What is the CVSS score of CVE-2025-40540?

CVE-2025-40540 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Windows are affected by CVE-2025-40540?

A critical vulnerability in Serv-U allows attackers with administrative access to execute arbitrary code with system-level privileges, potentially leading to complete system compromise and lateral…

How to fix or mitigate CVE-2025-40540?

Within 24 hours: Audit all administrative account access logs for Serv-U and identify any suspicious activity; restrict administrative access to trusted personnel only. Within 7 days: Isolate Serv-U instances on a segmented network with strict firewall rules limiting administrative connections; conduct a security assessment of all accounts with admin privileges. Within 30 days: Monitor vendor communications for patch availability; develop and test a migration or upgrade plan; implement enhanced monitoring and endpoint detection and response (EDR) on systems running Serv-U.

Windows CVE-2025-40540

CRITICAL

Incorrect Type Conversion or Cast (CWE-704)

2026-02-24 psirt@solarwinds.com

Windows Serv U

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 08:16 nvd

CRITICAL 9.1

DescriptionNVD

A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account.

This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

AnalysisAI

Second type confusion vulnerability in SolarWinds Serv-U. Different attack vector from CVE-2025-40539 but same impact — arbitrary code execution.

Technical ContextAI

CWE-704 type confusion, different code path from CVE-2025-40539.

RemediationAI

Apply SolarWinds security update addressing all Serv-U CVEs.

CVE-2025-40540 vulnerability details – vuln.today

Back

Windows CVE-2025-40540

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code