How to fix CVE-2025-40540?

Within 24 hours: Audit all administrative account access logs for Serv-U and identify any suspicious activity; restrict administrative access to trusted personnel only. Within 7 days: Isolate Serv-U instances on a segmented network with strict firewall rules limiting administrative connections; conduct a security assessment of all accounts with admin privileges. Within 30 days: Monitor vendor communications for patch availability; develop and test a migration or upgrade plan; implement enhanced monitoring and endpoint detection and response (EDR) on systems running Serv-U.

Is Windows affected by CVE-2025-40540?

A critical vulnerability in Serv-U allows attackers with administrative access to execute arbitrary code with system-level privileges, potentially leading to complete system compromise and lateral movement across the infrastructure.

CVE-2025-40540

CRITICAL

2026-02-24 [email protected]

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 08:16 nvd

CRITICAL 9.1

Description

A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Analysis

Second type confusion vulnerability in SolarWinds Serv-U. Different attack vector from CVE-2025-40539 but same impact — arbitrary code execution.

Technical Context

CWE-704 type confusion, different code path from CVE-2025-40539.

Affected Products

['SolarWinds Serv-U']

Remediation

Apply SolarWinds security update addressing all Serv-U CVEs.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

CVE-2025-40540 vulnerability details – vuln.today

Back

CVE-2025-40540

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-40540

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code