CVE-2025-40540

Опубликовано: 24 фев. 2026

Источник: nvd

CVSS3: 9.1

CVSS3: 7.2

EPSS Низкий

Описание

A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account.

This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Ссылки

https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm
Release Notes
Vendor Advisory
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40540
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*

Версия до 15.5.4 (исключая)

EPSS

Процентиль: 35%

0.00445

Низкий

9.1 Critical

CVSS3

7.2 High

CVSS3

Дефекты

CWE-704

Связанные уязвимости

GHSA-8cmg-xf32-xmvr

CVSS3: 9.1

github

4 месяца назад

A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

EPSS

Процентиль: 35%

0.00445

Низкий

9.1 Critical

CVSS3

7.2 High

CVSS3

Дефекты

CWE-704