CVE-2025-40548

CRITICAL EPSS 46.3%
Published Nov 18, 20257mo ago · Modified Jun 17, 20261w ago
9.1 CVSS 3.1
Critical
Find Similar
Published Nov 18, 2025 7mo ago
Last Modified Jun 17, 2026 1w ago

Description

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

CVSS Details

Base Score
9.1
Exploitability
2.3
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
46.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-269 Improper Privilege Management Authorization

Affected Products 1

VendorProductVersionRange
solarwindsserv-u* <15.5.3

References 2

  • documentation.solarwinds.com https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm
    Release Notes
  • solarwinds.com https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548
    PatchVendor Advisory

Remediation

  • solarwinds.com https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548
    PatchVendor Advisory