CVE-2025-40549CRITICAL 9.1EPSS p57.7%

CVE-2025-40549CVE-2025-40549

Description

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS0.98% probability of exploitation · percentile 57.7% · 2026-06-19T12:03:05Z
Published2025-11-18
Last modified2025-12-02

Underlying weaknesses· 1

CWE-22

References

  1. https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm
  2. https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-40547
CVE
CVE-2025-40548
CVE
CVE-2025-57790
CVE
SolarWinds Serv-U Path Traversal Vulnerability
CVE
CVE-2025-53120
CVE
CVE-2025-1127
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.