SolarWinds Serv-U is vulnerable to an unauthenticated denial-of-service condition in which specially crafted POST requests using the Content-Encoding: deflate header crash the Serv-U service. CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-05.
What Is It
CVE-2026-28318 is an uncontrolled resource consumption vulnerability (CWE-400) in SolarWinds Serv-U. According to the vendor advisory and NVD description, an attacker can send specially crafted POST requests with a Content-Encoding: deflate header to crash the Serv-U service. No authentication is required to trigger the condition.
The flaw carries a CVSS 3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, low complexity, no privileges, no user interaction, and a high availability impact with no confidentiality or integrity impact).
Why It Matters
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-06-05, indicating it warrants prioritized remediation. Known ransomware campaign use is listed as Unknown at this time. Because the bug is unauthenticated and crashes the service, any internet-exposed Serv-U instance can be knocked offline by an attacker who can reach the listener, making this a direct availability risk for file-transfer workflows that depend on Serv-U uptime.
What's Vulnerable
Per the NVD CPE configuration, the following are affected:
cpe:2.3:a:solarwinds:serv-u versions prior to 15.5.4
cpe:2.3:a:solarwinds:serv-u:15.5.4 (base release, without the hotfix)
The fix is delivered in the Serv-U 15.5.4 Hotfix 1 release.
Patch Status
SolarWinds has published Serv-U 15.5.4 Hotfix 1, referenced in the vendor release notes. The NVD description also notes that mitigation steps are provided in the SolarWinds Trust Center for customers who cannot immediately deploy the update.
CISA's required action (due 2026-06-19) is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
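While the hotfix or vendor mitigations are being rolled out, the request pattern described above (POST with Content-Encoding: deflate) can be hunted for in logs from a reverse proxy placed in front of Serv-U. The following is an added example, not SolarWinds or CISA code; the JSON-lines schema (ts, src, method, path, req_headers), the sample records and the function names are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records (JSON lines) from a reverse proxy in front of Serv-U.
# The schema (ts, src, method, path, req_headers) is hypothetical, not a Serv-U log format.
SAMPLE_LOG = """\
{"ts":"2026-06-06T10:00:01Z","src":"198.51.100.7","method":"POST","path":"/","req_headers":{"Content-Encoding":"deflate"}}
{"ts":"2026-06-06T10:00:02Z","src":"203.0.113.20","method":"GET","path":"/","req_headers":{}}
{"ts":"2026-06-06T10:00:03Z","src":"198.51.100.7","method":"post","path":"/","req_headers":{"content-encoding":"gzip, Deflate"}}
{"ts":"2026-06-06T10:00:04Z","src":"192.0.2.15","method":"POST","path":"/","req_headers":{"Content-Encoding":"gzip"}}
truncated line that is not JSON
{"ts":"2026-06-06T10:00:06Z","src":"203.0.113.20","method":"GET","path":"/","req_headers":{"Content-Encoding":"deflate"}}
{"ts":"2026-06-06T10:00:07Z","src":"203.0.113.99","method":"POST","path":"/","req_headers":{"Content-Encoding":"deflate"}}
"""


def encodings(headers):
    """Lower-cased content-coding tokens; header names are case-insensitive
    and the value may be a comma-separated list."""
    tokens = []
    for name, value in headers.items():
        if name.lower() == "content-encoding":
            tokens += [t.strip().lower() for t in str(value).split(",") if t.strip()]
    return tokens


def find_deflate_posts(log_text):
    """Return the records that are POST requests declaring a deflate body."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the hunt
        if not isinstance(rec, dict) or str(rec.get("method", "")).upper() != "POST":
            continue
        if "deflate" in encodings(rec.get("req_headers") or {}):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count matching requests per source address for triage."""
    return Counter(rec.get("src", "unknown") for rec in hits)


if __name__ == "__main__":
    for src, count in summarize(find_deflate_posts(SAMPLE_LOG)).most_common():
        print(f"{src}\t{count} POST request(s) with Content-Encoding: deflate")
```

A match is a hunting lead only, since the advisory text does not say what makes a request crafted; correlate hits with Serv-U service crashes or restarts before treating a source as hostile.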