
CVE-2026-28318: SolarWinds Serv-U Unauthenticated DoS via Deflate Header

CVE Details

CVE ID CVE-2026-28318
CVSS Score 7.5
Severity High
Vendor SolarWinds
Product Serv-U
Patch Status Available
Published June 6, 2026
EPSS Score 0.1%
CISA Patch Deadline June 27, 2026

Background

SolarWinds Serv-U is a managed file transfer (MFT) and SFTP server platform widely deployed by enterprises, government agencies, and healthcare organisations for secure file sharing and transfer automation. Serv-U exposes FTP, FTPS, SFTP, HTTP, and HTTPS interfaces, making it a network-accessible service with a large attack surface.

SolarWinds products have attracted persistent threat actor attention since the 2020 SUNBURST supply chain compromise. Serv-U specifically was targeted by a Chinese nation-state actor in 2021 via CVE-2021-35211 (a memory escape vulnerability exploited in the wild before disclosure). CVE-2026-28318 is a denial-of-service vulnerability that allows any unauthenticated attacker to crash the Serv-U service process, disrupting file transfer operations. CISA added it to the KEV catalogue with a remediation due date of 2026-06-19.

Technical Mechanism

CVE-2026-28318 is an uncontrolled resource consumption vulnerability (CWE-400) in the HTTP/HTTPS request handling layer of SolarWinds Serv-U. The vulnerability is triggered by sending a POST request with a Content-Encoding: deflate header to the Serv-U web interface.

The likely mechanism:

  1. An attacker sends a POST request to any HTTP/HTTPS endpoint on the Serv-U web interface
  2. The request includes Content-Encoding: deflate in the request headers
  3. Serv-U’s HTTP server attempts to decompress the request body using the deflate algorithm
  4. The decompression handler does not enforce limits on resource consumption — either memory allocation, CPU cycles, or both
  5. The decompression operation consumes excessive resources, causing the Serv-U service to crash or become unresponsive
  6. No authentication is required — the vulnerability exists in the pre-authentication request parsing path

This class of vulnerability is sometimes called a “decompression bomb” or “zip bomb” variant: specially crafted compressed data can expand to many times its original size, exhausting the target’s memory or CPU before the operation is complete. Because the vulnerability is in the HTTP header processing layer, it is reachable without any prior authentication, meaning any network-accessible Serv-U instance is a viable target.

Attack complexity: Low. The attack requires only an HTTP client capable of sending custom headers and a minimal POST body. No credentials, no prior reconnaissance of the target’s configuration, and no exploitation of memory corruption are required.
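As an added example (not Serv-U's own code, whose internals are not public), the limit that step 4 above describes as missing: a streaming inflater for a Content-Encoding: deflate body that stops once the inflated output exceeds either an absolute cap or a compression-ratio cap, so a small request body cannot expand without bound. The cap values, the chunk size and the two sample bodies are assumptions constructed for this illustration.

```python
import zlib

MAX_INFLATED_BYTES = 1024 * 1024   # assumed policy: cap on inflated request-body size
MAX_RATIO = 100                    # assumed policy: cap on inflated/compressed size ratio
CHUNK = 64 * 1024                  # inflate at most this much per step before re-checking


class InflateLimitExceeded(Exception):
    """The body would expand past the configured limits."""


def bounded_inflate(body, max_out=MAX_INFLATED_BYTES, max_ratio=MAX_RATIO):
    """Inflate a Content-Encoding: deflate body (zlib-wrapped, RFC 1950) with caps.

    max_length makes each decompress() step return at most CHUNK bytes, so the
    running total is checked before the next chunk is produced, not after one
    unbounded call has already committed the memory.
    """
    limit = min(max_out, max_ratio * max(len(body), 1))
    d = zlib.decompressobj()
    out = bytearray()
    data = body
    while not d.eof:
        chunk = d.decompress(data, CHUNK)
        if not chunk and len(d.unconsumed_tail) == len(data):
            break                    # no progress: truncated stream, nothing more to produce
        out += chunk
        if len(out) > limit:
            raise InflateLimitExceeded(
                f"inflated size exceeded {limit} bytes (compressed input was {len(body)})")
        data = d.unconsumed_tail     # input zlib has not consumed yet
    return bytes(out)


def inflate_request_body(body):
    """Handler-side use of the cap: ("ok", data) or ("rejected", reason)."""
    try:
        return "ok", bounded_inflate(body)
    except InflateLimitExceeded as exc:
        return "rejected", str(exc)
    except zlib.error as exc:
        return "rejected", f"corrupt deflate body: {exc}"


# Constructed sample bodies for this example.
NORMAL_PAYLOAD = b'{"file": "report.csv", "size": 2048}'
NORMAL_BODY = zlib.compress(NORMAL_PAYLOAD)
# A few KB of deflate that inflates to 4 MiB, the shape of input an unbounded
# decompressor would expand in full; bounded_inflate stops at `limit` instead.
HIGHLY_COMPRESSIBLE_BODY = zlib.compress(b"\0" * (4 * 1024 * 1024))
```

Whichever of the two caps is lower applies, so a tiny body is held to the ratio cap long before the absolute cap is reached.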

Real-World Exploitation Evidence

CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalogue with a remediation deadline of 2026-06-19, indicating confirmed in-the-wild exploitation. The low exploitation barrier — unauthenticated, single request, no specialised tooling — makes it accessible to a wide range of threat actors:

  • Ransomware operators — Serv-U downtime directly disrupts file transfer workflows; forcing a service crash ahead of or alongside encryption operations maximises operational disruption
  • Hacktivists and opportunistic attackers — unauthenticated DoS against a well-known brand with a public-facing service is a common pattern
  • Advanced persistent threat groups — crashing Serv-U can disrupt security monitoring, log forwarding, and incident response file transfers; used as a component of a broader intrusion

Serv-U’s prevalence in regulated industries (healthcare, finance, government) makes availability disruption particularly impactful.

Impact Assessment

Successful exploitation crashes the Serv-U service process. Depending on the deployment configuration:

  • File transfer operations halt — automated SFTP/FTP workflows, scheduled transfers, and real-time file sharing all stop until the service is restarted
  • Web interface unavailability — administrative access to manage Serv-U is lost until restart
  • Log gaps — if Serv-U is restarted after a crash, log continuity may be disrupted
  • High availability failover — organisations without HA configurations will experience unplanned downtime; those with HA may see transient disruption during failover

This is a pure availability impact. There is no evidence that CVE-2026-28318 enables credential theft, data exfiltration, or remote code execution. However, repeated crash-and-restart cycles can be used to suppress logging and monitoring activity in a targeted environment.

Affected Versions

Component            Affected Versions            Fixed Version
SolarWinds Serv-U    Prior to 15.5.4 Hotfix 1     Serv-U 15.5.4 Hotfix 1
Serv-U MFT Server    Prior to 15.5.4 Hotfix 1     Serv-U 15.5.4 Hotfix 1
Serv-U FTP Server    Prior to 15.5.4 Hotfix 1     Serv-U 15.5.4 Hotfix 1

Consult the SolarWinds Security Advisory for the full list of affected product variants and build numbers.

Remediation Steps

  1. Apply Serv-U 15.5.4 Hotfix 1 immediately — this is the vendor-provided fix; no other mitigation fully addresses the vulnerability
  2. Restrict network access to Serv-U interfaces — if Serv-U does not need to be internet-accessible, place it behind a firewall and restrict access to authorised source IP ranges only
  3. Deploy a reverse proxy or WAF — if Serv-U must be internet-accessible, placing a reverse proxy in front of it can filter malformed requests before they reach the service
  4. Enable automatic service restart — ensure the Serv-U Windows service (or Linux daemon) is configured to restart automatically on crash while patching is arranged; this limits downtime but does not prevent the attack
  5. Monitor for repeated crash events — configure alerting on Serv-U service restart events; multiple crashes in a short window indicate active exploitation
  6. Review access logs prior to patching — look for patterns of POST requests with unusual Content-Encoding headers that may indicate reconnaissance or exploitation attempts

Detection Guidance

Windows Event Logs:

  • Event ID 7034: Service control manager — “Serv-U” service terminated unexpectedly
  • Event ID 7036: Service started/stopped events for Serv-U
  • Repeated 7034 events within a short window indicate likely exploitation

Serv-U access logs — look for:

POST /any-endpoint HTTP/1.1
Content-Encoding: deflate

Filter for POST requests with Content-Encoding: deflate originating from unexpected or external IP addresses.

SIEM query example (Splunk):

index=servu_access OR index=windows_events
| eval is_crash=if(EventCode=7034 AND ServiceName="Serv-U", 1, 0)
| eval is_exploit_attempt=if(method="POST" AND like(request_headers, "%deflate%"), 1, 0)
| fillnull value="-" src_ip
| stats count by src_ip, is_crash, is_exploit_attempt
| where count > 3
| sort -count

Network-level detection:

  • IDS/IPS rule: flag POST requests to Serv-U HTTP/HTTPS ports (typically 80, 443, 8080) with Content-Encoding: deflate in the headers from non-whitelisted source addresses
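The access-log and event-log checks above, as an added example that is not part of the original advisory: it counts POST requests carrying Content-Encoding: deflate per source IP outside the trusted ranges, and flags a burst of Event ID 7034 terminations of the Serv-U service inside a sliding time window. The log layout, field order, trusted ranges and every record are constructed assumptions; the parser must be adapted to Serv-U's actual access-log format.

```python
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed sample lines for this example; Serv-U's real access-log layout is not
# reproduced. Fields: timestamp, source IP, method, path, Content-Encoding value ("-" if absent), status.
ACCESS_LOG = """\
2026-06-07T09:00:01Z 203.0.113.7 POST /any-endpoint deflate 500
2026-06-07T09:00:02Z 203.0.113.7 POST /any-endpoint deflate 500
2026-06-07T09:00:05Z 10.0.0.25 POST /any-endpoint - 200
2026-06-07T09:00:09Z 10.0.0.25 POST /any-endpoint deflate 200
2026-06-07T09:01:10Z 198.51.100.9 GET /any-endpoint deflate 200
"""
# Constructed Service Control Manager records: (timestamp, Event ID, service name).
WINDOWS_EVENTS = [
    ("2026-06-07T09:00:03Z", 7034, "Serv-U"),
    ("2026-06-07T09:00:04Z", 7036, "Serv-U"),
    ("2026-06-07T09:03:40Z", 7034, "Serv-U"),
    ("2026-06-07T09:08:15Z", 7034, "Serv-U"),
    ("2026-06-07T11:30:00Z", 7034, "Spooler"),
]
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal ranges

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def suspicious_deflate_posts(log_text, trusted_nets=TRUSTED_NETS):
    """Count POSTs carrying Content-Encoding: deflate per source IP outside trusted_nets."""
    hits = Counter()
    for line in log_text.splitlines():
        _, src, method, _, enc, _ = line.split()
        if method != "POST" or enc.lower() != "deflate":
            continue
        if any(ipaddress.ip_address(src) in net for net in trusted_nets):
            continue   # internal clients may legitimately send compressed bodies; tune per environment
        hits[src] += 1
    return dict(hits)

def servu_crash_burst(events, window_minutes=10, threshold=3):
    """True if `threshold` or more Event ID 7034 records for Serv-U fall inside one window."""
    window = timedelta(minutes=window_minutes)
    crashes = sorted(_ts(t) for t, eid, svc in events if eid == 7034 and svc == "Serv-U")
    for i, start in enumerate(crashes):
        j = i
        while j < len(crashes) and crashes[j] - start <= window:
            j += 1                     # extend the window from crash i forward
        if j - i >= threshold:
            return True
    return False
```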

Timeline

Date          Event
2026          CVE-2026-28318 identified in SolarWinds Serv-U HTTP request handling
2026-Q2       SolarWinds releases Serv-U 15.5.4 Hotfix 1 addressing the vulnerability
2026-06-06    CISA adds CVE-2026-28318 to KEV catalogue
2026-06-19    CISA remediation due date for federal agencies
2026-06-06    This analysis published
