Serv-U MFT

CVEs (34)

CVE	Vendor / Product	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2021-35247	Rhinosoft Serv U	0.12	—	0.05	KEV	Jan 7, 2022	Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers…
CVE-2019-12181	SolarWinds Serv-U MFT	0.07	—	0.53		Jun 17, 2019	A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
CVE-2021-35250	Rhinosoft Serv U	0.06	—	0.81		Apr 25, 2022	A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
CVE-2020-15541	SolarWinds Serv-U MFT	0.02	—	0.21		Jul 5, 2020	SolarWinds Serv-U FTP server before 15.2.1 allows remote command execution.
CVE-2024-45711	Rhinosoft Serv U	0.01	—	0.11		Oct 16, 2024	SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are…
CVE-2021-35223	SolarWinds Serv U File Server	0.01	—	0.11		Aug 31, 2021	The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution.
CVE-2025-40541	Rhinosoft Serv U	0.00	—	0.00		Feb 24, 2026	An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is…
CVE-2025-40540	SolarWinds Serv-U MFT	0.00	—	0.00		Feb 24, 2026	A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium…
CVE-2025-40539	Rhinosoft Serv U	0.00	—	0.00		Feb 24, 2026	A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium…
CVE-2025-40538	Rhinosoft Serv U	0.00	—	0.00		Feb 24, 2026	A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative…
CVE-2025-40549	Rhinosoft Serv U	0.00	—	0.00		Nov 18, 2025	A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium…
CVE-2025-40548	SolarWinds Serv-U MFT	0.00	—	0.00		Nov 18, 2025	A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services…
CVE-2025-40547	Rhinosoft Serv U	0.00	—	0.00		Nov 18, 2025	A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because…
CVE-2024-45712	Rhinosoft Serv U	0.00	—	0.00		Apr 15, 2025	SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low.
CVE-2024-45714	SolarWinds Serv-U MFT	0.00	—	0.00		Oct 16, 2024	Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload.
CVE-2024-28072	SolarWinds Serv-U MFT	0.00	—	0.00		May 3, 2024	A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly.
CVE-2023-40053	SolarWinds Serv-U MFT	0.00	—	0.00		Dec 6, 2023	A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.
CVE-2023-40060	Rhinosoft Serv U	0.00	—	0.00		Sep 7, 2023	A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the…
CVE-2023-35179	Rhinosoft Serv U	0.00	—	0.00		Aug 10, 2023	A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action.
CVE-2022-38106	SolarWinds Serv U File Server	0.00	—	0.05		Dec 16, 2022	This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function.

CVE-2021-35247KEVJan 7, 2022
Rhinosoft
Serv U
risk 0.12cvss —epss 0.05
Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers…
CVE-2019-12181Jun 17, 2019
SolarWinds
Serv-U MFT
risk 0.07cvss —epss 0.53
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
CVE-2021-35250Apr 25, 2022
Rhinosoft
Serv U
risk 0.06cvss —epss 0.81
A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
CVE-2020-15541Jul 5, 2020
SolarWinds
Serv-U MFT
risk 0.02cvss —epss 0.21
SolarWinds Serv-U FTP server before 15.2.1 allows remote command execution.
CVE-2024-45711Oct 16, 2024
Rhinosoft
Serv U
risk 0.01cvss —epss 0.11
SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are…
CVE-2021-35223Aug 31, 2021
SolarWinds
Serv U File Server
risk 0.01cvss —epss 0.11
The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution.
CVE-2025-40541Feb 24, 2026
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is…
CVE-2025-40540Feb 24, 2026
SolarWinds
Serv-U MFT
risk 0.00cvss —epss 0.00
A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium…
CVE-2025-40539Feb 24, 2026
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium…
CVE-2025-40538Feb 24, 2026
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative…
CVE-2025-40549Nov 18, 2025
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium…
CVE-2025-40548Nov 18, 2025
SolarWinds
Serv-U MFT
risk 0.00cvss —epss 0.00
A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services…
CVE-2025-40547Nov 18, 2025
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because…
CVE-2024-45712Apr 15, 2025
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low.
CVE-2024-45714Oct 16, 2024
SolarWinds
Serv-U MFT
risk 0.00cvss —epss 0.00
Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload.
CVE-2024-28072May 3, 2024
SolarWinds
Serv-U MFT
risk 0.00cvss —epss 0.00
A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly.
CVE-2023-40053Dec 6, 2023
SolarWinds
Serv-U MFT
risk 0.00cvss —epss 0.00
A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.
CVE-2023-40060Sep 7, 2023
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the…
CVE-2023-35179Aug 10, 2023
Rhinosoft
Serv U
risk 0.00cvss —epss 0.00
A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action.
CVE-2022-38106Dec 16, 2022
SolarWinds
Serv U File Server
risk 0.00cvss —epss 0.05
This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function.

Page 1 of 2