CVE-2025-40549
Published: 18 November 2025
Summary
CVE-2025-40549 is a critical-severity Path Traversal (CWE-22) vulnerability in Solarwinds Serv-U. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the path restriction bypass vulnerability by applying the vendor-provided patch detailed in Serv-U 15.5.3 release notes.
Limits exploitation to only essential administrative privileges, reducing the attack surface given the PR:H requirement.
Validates path inputs to block traversal attempts that bypass directory restrictions in Serv-U.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path restriction bypass in Serv-U enables remote code execution with administrative privileges over the network, directly mapping to exploitation of a remote service.
NVD Description
A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this…
more
scored as medium due to differences in how paths and home directories are handled.
Deeper analysisAI
CVE-2025-40549 is a Path Restriction Bypass vulnerability (CWE-22) in Serv-U. This issue affects Serv-U, where abuse enables a malicious actor with administrative privileges to execute code on a directory. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. On Windows systems, it is assessed as medium severity due to differences in path and home directory handling.
Exploitation requires administrative privileges, limiting it to attackers who have already gained admin-level access to the Serv-U instance. A successful attack allows the actor to bypass path restrictions and execute code on a directory, resulting in high impacts to confidentiality, integrity, and availability, compounded by the changed scope (S:C) in the CVSS metrics.
SolarWinds has published a security advisory detailing the issue at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549. Mitigation information, including patches, is covered in the Serv-U 15.5.3 release notes at https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm.
Details
- CWE(s)