CVE-2025-40538 PUBLISHED

SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability

Assigner: SolarWinds
Reserved: 16.04.2025 Published: 24.02.2026 Updated: 24.02.2026

A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges.

This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SolarWinds
Product	Serv-U
Versions	Default: affected Version SolarWinds Serv-U 15.5.3 and prior versions is affected

Solutions

SolarWinds recommends that customers upgrade to SolarWinds Serv-U 15.5.4 as soon as it becomes available.

CVE-2025-40538 PUBLISHED

SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability

Metrics

Product Status

Solutions

References

Problem Types

Impacts