VYPR

Serv-U MFT

by SolarWinds

CVEs (39)

  • CVE-2021-35211CriKEVJul 14, 2021
    risk 0.84cvss 9.0epss 0.91

    Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File…

  • CVE-2024-28995HigKEVJun 6, 2024
    risk 0.79cvss 8.6epss 1.00

    SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.

  • CVE-2019-12181HigJun 17, 2019
    risk 0.65cvss 8.8epss 0.66

    A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

  • CVE-2020-35481CriFeb 3, 2021
    risk 0.64cvss 9.8epss 0.01

    SolarWinds Serv-U before 15.2.2 allows Unauthenticated Macro Injection.

  • CVE-2026-28318HigKEVJun 4, 2026
    risk 0.61cvss 7.5epss 0.11

    SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the…

  • CVE-2025-40549CriNov 18, 2025
    risk 0.59cvss 9.1epss 0.01

    A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium…

  • CVE-2025-40548CriNov 18, 2025
    risk 0.59cvss 9.1epss 0.01

    A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services…

  • CVE-2025-40547CriNov 18, 2025
    risk 0.59cvss 9.1epss 0.01

    A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because…

  • CVE-2019-12769HigMar 18, 2020
    risk 0.57cvss 8.8epss 0.01

    SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters.

  • CVE-2024-28073HigApr 17, 2024
    risk 0.55cvss 8.4epss 0.01

    SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited.

  • CVE-2021-35245HigDec 6, 2021
    risk 0.55cvss 8.4epss 0.01

    When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host machine.

  • CVE-2021-35223HigAug 31, 2021
    risk 0.55cvss 8.5epss 0.03

    The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution.

  • CVE-2021-35242HigDec 6, 2021
    risk 0.54cvss 8.3epss 0.01

    Serv-U server responds with valid CSRFToken when the request contains only Session.

  • CVE-2021-35250HigApr 25, 2022
    risk 0.50cvss 7.5epss 0.14

    A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

  • CVE-2024-45711HigOct 16, 2024
    risk 0.49cvss 7.5epss 0.06

    SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are…

  • CVE-2023-23841HigJun 15, 2023
    risk 0.49cvss 7.5epss 0.00

    SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.  Part of the URL of the request discloses sensitive data.

  • CVE-2021-3154HigMay 4, 2021
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection. NOTE: this had a distinct fix relative to CVE-2020-35481.

  • CVE-2018-10240HigMay 16, 2018
    risk 0.48cvss 7.3epss 0.01

    SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the…

  • CVE-2023-40060HigSep 7, 2023
    risk 0.47cvss 7.2epss 0.01

    A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4.  SolarWinds found that the…

  • CVE-2023-35179HigAug 11, 2023
    risk 0.47cvss 7.2epss 0.01

    A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 

Page 1 of 2