CVE-2025-40538 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: February 24, 2026
Serv-U - Broken Access Control
Published: February 24, 2026Updated: February 24, 2026Remote Exploitable
Overview
Serv-U contains a broken access control vulnerability caused by improper privilege checks, letting attackers with domain or group admin privileges create system admin users and execute arbitrary code.
Severity & Score
Severity: Critical
CVSS Score: 9.1
EPSS Score: 3.8%(Probability of exploitation in next 30 days)
Impact
Attackers with admin privileges can create system admin users and execute arbitrary code with elevated privileges.
Mitigation
Update to the latest version with the fix applied.
References
Social Media Activity(1 post)
Jeff Hall - PCIGuru :verified:
@jbhall56
All four security defects, tracked as CVE-2025-40538 to CVE-2025-40541, have a CVSS score of 9.1, could result in remote code execution, and impact Serv-U version 15.5. https://www.securityweek.com/solarwinds-patches-four-critical-serv-u-vulnerabilities/
View original postRelated Resources
Details
- CVE ID
- CVE-2025-40538
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- broken_access_control
- Status
- confirmed
- EPSS
- 3.8%
- Social Posts
- 1
CWE
- CWE-269
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score
3.8%Probability of exploitation in the next 30 days