Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2025-40539 |
| Alert Source | NVD - New Critical Vulnerability |
| CVE Publication Year | 2025 |
| Date Published | 2026-02-24 |
| Vendor | Solarwinds |
| Product | Serv-U |
| CVSS Score | 9.1 (critical) |
| EPSS Score | 0.0% (percentile: 13%) |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Required Actions
Apply vendor patches or mitigations as soon as available.
Who Is Affected?
This vulnerability affects Serv-U by Solarwinds. Check if your organization uses this software and requires updates.