CVE-2025-40538
Published: 24 February 2026
Summary
CVE-2025-40538 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Solarwinds Serv-U. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the broken access control vulnerability by requiring timely remediation through application of the vendor patch in Serv-U version 15.5.4.
Enforces least privilege to limit users with domain or group admin access required for exploitation, reducing the attack surface.
Manages account lifecycle to control creation and modification of privileged accounts, preventing abusive creation of system admin users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Broken access control enables privilege escalation via unauthorized creation of higher-privileged accounts leading to RCE.
NVD Description
A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue…
more
requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Deeper analysisAI
CVE-2025-40538 is a broken access control vulnerability (CWE-269) in SolarWinds Serv-U, a file transfer server. It allows a malicious actor with domain admin or group admin privileges to create a system admin user and execute arbitrary code as a privileged account. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its high impact due to scope change despite requiring high privileges.
Exploitation requires administrative privileges, specifically domain admin or group admin access within Serv-U. A malicious actor with these privileges can abuse the broken access control to escalate by creating a new system admin user and achieving remote code execution as a privileged account. On Windows deployments, the risk is assessed as medium because Serv-U services often run under less-privileged accounts by default, limiting potential impact.
SolarWinds has addressed the vulnerability in Serv-U version 15.5.4, as detailed in the release notes. Security practitioners should consult the official security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40538 and update to the patched version to mitigate the issue.
Details
- CWE(s)