Insecure Direct Object Reference Vulnerability in Serv-U by SolarWinds
CVE-2025-40541

9.1CRITICAL

Key Information:

Vendor: Solarwinds
Status: Serv-u
Vendor: CVE Published:; 24 February 2026

What is CVE-2025-40541?

An Insecure Direct Object Reference vulnerability has been identified in Serv-U, allowing attackers with administrative privileges to execute native code as a privileged user. This vulnerability particularly poses a risk when the application is running under a less-privileged service account, which is common in Windows deployments. Users are encouraged to review their configurations and apply necessary updates to mitigate potential exploitation.

Affected Version(s)

Serv-U Windows SolarWinds Serv-U 15.5.3 and prior versions

References

https://www.solarwinds.com/trust-center/security-advisori...

https://documentation.solarwinds.com/en/success_center/se...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2026
Vulnerability Reserved
Apr 16, 2025

CVE-2025-40541 Data

JSON

Solarwinds

What is CVE-2025-40541?

Affected Version(s)

References

CVSS V3.1

Timeline