SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability (CVE-2026-28318)
Severity Assessment
- Exploitability: 8/10 — The public descriptions identify an unauthenticated network path using specially crafted POST requests with a Content-Encoding: deflate header.
- Impact: 7/10 — Successful exploitation crashes the Serv-U service, affecting availability; the cited sources do not document any confidentiality or integrity impact.
- Weaponization Risk: 8/10 — CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on June 5, 2026, confirming observed exploitation, while public sources do not describe payload infrastructure or a named actor.
- Patch Urgency: 10/10 — SolarWinds released Serv-U 15.5.4 Hotfix 1, and CISA set a June 19, 2026 remediation due date for covered federal systems.
- Detection Coverage: 6/10 — The request pattern is narrow enough for WAF and log detection, but a successful attempt may present only as a service crash if web-layer telemetry is incomplete.
Overall Severity: High.
Summary
CVE-2026-28318 is an uncontrolled resource consumption vulnerability in SolarWinds Serv-U. SolarWinds, NVD, and CISA describe the flaw as allowing specially crafted unauthenticated POST requests using the Content-Encoding: deflate header to crash the Serv-U service. CISA lists the issue as a Known Exploited Vulnerability and records ransomware campaign use as unknown.
SolarWinds identifies Serv-U 15.5.4 and earlier as affected and lists Serv-U 15.5.4 Hotfix 1 as the fixed release. The vendor advisory also provides mitigation guidance for environments that cannot immediately deploy the update, including restricting access where possible and blocking POST requests that include Content-Encoding: deflate.
The cited public sources confirm exploitation but do not establish whether it occurred before the vendor advisory or before the hotfix release. This entry therefore treats the issue as a known-exploited, patched vulnerability whose first-exploitation timing is unknown.
Exploit Chain
Stage 1: Exposed Serv-U Endpoint
An attacker reaches a SolarWinds Serv-U service over the network. The cited descriptions state that no authentication is required to reach the crash condition.
Stage 2: Crafted POST Request
The attacker sends a specially crafted POST request with a Content-Encoding: deflate header. SolarWinds advises blocking POST requests containing that header because the service does not require this functionality.
Stage 3: Resource Consumption Trigger
The malformed request path causes uncontrolled resource consumption in Serv-U. Public sources do not document code execution, data disclosure, or credential theft for this CVE.
Stage 4: Service Crash
Successful exploitation crashes the Serv-U service, creating a denial-of-service condition until the service is restored and the vulnerable path is patched or mitigated.
Detection Guidance
Network defenders should alert on POST requests to Serv-U infrastructure when the request includes a Content-Encoding header whose value contains deflate. Header names are case-insensitive and the value may carry several comma-separated tokens (for example gzip, deflate), so rules should match on the normalized token rather than an exact string. SolarWinds provides rule examples for common web application firewall and proxy platforms, including Azure Front Door WAF, AWS WAF, Cloudflare WAF, F5 BIG-IP, ModSecurity, NGINX, Apache, HAProxy, Imperva, Akamai, Fastly, and Envoy.
Service owners should correlate these requests with Serv-U service restarts, crashes, watchdog recovery events, or unexplained availability gaps. Because the public advisories describe an availability impact, operational telemetry may be the first visible sign when request logging is incomplete.
Patch verification should confirm that affected deployments have moved to Serv-U 15.5.4 Hotfix 1 or later. Where the update cannot be applied immediately, restrict access to known addresses where feasible and block the request pattern described by SolarWinds until the fixed release is installed.
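The detection logic described above, written out as an added example for this entry (it is not SolarWinds code and not taken from the vendor advisory). It assumes a JSON-lines HTTP access log in front of Serv-U and a separate feed of service crash/restart events; the field names, the log records and the event timestamps are all constructed for illustration. The request check is the same pattern a WAF rule would block: a POST whose Content-Encoding token list contains deflate, matched case-insensitively. The correlation step pairs each crash or restart with the suspicious requests that preceded it inside a short window, which is how a defender separates the exploitation signal from a planned restart.

```python
"""Detect POST requests whose Content-Encoding includes "deflate" and
correlate them with Serv-U crash/restart events.

Added example for this entry, not vendor code. Log format, field names,
sample records and event feed are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample access log (JSON lines); field names are assumed.
ACCESS_LOG = """\
{"ts": "2026-06-04T10:00:01Z", "src": "203.0.113.5", "method": "GET", "path": "/", "headers": {"User-Agent": "curl/8.0"}}
{"ts": "2026-06-04T10:02:15Z", "src": "198.51.100.7", "method": "POST", "path": "/", "headers": {"Content-Encoding": "deflate", "Content-Length": "4096"}}
{"ts": "2026-06-04T10:02:16Z", "src": "198.51.100.7", "method": "POST", "path": "/", "headers": {"content-encoding": "gzip, DEFLATE"}}
{"ts": "2026-06-04T10:05:00Z", "src": "192.0.2.9", "method": "POST", "path": "/", "headers": {"Content-Type": "application/xml"}}
{"ts": "2026-06-04T10:06:30Z", "src": "198.51.100.7", "method": "PUT", "path": "/", "headers": {"Content-Encoding": "deflate"}}
"""

# Constructed Serv-U availability events (e.g. from a service monitor).
# The last one is a planned restart with no suspicious request nearby.
SERVICE_EVENTS = [
    ("2026-06-04T10:02:20Z", "crash"),
    ("2026-06-04T10:02:45Z", "restart"),
    ("2026-06-04T12:00:00Z", "restart"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def header_value(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_suspicious(record):
    """True for a POST whose Content-Encoding token list contains 'deflate'.

    Tokens are compared after stripping whitespace and lower-casing, so
    "gzip, DEFLATE" matches while "gzip" alone does not.
    """
    if record.get("method", "").upper() != "POST":
        return False
    encoding = header_value(record.get("headers", {}), "Content-Encoding")
    if encoding is None:
        return False
    tokens = [token.strip().lower() for token in encoding.split(",")]
    return "deflate" in tokens


def find_hits(log_text):
    """Return every access-log record matching the request pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if is_suspicious(record):
            hits.append(record)
    return hits


def correlate(hits, events, window=timedelta(seconds=60)):
    """Pair each service event with suspicious requests seen in the
    preceding window. Events with an empty list are more likely planned
    restarts or a different fault; events with hits warrant escalation."""
    results = []
    for ts, kind in events:
        event_time = parse_ts(ts)
        preceding = [
            hit for hit in hits
            if event_time - window <= parse_ts(hit["ts"]) <= event_time
        ]
        results.append({"event": ts, "kind": kind, "preceding_hits": preceding})
    return results


if __name__ == "__main__":
    found = find_hits(ACCESS_LOG)
    for hit in found:
        print("suspicious:", hit["ts"], hit["src"], hit["method"], hit["path"])
    for row in correlate(found, SERVICE_EVENTS):
        print(row["kind"], row["event"], "preceding hits:", len(row["preceding_hits"]))
```

If the only telemetry available is the service monitor (no request logging in front of Serv-U), the correlation step still works on the event feed alone and simply yields empty hit lists; that gap is the reason the Detection Coverage score above is not higher.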
Indicators of Compromise
Network Indicators
- HTTP POST requests to Serv-U endpoints with Content-Encoding: deflate.
- Repeated POST requests declaring a deflate-compressed body, followed by service unavailability.
- Requests to externally exposed Serv-U hosts shortly before service crash or restart events.
Host Indicators
- Serv-U service crash events without a planned restart or maintenance window.
- Unexpected restart, watchdog, or recovery events for the Serv-U service.
- Availability gaps on systems running Serv-U 15.5.4 or earlier.
Log Indicators
- Web application firewall, reverse proxy, or HTTP access logs containing POST requests with a content-encoding value that includes deflate.
- Deny events from temporary mitigation rules that block the Content-Encoding: deflate request pattern.
Disclosure Timeline
2026-06-03 — Vendor Advisory Published
SolarWinds first publishes the Trust Center advisory for CVE-2026-28318, listing Serv-U 15.5.4 and earlier as affected and Serv-U 15.5.4 Hotfix 1 as fixed software.
2026-06-04 — Hotfix Release Notes Published
SolarWinds publishes the Serv-U 15.5.4 Hotfix 1 release notes. The release notes say the hotfix provides bug fixes related to CVE-2026-28318 and advise customers who installed Serv-U 15.5.4 to install the hotfix.
2026-06-04 — NVD Entry Published
NVD publishes CVE-2026-28318 with the SolarWinds-provided CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, a base score of 7.5, and CWE-400.
2026-06-05 — CISA KEV Addition
CISA adds CVE-2026-28318 to the Known Exploited Vulnerabilities catalog, listing a June 19, 2026 due date and ransomware campaign use as unknown.
Sources & References
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2026-06-05
- National Vulnerability Database: CVE-2026-28318 Detail — National Vulnerability Database, 2026-06-05
- SolarWinds: CVE-2026-28318 Security Advisory — SolarWinds, 2026-06-03
- SolarWinds: Serv-U 15.5.4 Hotfix 1 Release Notes — SolarWinds, 2026-06-04