Cyber Posture

CVE-2025-40549 (Critical)

Published: 18 November 2025
Modified: 02 December 2025
KEV Added: (none)
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A Path Restriction Bypass vulnerability exists in Serv-U that, when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this is scored as medium due to differences in how paths and home directories are handled.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly remediates the path restriction bypass vulnerability by applying the vendor-provided patch detailed in the Serv-U 15.5.3 release notes.
- prevent: Restricts Serv-U administrative privileges to the accounts that genuinely need them, reducing the attack surface since exploitation requires high privileges (PR:H).
- prevent: Validates path inputs to block traversal attempts that bypass directory restrictions in Serv-U.

Security Summary [AI-generated]

CVE-2025-40549 is a Path Restriction Bypass vulnerability (CWE-22) in Serv-U. Abuse of the issue enables a malicious actor with administrative privileges to execute code on a directory. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. On Windows systems, it is assessed as medium severity due to differences in path and home directory handling.

Exploitation requires administrative privileges, so it is limited to attackers who have already gained admin-level access to the Serv-U instance. A successful attack allows the actor to bypass path restrictions and execute code on a directory, resulting in high impacts to confidentiality, integrity, and availability, compounded by the changed scope (S:C) in the CVSS metrics.

SolarWinds has published a security advisory detailing the issue at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549. Mitigation information, including patches, is covered in the Serv-U 15.5.3 release notes at https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm.

Details

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Affected Products: solarwinds serv-u, versions ≤ 15.5.3

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Path restriction bypass in Serv-U enables remote code execution with administrative privileges over the network, which maps directly to exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References