CVE-2025-40538 in Serv-U
Summary
by MITRE • 02/24/2026
A broken access control vulnerability exists in Serv-U which, when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges.
This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as medium because services frequently run under less-privileged service accounts by default.
Analysis
by VulDB Data Team • 02/25/2026
The vulnerability identified as CVE-2025-40538 represents a critical broken access control flaw within the Serv-U file transfer server software that fundamentally undermines the security posture of affected systems. This weakness resides in the authorization mechanisms that govern user privilege escalation and system administration capabilities within the software's architecture. The vulnerability manifests when an attacker with sufficient privileges can leverage the flawed access control to elevate their privileges to system administrator level, thereby gaining complete control over the affected server and potentially the entire network infrastructure.
The technical exploitation of this vulnerability requires an attacker to first obtain administrative access to the Serv-U service, which typically involves either domain administrator credentials or group administrator privileges within the software's management interface. Once these initial privileges are acquired, the vulnerability allows for the creation of new system administrator accounts and subsequent execution of arbitrary code with elevated privileges. This represents a classic privilege escalation attack vector that directly violates the principle of least privilege and undermines the fundamental security model of the software. The flaw likely stems from improper input validation or insufficient authorization checks within the user management and privilege assignment modules of Serv-U's codebase.
The operational impact of CVE-2025-40538 extends far beyond the immediate compromise of individual systems, as it provides attackers with a persistent backdoor into network infrastructure through the creation of system admin users. This vulnerability can enable attackers to establish long-term access to sensitive data, modify system configurations, install malicious software, and potentially pivot to other systems within the network. The ability to execute arbitrary code as a privileged account creates a significant risk for data breaches, system corruption, and unauthorized access to confidential information. Organizations running Serv-U in production environments face potential exposure to advanced persistent threats and insider threats that can leverage this vulnerability for comprehensive system compromise.
The risk assessment for this vulnerability varies significantly based on deployment environment, with Windows systems typically scoring the risk as medium due to the default practice of running services under less-privileged accounts. However, this medium scoring does not diminish the severity of the vulnerability, as it still represents a critical security weakness that can be exploited to achieve system compromise. The vulnerability aligns with CWE-284, which specifically addresses improper access control and inadequate authorization mechanisms in software systems. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques and persistence mechanisms that attackers commonly employ to maintain access to compromised systems. Organizations should implement immediate mitigations including restricting administrative access to Serv-U, applying vendor patches when available, and monitoring for unauthorized user creation or privilege escalation attempts. Network segmentation and regular security audits become crucial defensive measures to limit the potential impact of exploitation, while comprehensive incident response procedures should be established to address potential compromise scenarios.
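The two points above that a defender can act on are the missing authorization boundary (a domain or group admin creating a system admin account) and the recommended monitoring for unauthorized user creation. The following Python is an added illustration written for this page; it is not Serv-U's code and not VulDB's, and it does not reproduce the actual flaw. It uses a hypothetical four-tier role model (system_admin, domain_admin, group_admin, user), a flawed create-user check next to a hardened one that enforces tier and domain scope, and an audit pass over constructed audit records (the record fields are an assumption, not Serv-U's log format) that flags any account creation where a non-system admin granted a role at or above its own tier.

```python
# Added example, not Serv-U's code: a hypothetical admin-tier model showing the
# authorization check whose absence CVE-2025-40538 describes (a domain or group
# admin creating a system admin), plus an audit pass that flags tier escalations
# in constructed audit records. Role names and record fields are assumptions.
from dataclasses import dataclass

# Hypothetical privilege tiers, highest first. Serv-U's real role model is not quoted here.
TIER = {"system_admin": 3, "domain_admin": 2, "group_admin": 1, "user": 0}


class AccessDenied(Exception):
    """Raised when an administrative action fails the authorization check."""


@dataclass
class Account:
    name: str
    role: str
    domain: str


def is_admin(acct: Account) -> bool:
    return TIER[acct.role] >= TIER["group_admin"]


def create_user_vulnerable(actor: Account, name: str, role: str, domain: str,
                           directory: dict) -> Account:
    """Flawed check: confirms the actor is *some* admin but never compares tiers,
    so a domain or group admin can mint a system admin account."""
    if not is_admin(actor):
        raise AccessDenied("not an administrator")
    acct = Account(name, role, domain)
    directory[name] = acct
    return acct


def create_user_hardened(actor: Account, name: str, role: str, domain: str,
                         directory: dict) -> Account:
    """Hardened check: only a system admin may grant any role; lower admins may
    grant roles strictly below their own tier and only inside their own domain."""
    if not is_admin(actor):
        raise AccessDenied("not an administrator")
    if actor.role != "system_admin":
        if TIER[role] >= TIER[actor.role]:
            raise AccessDenied(f"{actor.role} may not grant {role}")
        if domain != actor.domain:
            raise AccessDenied("target domain is outside the actor's scope")
    acct = Account(name, role, domain)
    directory[name] = acct
    return acct


# Constructed audit records (not a real Serv-U log format): who created whom, with roles.
SAMPLE_AUDIT = [
    {"ts": "2026-02-25T09:00:01", "actor": "root-admin", "actor_role": "system_admin",
     "action": "create_user", "target": "dom-admin", "target_role": "domain_admin"},
    {"ts": "2026-02-25T09:05:12", "actor": "dom-admin", "actor_role": "domain_admin",
     "action": "create_user", "target": "svc_backup", "target_role": "system_admin"},
    {"ts": "2026-02-25T09:07:40", "actor": "grp-admin", "actor_role": "group_admin",
     "action": "create_user", "target": "alice", "target_role": "user"},
    {"ts": "2026-02-25T09:09:03", "actor": "grp-admin", "actor_role": "group_admin",
     "action": "create_user", "target": "g2", "target_role": "group_admin"},
    {"ts": "2026-02-25T09:10:00", "actor": "dom-admin", "actor_role": "domain_admin",
     "action": "login", "target": "", "target_role": ""},
]


def find_escalations(records: list) -> list:
    """Return target names of account creations where a non-system admin granted
    a role at or above its own tier: the pattern to alert on for this CVE."""
    hits = []
    for r in records:
        if r["action"] != "create_user":
            continue
        if r["actor_role"] == "system_admin":
            continue
        if TIER[r["target_role"]] >= TIER[r["actor_role"]]:
            hits.append(r["target"])
    return hits


if __name__ == "__main__":
    dom = Account("dom-admin", "domain_admin", "corp")
    print("vulnerable:", create_user_vulnerable(dom, "svc_backup", "system_admin", "corp", {}))
    try:
        create_user_hardened(dom, "svc_backup", "system_admin", "corp", {})
    except AccessDenied as e:
        print("hardened:", e)
    print("escalations:", find_escalations(SAMPLE_AUDIT))
```

The hardened check denies the exact pattern the advisory describes (a domain admin granting system_admin) while still letting that admin create lower-tier accounts in its own domain, and `find_escalations` is the alerting rule implied by the "monitor for unauthorized user creation" mitigation: in the constructed records it flags `svc_backup` (domain admin granting system_admin) and `g2` (group admin granting its own tier), and ignores the legitimate creations and the unrelated login event.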