VYPR

Serv U

by Rhinosoft

CVEs (24)

  • CVE-2021-35211 · KEV · Jul 14, 2021
    risk 0.26 · cvss · epss 0.91

    Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File…

  • CVE-2024-28995 · KEV · Jun 6, 2024
    risk 0.23 · cvss · epss 1.00

    SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.

  • CVE-2021-35247 · KEV · Jan 7, 2022
    risk 0.12 · cvss · epss 0.03

    Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream effect has been detected as the LDAP servers…

  • CVE-2009-4006 · Nov 20, 2009
    risk 0.10 · cvss · epss 0.83

    Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string.

  • CVE-2004-2111 · Dec 31, 2004
    risk 0.10 · cvss · epss 0.87

    Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.

  • CVE-2004-0330 · Nov 23, 2004
    risk 0.10 · cvss · epss 0.85

    Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command.

  • CVE-2021-35250 · Apr 25, 2022
    risk 0.06 · cvss · epss 0.14

    A researcher reported a Directory Traversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

  • CVE-2009-4873 · May 26, 2010
    risk 0.05 · cvss · epss 0.21

    Stack-based buffer overflow in the HTTP server in Rhino Software Serv-U Web Client 9.0.0.5 allows remote attackers to cause a denial of service (server crash) or execute arbitrary code via a long Session cookie.

  • CVE-1999-0838 · Dec 1, 1999
    risk 0.03 · cvss · epss 0.02

    Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a denial of service via the SITE command.

  • CVE-2024-45711 · Oct 16, 2024
    risk 0.01 · cvss · epss 0.06

    SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are…

  • CVE-2025-40541 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.01

    An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is…

  • CVE-2025-40539 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.00

    A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium…

  • CVE-2025-40538 · Feb 24, 2026
    risk 0.00 · cvss · epss 0.01

    A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative…

  • CVE-2025-40549 · Nov 18, 2025
    risk 0.00 · cvss · epss 0.01

    A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium…

  • CVE-2025-40547 · Nov 18, 2025
    risk 0.00 · cvss · epss 0.01

    A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because…

  • CVE-2024-45712 · Apr 15, 2025
    risk 0.00 · cvss · epss 0.00

    SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low.

  • CVE-2024-28073 · Apr 17, 2024
    risk 0.00 · cvss · epss 0.01

    SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited.

  • CVE-2023-40060 · Sep 7, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the…

  • CVE-2023-35179 · Aug 10, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 

  • CVE-2023-23841 · Jun 15, 2023
    risk 0.00 · cvss · epss 0.00

    SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of the request discloses sensitive data.

Page 1 of 2