CVE-2025-40548

Published Nov 18, 2025

Last updated 3 months ago

Overview

Description: A missing validation process exists in Serv-U which, when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Source: psirt@solarwinds.com
NVD status: Analyzed
Products: serv-u

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.1
Impact score: 6
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

psirt@solarwinds.com: CWE-269

Social media

Hype score: Not currently trending

  1. 🟠 Serv U, Missing Validation Code Execution, #CVE-2025-40548 (Medium) https://t.co/UTit4Kg3hE

    @dailycve, 2 Dec 2025

    13 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  2. SolarWinds patched three critical vulnerabilities: CVE-2025-40549, CVE-2025-40548, CVE-2025-40547. The flaws affect SolarWinds Serv-U 15.5.2.2.102. The company released version 15.5.3 to address them. https://t.co/exuwQPLnPK

    @RaulMuo16535398, 22 Nov 2025

    38 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  3. SolarWindsใ€้ซ˜ใƒชใ‚นใ‚ฏใฎ่ค‡ๆ•ฐใฎ่„†ๅผฑๆ€งใ‚’ไฟฎๆญฃ(CVE-2025-40547,CVE-2025-40548,CVE-2025-40549) https://t.co/SPUDZGIeb0 #ใ‚ปใ‚ญใƒฅใƒชใƒ†ใ‚ฃๅฏพ็ญ–Lab #ใ‚ปใ‚ญใƒฅใƒชใƒ†ใ‚ฃ #Security

    @securityLab_jp

    21 Nov 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🔥 Critical SolarWinds Serv-U Flaws Allow Remote Admin Code Execution - Rewterz •

    @PurpleOps_io, 20 Nov 2025

    45 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  5. 🚨🚨Three SolarWinds Serv-U Flaws Allow Authenticated Admins to Execute Arbitrary Code CVE-2025-40547 – Logic error CVE-2025-40548 – Missing validation CVE-2025-40549 – Directory traversal / path bypass ZoomEye Dork👉app="SolarWinds Serv-U FTP server httpd" 64.7k+

    @zoomeye_team, 20 Nov 2025

    2219 Impressions, 10 Retweets, 21 Likes, 17 Bookmarks, 1 Reply, 0 Quotes

  6. [CVE-2025-40548: CRITICAL] Vulnerability in Serv U allows attackers with admin privileges to execute code due to missing validation process. Risk is medium on Windows as services run under less-privileged ac...#cve,CVE-2025-40548,#cybersecurity https://t.co/49PXA1qVwi https://t.c

    @CveFindCom, 18 Nov 2025

    10 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  7. **CVE-2025-40548** pertains to a security flaw within **Serv-U**, a popular FTP server software. The vulnerability stems from a missing validation process when a particular functionality is invoked, potentially allowing an attacker with administrative privileges to execute

    @CveTodo, 18 Nov 2025

    26 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  8. CVE-2025-40548 A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requ… https://t.co/KH32mpVuDu

    @CVEnew, 18 Nov 2025

    154 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

Configurations