PT-2026-21667 · SolarWinds · Serv-U

Published: 2026-02-24 · Updated: 2026-03-10 · CVE-2025-40538

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Serv-U, versions prior to 15.5.4 (Serv-U 15.5)
Description: A broken access control issue exists in Serv-U that potentially allows a malicious actor who already holds administrative privileges to create a system administrator user and execute arbitrary code with privileged rights. Exploitation requires administrative access. Approximately 12,000 instances are reported as exposed. The issue is rated critical with a CVSS score of 9.1. Successful exploitation can lead to remote code execution (RCE), privilege escalation, and full server takeover. The vulnerability involves broken access control, type confusion bugs, and IDOR (Insecure Direct Object Reference) flaws.
Recommendations: Update Serv-U to version 15.5.4 immediately. Audit Serv-U administrator access to limit the impact if privileged credentials are compromised. Restrict access to the vulnerable module to reduce the risk of exploitation. As a temporary workaround, consider disabling the vulnerable function until a patch is available.

Tags: Fix · RCE · Improper Privilege Management


Weakness Enumeration

Related Identifiers: CVE-2025-40538

Affected Products: Serv-U