Cyber Resilience

CVE-2025-40540

Critical

Published: 24 February 2026

Published
24 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0044 35.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-40540 is a critical-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in Solarwinds Serv-U. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-40540 is a type confusion vulnerability (CWE-704) in SolarWinds Serv-U, a file transfer server software. When exploited, it enables a malicious actor to execute arbitrary native code as a privileged account. The vulnerability received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-02-24.

Exploitation requires administrative privileges (PR:H), limiting it to attackers who have already gained high-level access to the affected Serv-U instance. A successful attack allows network-based remote code execution with high impacts across confidentiality, integrity, and availability, compounded by a scope change (S:C). On Windows deployments, the risk is assessed as medium because Serv-U services frequently run under less-privileged accounts by default.

SolarWinds has released mitigation via Serv-U version 15.5.4, as detailed in the product release notes. Additional guidance is available in the vendor's security advisory at the SolarWinds Trust Center.

EU & UK References

Vulnerability details

A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a…

more

medium because services frequently run under less-privileged service accounts by default.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Type confusion RCE in public-facing Serv-U file transfer server; requires prior admin access (PR:H) but directly enables remote native code execution on exposed service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-40539Same product: Solarwinds Serv-U
CVE-2025-40541Same product: Solarwinds Serv-U
CVE-2025-40547Same product: Solarwinds Serv-U
CVE-2025-40538Same product: Solarwinds Serv-U
CVE-2025-40549Same product: Solarwinds Serv-U
CVE-2025-40551Same product class: network monitoring / SIEM
CVE-2024-52606Same product class: network monitoring / SIEM
CVE-2025-40554Same product class: network monitoring / SIEM
CVE-2025-40552Same product class: network monitoring / SIEM
CVE-2025-40536Same product class: network monitoring / SIEM

Affected Assets

solarwinds
serv-u
≤ 15.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the type confusion vulnerability by requiring timely remediation through application of the vendor patch in Serv-U version 15.5.4.

prevent

Reduces exploitation risk and impact by enforcing least privilege for administrative accounts and running services under less-privileged accounts, as highlighted for Windows deployments.

prevent

Implements memory safeguards such as ASLR and DEP to hinder arbitrary code execution resulting from the type confusion vulnerability.

References