SolarWinds Serv-U CVE-2026-28318 exploitation

Summary

CVE-2026-28318 is an unauthenticated denial-of-service vulnerability in SolarWinds Serv-U. SolarWinds says specially crafted HTTP POST requests with Content-Encoding: deflate can crash the Serv-U service, and CISA added the flaw to the Known Exploited Vulnerabilities catalog on June 5, 2026.

The durable threat-intelligence value is not code execution; it is availability pressure against exposed managed-file-transfer infrastructure. A low-complexity unauthenticated crash primitive can disrupt file-transfer operations, mask other activity, or become a repeated outage path while defenders are handling other edge-service risk.

Why this matters

  • Serv-U is commonly deployed as internet-facing file-transfer infrastructure, making even availability-only bugs operationally disruptive.
  • The vulnerable request is unauthenticated and network reachable; the public sources reviewed here indicate that neither user interaction nor prior access is required.
  • CISA KEV inclusion confirms known exploitation and sets a June 19, 2026 remediation due date for covered federal agencies.
  • A crash loop against file-transfer infrastructure can interrupt business processes and may obscure concurrent credential, web-shell, or data-staging investigations.

Operational characteristics

  • Affected product: SolarWinds Serv-U 15.5.4 and below.
  • Fixed release: SolarWinds Serv-U 15.5.4 HF1.
  • Exploit primitive: unauthenticated HTTP POST request using a Content-Encoding: deflate header that can crash the Serv-U service.
  • Impact: availability only in public scoring reviewed here; SolarWinds' CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
  • CWE: CISA and NVD list CWE-400, uncontrolled resource consumption.
  • Known exploitation: CISA added the CVE to KEV on June 5, 2026; the KEV entry lists known ransomware campaign use as unknown.
  • Attribution: no public actor or malware attribution was identified in the reviewed CISA, NVD, or SolarWinds sources.

Defender heuristics

  • Inventory externally reachable Serv-U hosts and prioritize upgrade to 15.5.4 HF1.
  • If upgrade cannot happen immediately, follow SolarWinds' compensating controls: limit access to known addresses where possible and block POST requests containing a Content-Encoding header value of deflate at a WAF, reverse proxy, or edge filter.
  • Review web access logs, reverse-proxy logs, WAF logs, and Serv-U service restart/crash telemetry for unauthenticated POST requests with Content-Encoding: deflate.
  • Preserve outage and access logs before restarting or patching if repeated crashes occurred; availability attacks against managed-file-transfer services can coincide with credential guessing, path probing, or data-staging attempts.
  • Treat confirmed exploitation as an edge-service incident: validate exposed accounts, recent file-transfer activity, administrative logins, configuration changes, and unexpected inbound source patterns even if the CVE itself is scored as denial of service.
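
The log review described above can be scripted. The following is an added example, not code from SolarWinds, CISA, or this page's sources. It assumes a reverse proxy in front of Serv-U that writes the request's Content-Encoding header into each access-log line (the line format, sample lines, restart times, and function names are all constructed for illustration) and checks whether matching POSTs were followed by a service restart.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed proxy log format (not a Serv-U format):
#   <src_ip> [<ISO-8601 time>] "<METHOD> <path> HTTP/x" <status> ce="<request Content-Encoding>"
SAMPLE_LOG = """\
198.51.100.7 [2026-06-06T02:14:03+00:00] "POST / HTTP/1.1" 502 ce="deflate"
198.51.100.7 [2026-06-06T02:14:41+00:00] "POST / HTTP/1.1" 502 ce="Deflate"
203.0.113.20 [2026-06-06T02:15:10+00:00] "GET / HTTP/1.1" 200 ce="-"
203.0.113.20 [2026-06-06T02:16:02+00:00] "POST /upload HTTP/1.1" 200 ce="gzip"
192.0.2.44 [2026-06-06T09:30:00+00:00] "POST / HTTP/1.1" 200 ce="gzip, deflate"
"""
# Constructed service restart times, e.g. exported from service-manager or crash telemetry.
SAMPLE_RESTARTS = ["2026-06-06T02:14:05+00:00", "2026-06-06T02:14:43+00:00"]

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ce="([^"]*)"$')

def has_deflate(value):
    """True if any comma-separated Content-Encoding token is 'deflate' (case-insensitive)."""
    return any(tok.strip().lower() == "deflate" for tok in value.split(","))

def find_deflate_posts(log_text):
    """Return (source_ip, timestamp, path) for each POST whose Content-Encoding includes deflate."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        src, ts, method, path, _status, ce = m.groups()
        if method.upper() == "POST" and has_deflate(ce):
            hits.append((src, datetime.fromisoformat(ts), path))
    return hits

def correlate(hits, restarts, window_seconds=30):
    """Per source: count of matching POSTs, and how many were followed by a restart in the window."""
    restart_times = [datetime.fromisoformat(r) for r in restarts]
    window = timedelta(seconds=window_seconds)
    summary = defaultdict(lambda: {"posts": 0, "followed_by_restart": 0})
    for src, ts, _path in hits:
        summary[src]["posts"] += 1
        if any(ts <= r <= ts + window for r in restart_times):
            summary[src]["followed_by_restart"] += 1
    return dict(summary)

if __name__ == "__main__":
    for src, stats in correlate(find_deflate_posts(SAMPLE_LOG), SAMPLE_RESTARTS).items():
        print(src, stats)
```

A matching POST on its own is only a lead, since a client may send deflate-encoded bodies for ordinary reasons; sources whose requests are repeatedly followed by a restart are the ones to prioritize.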

Sources

  • CISA KEV JSON: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • CISA KEV catalog page: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • SolarWinds advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28318