CVE-2025-40549 — CVSS 9.1 (critical): A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the…
CVE-2025-40538 — CVSS 9.1 (critical): A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin…
CVE-2025-40539 — CVSS 9.1 (critical): A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code…
CVE-2025-40547 — CVSS 9.1 (critical): A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to…
CVE-2025-40548 — CVSS 9.1 (critical): A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to…
CVE-2025-40541 — CVSS 9.1 (critical): An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to…
CVE-2025-40540 — CVSS 9.1 (critical): A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code…
CVE-2021-35223 — CVSS 8.5 (high): The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied…
CVE-2024-28073 — CVSS 8.4 (high): SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly…
CVE-2021-35245 — CVSS 8.4 (high): When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host…
CVE-2020-15574 — CVSS 7.5 (high): SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893.
CVE-2020-15576 — CVSS 7.5 (high): SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response.
CVE-2021-3154 — CVSS 7.5 (high): An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection…
CVE-2021-35250 — CVSS 7.5 (high): A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U…
CVE-2021-35252 — CVSS 7.5 (high): Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is…
CVE-2023-23841 — CVSS 7.5 (high): SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of…
CVE-2024-45711 — CVSS 7.5 (high): SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges…
CVE-2018-10240 — CVSS 7.3 (high): SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the…
CVE-2023-35179 — CVSS 7.2 (high): A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor…
CVE-2023-40060 — CVSS 7.2 (high): A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass…
CVE-2021-25276 — CVSS 7.1 (high): In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that…
CVE-2018-10241 — CVSS 6.5 (medium): A denial of service vulnerability in SolarWinds Serv-U before 15.1.6 HFv1 allows an authenticated user to crash the application (with a…
CVE-2020-15575 — CVSS 6.1 (medium): SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194.
CVE-2020-15573 — CVSS 6.1 (medium): SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421.
CVE-2024-28072 — CVSS 5.7 (medium): A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly.
CVE-2022-38106 — CVSS 5.4 (medium): This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function.
CVE-2021-32604 — CVSS 5.4 (medium): Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka "Share URL XSS."
CVE-2023-40053 — CVSS 5.0 (medium): A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function…
CVE-2024-45714 — CVSS 4.8 (medium): Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a…
CVE-2021-35249 — CVSS 4.3 (medium): This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains…
CVE-2024-45712 — CVSS 2.6 (low): SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an…