Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting SolarWinds Serv-U multi-protocol file server software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-28318 (CVSS score: 7.5), is a denial-of-service (DoS) bug that causes the service to crash
Analysis Summary
# Vulnerability: SolarWinds Serv-U Uncontrolled Resource Consumption (DoS)
## CVE Details
- **CVE ID:** CVE-2026-28318
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** SolarWinds Serv-U multi-protocol file server
- **Versions:** All versions prior to 15.5.4 HF1
- **Configurations:** Systems exposed to the public internet or untrusted networks are at highest risk.
## Vulnerability Description
CVE-2026-28318 is a denial-of-service (DoS) flaw caused by the improper handling of specially crafted HTTP requests. The vulnerability resides in the way the Serv-U service processes `POST` requests utilizing `Content-Encoding: deflate`. An attacker can send a malicious request that consumes excessive resources, leading to a service crash. Notably, this flaw can be triggered without authentication.
## Exploitation
- **Status:** Actively exploited in the wild (Added to CISA KEV catalog)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The primary impact is service disruption and application crashes)
## Remediation
### Patches
- SolarWinds has released **Serv-U version 15.5.4 HF1** to address this vulnerability. Administrators should upgrade immediately.
### Workarounds
- **Inbound Filtering:** Block any incoming HTTP requests that contain the `Content-Encoding` header, as the Serv-U service does not require this functionality for standard operations.
- **Access Control:** Restrict access to the Serv-U interface to known, trusted IP addresses using firewall allow-lists or VPNs.
## Detection
- **Indicators of Compromise:** Monitor for unexpected service crashes or "Service Unavailable" errors in Serv-U logs.
- **Detection methods and tools:**
  - Inspect web server/proxy logs for unauthenticated `POST` requests utilizing `Content-Encoding: deflate`.
  - Utilize network-based intrusion detection systems (IDS) to flag or drop packets containing the specific deflate encoding header directed at Serv-U ports.
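
One way to run the log inspection described above, as an added example (not SolarWinds or CISA tooling). It assumes a reverse proxy in front of Serv-U writes JSON-lines access logs; the field names `src`, `method`, `req_content_encoding` and `user` are hypothetical, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample (not real traffic): JSON-lines access log from a reverse
# proxy in front of Serv-U. Field names are assumptions; the proxy must be set
# up to log the request Content-Encoding header and the authenticated user.
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","path":"/","status":503,"req_content_encoding":"deflate","user":null}
{"src":"198.51.100.7","method":"post","path":"/","status":503,"req_content_encoding":"gzip, Deflate","user":null}
{"src":"203.0.113.20","method":"POST","path":"/","status":200,"req_content_encoding":"deflate","user":"alice"}
{"src":"203.0.113.21","method":"GET","path":"/","status":200,"req_content_encoding":"deflate","user":null}
{"src":"203.0.113.22","method":"POST","path":"/","status":200,"req_content_encoding":"gzip","user":null}
{"src":"192.0.2.55","method":"POST","path":"/","status":200,"req_content_encoding":"DEFLATE"}
truncated or non-JSON line
"""

def encoding_tokens(value):
    """Content-Encoding is a comma-separated, case-insensitive token list."""
    return {t.strip().lower() for t in str(value or "").split(",") if t.strip()}

def find_suspect_requests(lines):
    """Return records for unauthenticated POSTs that declare deflate encoding."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if "deflate" not in encoding_tokens(rec.get("req_content_encoding")):
            continue
        if rec.get("user"):
            continue  # request carried an authenticated session
        hits.append(rec)
    return hits

def count_by_source(hits):
    """Group hits by client address to prioritise firewall review."""
    return Counter(rec.get("src", "unknown") for rec in hits)

if __name__ == "__main__":
    suspects = find_suspect_requests(SAMPLE_LOG.splitlines())
    for src, n in count_by_source(suspects).most_common():
        print(f"{src}\t{n} unauthenticated POST(s) with Content-Encoding: deflate")
```

Default access-log formats usually omit request headers, so the proxy's log format has to be extended to record `Content-Encoding` before a scan like this can find anything.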
## References
- **SolarWinds Advisory:** hxxps://www[.]solarwinds[.]com/trust-center/security-advisories/cve-2026-28318
- **CISA KEV Catalog:** hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **The Hacker News Article:** hxxps://thehackernews[.]com/2026/06/cisa-adds-actively-exploited-solarwinds.html