SolarWinds Serv-U
19 CVEs affecting SolarWinds Serv-U. Latest disclosed: 2026-06-04. Critical: 7, High: 6.

| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-40541 | Critical | 9.1 | 2026-02-24 | An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as… |
| CVE-2025-40540 | Critical | 9.1 | 2026-02-24 | A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged accoun… |
| CVE-2025-40539 | Critical | 9.1 | 2026-02-24 | A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged accoun… |
| CVE-2025-40538 | Critical | 9.1 | 2026-02-24 | A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbi… |
| CVE-2025-40549 | Critical | 9.1 | 2025-11-18 | A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute… |
| CVE-2025-40548 | Critical | 9.1 | 2025-11-18 | A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This iss… |
| CVE-2025-40547 | Critical | 9.1 | 2025-11-18 | A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This… |
| CVE-2021-35223 | High | 8.5 | 2021-08-31 | The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that ca… |
| CVE-2026-28318 | High | 7.5 | 2026-06-04 | SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitig… |
| CVE-2024-45711 | High | 7.5 | 2024-10-16 | SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authentic… |
| CVE-2021-35250 | High | 7.5 | 2022-04-25 | A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files… |
| CVE-2023-40060 | High | 7.2 | 2023-09-07 | A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication… |
| CVE-2023-35179 | High | 7.2 | 2023-08-10 | A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must ha… |
| CVE-2024-28072 | Medium | 5.7 | 2024-05-03 | A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly. |
| CVE-2023-40053 | Medium | 5.0 | 2023-12-06 | A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which… |
| CVE-2024-45714 | Medium | 4.8 | 2024-10-16 | Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload. |
| CVE-2021-35249 | Medium | 4.3 | 2022-05-17 | This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should no… |
| CVE-2021-35247 | Medium | 4.3 | 2022-01-07 | Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perf… |
| CVE-2024-45712 | Low | 2.6 | 2025-04-15 | SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account… |