CVE-2025-40541
Published: 24 February 2026
Summary
CVE-2025-40541 is a critical-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in SolarWinds Serv-U. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 1.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly preventing the IDOR exploitation that allows privileged code execution.
- AC-6 (Least Privilege): limits privileges to only those necessary, reducing the attack surface of the administrative accounts required to trigger this IDOR vulnerability (which needs high privileges, PR:H).
- AC-2 (Account Management): manages privileged accounts, including creation, review, and disabling of unnecessary ones, minimizing the number of accounts able to exploit the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR enables remote native code execution as a privileged account on Serv-U, a public-facing service, which maps directly to exploitation of a public-facing application and to privilege escalation via code execution.
NVD Description
An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.
Deeper analysis
CVE-2025-40541 is an Insecure Direct Object Reference (IDOR) vulnerability in SolarWinds Serv-U, classified under CWE-639 and CWE-704. When exploited, it enables a malicious actor to execute native code as a privileged account. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-02-24.
Exploitation requires administrative privileges (PR:H), limiting it to attackers who have already gained high-level access within the Serv-U environment. Such an actor can trigger the issue remotely over the network (AV:N) with low attack complexity and no user interaction (UI:N), resulting in high impacts to confidentiality, integrity, and availability, along with a changed scope (S:C). On Windows deployments, the risk is rated as medium because Serv-U services typically run under less-privileged accounts by default.
SolarWinds has issued a security advisory detailing the issue at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40541. Mitigation is available via Serv-U version 15.5.4, as outlined in the release notes at https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm.
Details
- CWE(s)