Vendor scorecard
SolarWinds
SolarWinds security disclosure record — CVE volume, CVSS severity mix and product-category breakdown, sourced from the NIST NVD.
CPE: solarwinds
Product families
2
Open in latest
46
Inferred — see methodology
Last disclosure
Jun 4, 2026
01
Product categories
2 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| Serv-UNetwork Management & Monitoringserv-u | 11 | 11 | 15.5.4HIGH | ||
| Orion / Network Performance MonitorNetwork Management & Monitoringorion_platform, network_performance_monitor, network_configuration_manager | 0 | 35 | 2023.4MED |
02
Recent CVEs
11 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-28318(opens NVD record) | High | 7.5 | SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update | Jun 4, 2026 |
| CVE-2025-40541(opens NVD record) | Critical | 9.1 | An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | Feb 24, 2026 |
| CVE-2025-40540(opens NVD record) | Critical | 9.1 | A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | Feb 24, 2026 |
| CVE-2025-40539(opens NVD record) | Critical | 9.1 | A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | Feb 24, 2026 |
| CVE-2025-40538(opens NVD record) | Critical | 9.1 | A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | Feb 24, 2026 |
| CVE-2025-40549(opens NVD record) | Critical | 9.1 | A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled. | Nov 18, 2025 |
| CVE-2025-40548(opens NVD record) | Critical | 9.1 | A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | Nov 18, 2025 |
| CVE-2025-40547(opens NVD record) | Critical | 9.1 | A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | Nov 18, 2025 |
| CVE-2024-45712(opens NVD record) | Low | 2.6 | SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low. | Apr 15, 2025 |
| CVE-2024-45714(opens NVD record) | Medium | 4.8 | Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload. | Oct 16, 2024 |
| CVE-2024-45711(opens NVD record) | High | 7.5 | SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are abused. Authentication is required for this vulnerability | Oct 16, 2024 |
11 CVEs · 2 product families