📦

serv-u

Vendor: rhinosoft

Login to add this product to WatchStack
Actively Exploited 3 CISA KEV List
PoC / Exploits 7 Code Available
Total RCEs 2 Remote Access
Total CVEs 225 Total Indexed
Avg. EPSS 9.49% Exploit Prob.
Latest CVE CVE-2025-40541 Feb 24

Security Vulnerability Index

Page 2 / 23
Critical Target
8.6 CVSS
CVE-2024-28995
Exploit Found

SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.

EPSS: 94.40%
5.7 CVSS
CVE-2024-28072

A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly.

EPSS: 0.20%
8.4 CVSS
CVE-2024-28073

SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited.

EPSS: 0.30%
5.0 CVSS
CVE-2023-40053

A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.

EPSS: 0.06%
7.2 CVSS
CVE-2023-40060

A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4.  SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1. 

EPSS: 0.03%
7.2 CVSS
CVE-2023-35179

A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 

EPSS: 0.06%
7.5 CVSS
CVE-2023-23841

SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.  Part of the URL of the request discloses sensitive data.

EPSS: 0.10%
5.4 CVSS
CVE-2022-38106

This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function.

EPSS: 4.65%
7.5 CVSS
CVE-2021-35252

Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext.

EPSS: 0.29%
4.3 CVSS
CVE-2021-35249

This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed.

EPSS: 0.15%