CVE-2025-40541
EUVD-2025-20754324.02.2026, 08:16
An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| solarwinds | serv-u | 𝑥 < 15.5.4 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-704 - Incorrect Type Conversion or CastThe software does not correctly convert an object, resource, or structure from one type to a different type.
- CWE-639 - Authorization Bypass Through User-Controlled KeyThe system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.