CVE-2025-40540
Published: 24 February 2026
Summary
CVE-2025-40540 is a critical-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in Solarwinds Serv-U. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the type confusion vulnerability by requiring timely remediation through application of the vendor patch in Serv-U version 15.5.4.
Reduces exploitation risk and impact by enforcing least privilege for administrative accounts and running services under less-privileged accounts, as highlighted for Windows deployments.
Implements memory safeguards such as ASLR and DEP to hinder arbitrary code execution resulting from the type confusion vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion RCE in public-facing Serv-U file transfer server; requires prior admin access (PR:H) but directly enables remote native code execution on exposed service.
NVD Description
A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a…
more
medium because services frequently run under less-privileged service accounts by default.
Deeper analysisAI
CVE-2025-40540 is a type confusion vulnerability (CWE-704) in SolarWinds Serv-U, a file transfer server software. When exploited, it enables a malicious actor to execute arbitrary native code as a privileged account. The vulnerability received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-02-24.
Exploitation requires administrative privileges (PR:H), limiting it to attackers who have already gained high-level access to the affected Serv-U instance. A successful attack allows network-based remote code execution with high impacts across confidentiality, integrity, and availability, compounded by a scope change (S:C). On Windows deployments, the risk is assessed as medium because Serv-U services frequently run under less-privileged accounts by default.
SolarWinds has released mitigation via Serv-U version 15.5.4, as detailed in the product release notes. Additional guidance is available in the vendor's security advisory at the SolarWinds Trust Center.
Details
- CWE(s)