
SolarWinds

Serv-U

See the latest tracked release, confirm when it was published, and subscribe for update emails.

Current version
Last checked: yesterday

15.5.4

Release date
February 24, 2026
CVE status
4 visible CVEs

Source

Vendor Release Information

Public release notes are linked for the latest stored release.

Release history

See the latest published releases stored for this product.

Version Published Notes
15.5.4 2026-02-24 Release Notes

Vulnerability tracking

Review curated CVEs for this product and see whether the current version is marked affected. Only CVEs with a CVSS score of 7.0 or higher and published in the last 90 days are shown.

CVE Severity Published Status Summary
CVE-2025-40541 CRITICAL (9.1) 2026-02-24 Current version not affected

An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Affected versions
  • Up to (excluding) 15.5.4
CVE-2025-40540 CRITICAL (9.1) 2026-02-24 Current version not affected

A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Affected versions
  • Up to (excluding) 15.5.4
CVE-2025-40539 CRITICAL (9.1) 2026-02-24 Current version not affected

A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Affected versions
  • Up to (excluding) 15.5.4
CVE-2025-40538 CRITICAL (9.1) 2026-02-24 Current version not affected

A broken access control vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Affected versions
  • Up to (excluding) 15.5.4