CVE-2025-40539
Published: 24 February 2026
Summary
CVE-2025-40539 is a critical-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in Solarwinds Serv-U. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly eliminates the type confusion vulnerability by requiring timely application of the vendor patch in Serv-U version 15.5.4.
Enforces least privilege for Serv-U service accounts, limiting the scope and impact of arbitrary code execution even if exploited by an administrative attacker.
Implements memory protections such as ASLR and DEP that mitigate exploitation of type confusion vulnerabilities leading to arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion RCE in publicly accessible file transfer server directly enables remote exploitation of a public-facing app for native code execution.
NVD Description
A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a…
more
medium because services frequently run under less-privileged service accounts by default.
Deeper analysisAI
CVE-2025-40539 is a type confusion vulnerability (CWE-704) in SolarWinds Serv-U, a file transfer server software. When exploited, it enables a malicious actor to execute arbitrary native code with the privileges of the affected account. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its high impact despite requiring high privileges, due to the scope change from network-accessible exploitation.
Exploitation requires administrative privileges on the target system (PR:H), limiting it to attackers who have already gained such access, such as compromised insiders or those escalating from lower privileges. A successful attack can be performed remotely over the network with low complexity (AV:N/AC:L), achieving complete confidentiality, integrity, and availability impacts (C:H/I:H/A:H) in a changed scope (S:C), effectively allowing full system compromise under the service's privileged context.
SolarWinds has addressed the issue in Serv-U version 15.5.4, as detailed in the release notes at https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm. Additional mitigation guidance and details are provided in the vendor's security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40539. On Windows deployments, the risk is considered medium because Serv-U services often run under less-privileged accounts by default.
Details
- CWE(s)