CVE-2025-40547
Published: 18 November 2025
Summary
CVE-2025-40547 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Solarwinds Serv-U. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the logic error vulnerability by requiring timely application of the vendor patch released in Serv-U version 15.5.3.
Enforces least privilege to restrict administrative access required to exploit the vulnerability, limiting who can abuse the logic error for code execution.
Manages privileged accounts to minimize the number of admin users and ensure timely revocation, reducing opportunities for exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows arbitrary code execution on a remote service (SolarWinds Serv-U) by an authenticated high-privilege administrative actor, directly mapping to Exploitation of Remote Services.
NVD Description
A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as…
more
a medium because services frequently run under less-privileged service accounts by default.
Deeper analysisAI
CVE-2025-40547 is a logic error vulnerability in SolarWinds Serv-U that enables a malicious actor with administrative privileges to execute arbitrary code. The issue, published on 2025-11-18, carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-116 (Improper Encoding or Escaping of Output).
Exploitation requires high-privilege administrative access to the affected Serv-U instance. A successful attack allows the adversary to achieve high impacts on confidentiality, integrity, and availability, with a changed scope due to the privileged code execution. On Windows deployments, the overall risk is rated as medium, as Serv-U services typically run under less-privileged accounts by default, potentially limiting the blast radius even if admin credentials are compromised.
SolarWinds has published a security advisory detailing the issue at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40547, along with release notes for Serv-U version 15.5.3 at https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm, which address mitigation through patching.
Details
- CWE(s)