📦

serv-u

Vendor: rhinosoft

Login to add this product to WatchStack
Actively Exploited 3 CISA KEV List
PoC / Exploits 7 Code Available
Total RCEs 2 Remote Access
Total CVEs 225 Total Indexed
Avg. EPSS 9.49% Exploit Prob.
Latest CVE CVE-2025-40541 Feb 24

Security Vulnerability Index

Page 1 / 23
9.1 CVSS
CVE-2025-40541

An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

EPSS: 0.01%
9.1 CVSS
CVE-2025-40540

A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

EPSS: 0.09%
9.1 CVSS
CVE-2025-40539

A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

EPSS: 0.09%
9.1 CVSS
CVE-2025-40538

A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

EPSS: 0.05%
9.1 CVSS
CVE-2025-40549

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled.

EPSS: 0.10%
9.1 CVSS
CVE-2025-40548

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

EPSS: 0.06%
9.1 CVSS
CVE-2025-40547
Exploit Found

A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

EPSS: 0.10%
2.6 CVSS
CVE-2024-45712

SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low.

EPSS: 0.07%
4.8 CVSS
CVE-2024-45714

Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload.

EPSS: 0.28%
7.5 CVSS
CVE-2024-45711
RCE

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are abused. Authentication is required for this vulnerability

EPSS: 10.69%