serv-U, limiting the privileges of user accounts and restricting access to sensitive resources. While not a complete solution, enabling auditing and monitoring of Serv-U activity can help detect suspicious behavior. After upgrading, verify the fix by attempting to create a new user with administrative privileges through the Serv-U interface; this should be prevented.
Werk SolarWinds Serv-U bij naar versie 15.5.4 of hoger. De update corrigeert de toegangscontrole kwetsbaarheid die Remote Code Execution mogelijk maakt. Raadpleeg de release notes voor meer details over de update.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-40538 is a critical Remote Code Execution vulnerability in SolarWinds Serv-U, allowing attackers to execute arbitrary code with privileged access.
You are affected if you are running SolarWinds Serv-U versions 15.5.3 or earlier. Upgrade to 15.5.4 or later to mitigate the risk.
Upgrade SolarWinds Serv-U to version 15.5.4 or later. Back up your data before upgrading.
While no public exploits are currently known, the vulnerability's severity suggests a high probability of exploitation. Monitor security advisories.
Refer to the official SolarWinds security advisory for detailed information and updates: [https://www.solarwinds.com/securityadvisories](https://www.solarwinds.com/securityadvisories)
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.