Cyber Resilience

CVE-2025-40549

Critical

Published: 18 November 2025

Published
18 November 2025
Modified
02 December 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0010 27.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-40549 is a critical-severity Path Traversal (CWE-22) vulnerability in Solarwinds Serv-U. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-40549 is a Path Restriction Bypass vulnerability (CWE-22) in Serv-U. This issue affects Serv-U, where abuse enables a malicious actor with administrative privileges to execute code on a directory. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. On Windows systems, it is assessed as medium severity due to differences in path and home directory handling.

Exploitation requires administrative privileges, limiting it to attackers who have already gained admin-level access to the Serv-U instance. A successful attack allows the actor to bypass path restrictions and execute code on a directory, resulting in high impacts to confidentiality, integrity, and availability, compounded by the changed scope (S:C) in the CVSS metrics.

SolarWinds has published a security advisory detailing the issue at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549. Mitigation information, including patches, is covered in the Serv-U 15.5.3 release notes at https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm.

EU & UK References

Vulnerability details

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this…

more

scored as medium due to differences in how paths and home directories are handled.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Path restriction bypass in Serv-U enables remote code execution with administrative privileges over the network, directly mapping to exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-40547Same product: Solarwinds Serv-U
CVE-2025-40539Same product: Solarwinds Serv-U
CVE-2025-40540Same product: Solarwinds Serv-U
CVE-2025-40538Same product: Solarwinds Serv-U
CVE-2025-40541Same product: Solarwinds Serv-U
CVE-2026-28297Same product class: network monitoring / SIEM
CVE-2024-28988Same product class: network monitoring / SIEM
CVE-2025-40554Same product class: network monitoring / SIEM
CVE-2025-40536Same product class: network monitoring / SIEM
CVE-2025-40552Same product class: network monitoring / SIEM

Affected Assets

solarwinds
serv-u
≤ 15.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the path restriction bypass vulnerability by applying the vendor-provided patch detailed in Serv-U 15.5.3 release notes.

prevent

Limits exploitation to only essential administrative privileges, reducing the attack surface given the PR:H requirement.

prevent

Validates path inputs to block traversal attempts that bypass directory restrictions in Serv-U.

References