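This page lists published CVEs affecting solarwinds serv-u (associated via NVD CPE entries). Each row includes severity metrics, a summary, and the publication date.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |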
|---|---|---|---|---|---|---|
| CVE-2026-28318 KEV | SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update. | [email protected] | 7.5 | 6.68% | 2026-06-04 | 2026-06-05 |
| CVE-2025-40541 | An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.04% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40540 | A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40539 | A type confusion vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to execute arbitrary native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40538 | A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40549 | A Path Restriction Bypass vulnerability exists in Serv-U that, when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this is scored as medium due to differences in how paths and home directories are handled. | [email protected] | 9.1 | 0.09% | 2025-11-18 | 2025-12-02 |
| CVE-2025-40548 | A missing validation process exists in Serv-U that, when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2025-11-18 | 2025-12-02 |
| CVE-2025-40547 | A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.07% | 2025-11-18 | 2025-12-02 |
| CVE-2024-45712 | SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low. | [email protected] | 2.6 | 0.09% | 2025-04-15 | 2025-11-18 |
| CVE-2024-45714 | Application is vulnerable to Cross Site Scripting (XSS): an authenticated attacker with users’ permissions can modify a variable with a payload. | [email protected] | 4.8 | 0.28% | 2024-10-16 | 2024-10-30 |
| CVE-2024-45711 | SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are abused. Authentication is required for this vulnerability. | [email protected] | 7.5 | 10.69% | 2024-10-16 | 2024-10-17 |
| CVE-2024-28995 KEV | SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine. | [email protected] | 8.6 | 94.37% | 2024-06-06 | 2026-02-26 |
| CVE-2024-28072 | A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly. | [email protected] | 5.7 | 0.20% | 2024-05-03 | 2025-02-25 |
| CVE-2024-28073 | SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited. | [email protected] | 8.4 | 0.30% | 2024-04-17 | 2025-02-10 |
| CVE-2023-40053 | A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. | [email protected] | 5.0 | 0.06% | 2023-12-06 | 2024-11-21 |
| CVE-2023-40060 | A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1. | [email protected] | 7.2 | 0.03% | 2023-09-07 | 2024-11-21 |
| CVE-2023-35179 | A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. | [email protected] | 7.2 | 0.06% | 2023-08-11 | 2024-11-21 |
| CVE-2023-23841 | SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of the request discloses sensitive data. | [email protected] | 7.5 | 0.07% | 2023-06-15 | 2026-02-25 |
| CVE-2022-38106 | This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. | [email protected] | 5.4 | 4.65% | 2022-12-16 | 2026-02-25 |
| CVE-2021-35252 | Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext. | [email protected] | 7.5 | 0.32% | 2022-12-16 | 2024-11-21 |