What is CVE-2025-40547?

CVE-2025-40547 is a critical-severity vulnerability in Solarwinds Serv-u, classified under Improper Encoding or Escaping of Output. CVSS score: 9.1/10. Published 2025-11-18.

How severe is CVE-2025-40547?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Vulnerability in Solarwinds Serv-u

CVE-2025-40547

A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the…

EPSS: 0.001 (26.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Solarwinds Serv-u — versions SolarWinds Serv-U 15.5.2 and prior versions

Weakness classification (CWE)

CWE-116 — Improper Encoding or Escaping of Output

References

www.solarwinds.com/trust-center/security-advisories/CVE-2025-40547
documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv…

Frequently asked questions

What is CVE-2025-40547?: CVE-2025-40547 is a critical-severity vulnerability in Solarwinds Serv-u, classified under Improper Encoding or Escaping of Output. CVSS score: 9.1/10. Published 2025-11-18.
How severe is CVE-2025-40547?: Critical severity. CVSS v3 base score is 9.1 out of 10.