CVE-2025-40547 CRITICAL

CVE-2025-40547: SolarWinds Serv-U Logic Abuse - Remote Code Execution Vulnerability

Vendor Solarwinds
Product Serv-U
Weakness CWE-116
Published November 18, 2025
Last update February 26, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Key dates

02Disclosure timeline

November 18, 2025 CVE published
February 26, 2026 Record updated