SolarWinds Serv-U CVE-2026-28318 (CVSS 7.5) DoS
SolarWinds Serv-U, a multi-protocol file server software, is currently impacted by an actively exploited denial-of-service (DoS) vulnerability, identified as CVE-2026-28318. This high-severity flaw carries a CVSS score of 7.5, indicating a substantial risk to the availability of affected systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog, showing its immediate threat and confirmed in-the-wild exploitation.
The vulnerability stems from an uncontrolled resource consumption issue, triggered by specially crafted POST requests. These requests use Content-Encoding: deflate and do not require authentication. They can cause the Serv-U service to crash, disrupting file transfer operations and impacting business continuity. Organizations deploying SolarWinds Serv-U must prioritize remediation efforts to mitigate the risk posed by this actively exploited flaw.
This post analyzes CVE-2026-28318, covering its technical characteristics, impact, affected versions, and guidance for detection and remediation. The presence of this vulnerability in the CISA KEV catalog requires immediate attention from all federal civilian executive branch (FCEB) agencies, which have been directed to apply patches by June 19, 2026. The directive also serves as a warning to private sector entities globally.
Impact
Successful exploitation of CVE-2026-28318 results in an availability impact, specifically a denial-of-service condition. An unauthenticated attacker can trigger a crash of the SolarWinds Serv-U service by sending specially crafted POST requests. CISA describes this as an "uncontrolled resource consumption" vulnerability, where the service is forced to consume excessive system resources (such as memory or CPU cycles) until it becomes unresponsive or terminates abruptly.
For organizations reliant on SolarWinds Serv-U for secure file transfer and exchange, a service crash translates directly into operational disruption. File uploads, downloads, and data transfer functions would cease, potentially halting business processes, impairing data sharing, and impacting overall productivity. While CVE-2026-28318 does not inherently lead to data theft or direct system compromise in terms of confidentiality or integrity, the loss of availability can have severe financial and reputational consequences, particularly for entities handling sensitive or time-critical information.
CVE-2026-28318's inclusion in CISA's Known Exploited Vulnerabilities catalog means real-world attacks are occurring. This changes the vulnerability from a theoretical risk to an immediate threat of operational disruption for organizations using SolarWinds Serv-U. The CVSS score of 7.5 reflects a high-severity flaw that is easy to exploit and directly impacts service availability. The CISA mandate for FCEB agencies to address the flaw by a specific deadline underlines the urgency and criticality of this vulnerability across all sectors.
What is CVE-2026-28318 and its exploitation chain?
CVE-2026-28318 is a denial-of-service vulnerability affecting SolarWinds Serv-U that allows an unauthenticated attacker to crash the service. The exploitation chain for this vulnerability involves an attacker sending specially crafted POST requests to the vulnerable Serv-U instance. These requests specifically use the Content-Encoding: deflate header.
The vulnerability arises because SolarWinds Serv-U is susceptible to an uncontrolled resource consumption issue when processing these particular requests. While available advisories do not fully detail the exact technical mechanism causing the resource consumption, the service's handling of the deflate content encoding, possibly during decompression or parsing, leads to excessive resource allocation or consumption. This causes the Serv-U process to become unstable and terminate, resulting in a DoS condition. The fact that this can be achieved without authentication significantly lowers the bar for an attacker, as no prior credentials or access are required to initiate the attack.
The active exploitation status, as confirmed by CISA, indicates that threat actors have developed and are deploying exploits for CVE-2026-28318 in real-world environments. While specific details about the attackers or the nature of campaigns are not publicly available, the addition to the KEV catalog implies that this vulnerability is being used for disruptive purposes. Historically, SolarWinds Serv-U has been a target for various threat actors, including sophisticated groups like the Cl0p ransomware gang (which exploited a different vulnerability, CVE-2021-35211, for initial access). This shows why threat actors find Serv-U an appealing attack vector. Our prior analysis of another critical denial-of-service vulnerability, CVE-2026-49975, further demonstrates the potential for severe disruption through such flaws.
Which SolarWinds Serv-U versions are affected?
The SolarWinds Serv-U vulnerability, CVE-2026-28318, affects versions of the software prior to the release of the official patch.
Specifically, the issue has been addressed in SolarWinds Serv-U version 15.5.4 HF1. This means that any installed instance of SolarWinds Serv-U running a version older than 15.5.4 HF1 is susceptible to the denial-of-service flaw. Organizations should verify their current Serv-U installation version immediately.
Affected versions include:
- SolarWinds Serv-U versions 15.5.4 and earlier.
Organizations are advised to upgrade to the patched version as soon as possible to mitigate the risk of exploitation.
Detection Strategies
Detecting attempts to exploit CVE-2026-28318 primarily involves monitoring network traffic and server logs for specific patterns indicative of the attack vector. Because the vulnerability involves specially crafted POST requests with a specific content encoding, network and application-level logging are crucial.
Concrete detection guidance includes:
- Network Intrusion Detection/Prevention Systems (NIDS/NIPS) and Firewalls:
- Configure rules to detect and alert on HTTP POST requests targeting SolarWinds Serv-U services with a Content-Encoding: deflate header. This header is typically not required for normal Serv-U functionality, making its presence a strong indicator of malicious intent.
- Monitor for a sudden increase in POST requests to Serv-U endpoints, particularly if followed by service disruptions or crashes.
- Implement traffic shaping or rate limiting for unauthenticated POST requests to the Serv-U port to hinder DoS attempts.
- Web Server/Application Logs:
- Review SolarWinds Serv-U access logs and error logs for entries immediately preceding a service crash or restart. Look for HTTP POST requests from suspicious IP addresses.
- Filter logs for occurrences of Content-Encoding: deflate within incoming request headers. While direct logging of full headers might vary by configuration, some logging mechanisms can capture this information.
- Look for abnormal process terminations or restart messages in system event logs or Serv-U specific logs.
- Endpoint Detection and Response (EDR) Systems:
- While available research does not detail specific EDR queries, general EDR monitoring for abnormal CPU usage, memory spikes, or unexpected process termination of the Serv-U application could indicate an ongoing DoS attack.
- Monitor for crash dumps or error reports generated by the Serv-U process.
- Security Information and Event Management (SIEM) Systems:
- Ingest logs from firewalls, NIDS/NIPS, and SolarWinds Serv-U application logs into a SIEM platform.
- Create correlation rules to alert on high volumes of Content-Encoding: deflate POST requests followed by Serv-U service outages or restarts.
- Establish baselines for normal Serv-U resource utilization and alert on significant deviations.
Organizations should also verify the network exposure of their Serv-U instances. If a Serv-U instance is internet-exposed, detection and monitoring become even more critical due to the vulnerability's unauthenticated nature.
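Worked detection logic for the log-review and SIEM-correlation steps above, added here as an example that is not part of the original post or of any SolarWinds tooling: it flags POST requests carrying Content-Encoding: deflate in constructed log lines and raises an alert when a burst of them from one client precedes a service-termination event. The log layout, the SERVICE crash marker and the burst/window thresholds are assumptions to adapt to your actual Serv-U and system logs.

```python
"""Flag POST requests carrying Content-Encoding: deflate and correlate a burst
of them from one client with a later Serv-U service-termination event."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED "<ts> <client> <METHOD> <path> <hdr>"
# layout; Serv-U's real log format differs, so adapt LINE_RE to it.
SAMPLE_LOG = [
    "2026-06-01T10:00:01Z 203.0.113.5 POST /api/ content-encoding=deflate",
    "2026-06-01T10:00:01Z 198.51.100.7 GET /login -",
    "2026-06-01T10:00:02Z 203.0.113.5 POST /api/ content-encoding=deflate",
    "2026-06-01T10:00:03Z 203.0.113.5 POST /api/ content-encoding=deflate",
    "2026-06-01T10:00:04Z 198.51.100.7 POST /api/ content-encoding=gzip",
    "2026-06-01T10:00:09Z SERVICE - - process-terminated",  # assumed crash marker
    "2026-06-01T10:30:00Z 192.0.2.9 POST /api/ content-encoding=deflate",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(line):
    # Parse one assumed-layout line into a dict; None when the line does not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, path, hdr = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "path": path, "hdr": hdr.lower()}

def is_deflate_post(ev):
    # The page's indicator: a POST whose body is declared as deflate-encoded.
    return ev["method"] == "POST" and ev["hdr"] == "content-encoding=deflate"

def flag_deflate_posts(lines):
    """Return (timestamp, client) for every POST using Content-Encoding: deflate."""
    return [(e["ts"], e["client"]) for e in map(parse, lines) if e and is_deflate_post(e)]

def correlate_crash(lines, burst=3, window=timedelta(seconds=30)):
    """Alert when >= burst deflate POSTs from one client land within `window`
    before a service-termination event (the SIEM correlation described above)."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for crash in (e for e in events if e["client"] == "SERVICE" and e["hdr"] == "process-terminated"):
        counts = {}
        for e in events:
            if is_deflate_post(e) and crash["ts"] - window <= e["ts"] <= crash["ts"]:
                counts[e["client"]] = counts.get(e["client"], 0) + 1
        alerts += [{"client": c, "count": n, "crash_at": crash["ts"]}
                   for c, n in counts.items() if n >= burst]
    return alerts
```

On the sample data the lone deflate POST from 192.0.2.9 is flagged but raises no crash alert, which is the distinction a SIEM rule needs to keep single benign hits from paging anyone.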
Remediation Measures
Addressing CVE-2026-28318 requires immediate action due to its active exploitation status. Organizations should prioritize patching and, where patching is not immediately feasible, implement the specified workarounds.
- Patching:
- The primary and most effective remediation is to upgrade SolarWinds Serv-U to version 15.5.4 HF1 or later. This version contains the necessary fix to prevent the uncontrolled resource consumption vulnerability triggered by specially crafted POST requests.
- Review the official SolarWinds security advisory for CVE-2026-28318 to ensure all prerequisites and post-installation steps for the patch are followed correctly.
- Workarounds and Mitigations:
- Limit Access to Known Addresses: Restrict network access to SolarWinds Serv-U to only trusted IP addresses or networks. This can be achieved through firewall rules, network access control lists (ACLs), or security group configurations. By limiting who can connect to the Serv-U instance, the attack surface for unauthenticated exploitation is significantly reduced.
- Block Requests Containing "Content-Encoding": Implement firewall or web application firewall (WAF) rules to block any HTTP POST requests that include the Content-Encoding header. The SolarWinds advisory indicates the vulnerable service does not require this functionality for legitimate operations. Care should be taken to ensure this rule does not inadvertently block other legitimate web services if the WAF covers more than just the Serv-U application.
- Disable Public Exposure: If SolarWinds Serv-U does not require internet exposure, remove it from public-facing networks. This reduces the risk surface to internal networks only.
- Monitoring:
- Following the implementation of patches or workarounds, maintain vigilant monitoring of SolarWinds Serv-U logs and system performance. Continuously observe for signs of attempted exploitation or abnormal service behavior to confirm the effectiveness of remediations. This includes monitoring for Serv-U process crashes, unusual resource consumption, and network traffic patterns consistent with the described attack.
Organizations should develop an incident response plan for SolarWinds Serv-U instances, given the product's history of critical vulnerabilities, such as CVE-2025-26399. This ensures a coordinated and rapid response if a DoS event occurs despite remediation efforts.
Technical Takeaways
- CVE-2026-28318 is a high-severity (CVSS 7.5) denial-of-service vulnerability affecting SolarWinds Serv-U.
- The flaw is caused by uncontrolled resource consumption from unauthenticated, specially crafted POST requests using Content-Encoding: deflate.
- CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog, confirming active exploitation.
- The primary remediation is upgrading SolarWinds Serv-U to version 15.5.4 HF1.
- Effective mitigations include limiting network access to trusted IPs and blocking HTTP POST requests containing the Content-Encoding header via firewall or WAF rules.
- Continuous monitoring of network traffic and application logs for suspicious POST requests and service instabilities is crucial for detection.