What is the CVSS score of CVE-2025-40541?

CVE-2025-40541 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Windows are affected by CVE-2025-40541?

A critical vulnerability in Serv-U allows authenticated administrators to execute arbitrary code with elevated privileges, potentially compromising file servers and sensitive data.

How to fix or mitigate CVE-2025-40541?

Within 24 hours: Inventory all Serv-U installations and document administrative account usage; restrict administrative access to essential personnel only and enforce multi-factor authentication. Within 7 days: Implement network segmentation to isolate Serv-U servers; monitor administrative activity logs for suspicious access patterns; contact Serv-U vendor for patch timeline and interim guidance. Within 30 days: Apply vendor patch immediately upon release; conduct forensic review of administrative activity logs for potential compromise indicators; reset credentials for all administrative accounts.

Windows CVE-2025-40541

CRITICAL

Incorrect Type Conversion or Cast (CWE-704)

2026-02-24 psirt@solarwinds.com

Windows Serv U

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 08:16 nvd

CRITICAL 9.1

DescriptionNVD

An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.

This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

AnalysisAI

IDOR vulnerability in SolarWinds Serv-U allows accessing objects belonging to other users. Fourth critical Serv-U vulnerability in this batch.

Technical ContextAI

CWE-704 (misclassified — actually IDOR). Attackers can access resources belonging to other users by manipulating object references.

RemediationAI

Apply SolarWinds update. Implement proper object-level authorization checks.

CVE-2025-40541 vulnerability details – vuln.today

Back

Windows CVE-2025-40541

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code