Serv U
Monthly
Remote denial-of-service in SolarWinds Serv-U allows unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests using Content-Encoding: deflate. The flaw carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and maps to CWE-400 (uncontrolled resource consumption), affecting service availability without compromising confidentiality or integrity; no public exploit identified at time of analysis.
IDOR vulnerability in SolarWinds Serv-U allows accessing objects belonging to other users. Fourth critical Serv-U vulnerability in this batch.
Second type confusion vulnerability in SolarWinds Serv-U. Different attack vector from CVE-2025-40539 but same impact — arbitrary code execution.
Type confusion vulnerability in SolarWinds Serv-U enables arbitrary code execution. Second critical Serv-U vulnerability.
Broken access control in SolarWinds Serv-U allows unauthorized user creation by exploiting privilege assignment flaws. First of four critical Serv-U vulnerabilities.
A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
Remote denial-of-service in SolarWinds Serv-U allows unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests using Content-Encoding: deflate. The flaw carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and maps to CWE-400 (uncontrolled resource consumption), affecting service availability without compromising confidentiality or integrity; no public exploit identified at time of analysis.
IDOR vulnerability in SolarWinds Serv-U allows accessing objects belonging to other users. Fourth critical Serv-U vulnerability in this batch.
Second type confusion vulnerability in SolarWinds Serv-U. Different attack vector from CVE-2025-40539 but same impact — arbitrary code execution.
Type confusion vulnerability in SolarWinds Serv-U enables arbitrary code execution. Second critical Serv-U vulnerability.
Broken access control in SolarWinds Serv-U allows unauthorized user creation by exploiting privilege assignment flaws. First of four critical Serv-U vulnerabilities.
A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.