Executive Summary
SolarWinds Serv-U is affected by an uncontrolled resource consumption vulnerability (CVE-2026-28318) that allows an unauthenticated remote attacker to crash the Serv-U service by sending a specially crafted HTTP POST request using the Content-Encoding: deflate header. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
Organizations running SolarWinds Serv-U for managed file transfer should apply vendor patches immediately and review network logs for exploitation indicators.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-28318 |
| Vendor | SolarWinds |
| Product | Serv-U |
| Type | Uncontrolled Resource Consumption (CWE-400) |
| Attack Vector | Network |
| Authentication Required | None |
| User Interaction | None |
| CISA KEV | Yes — actively exploited |
Technical Details
The flaw resides in Serv-U's handling of HTTP POST requests that use Content-Encoding: deflate. When a specially crafted request is received, the server attempts to decompress the body but fails to enforce resource limits, causing uncontrolled memory or CPU consumption that crashes the Serv-U process.
Attack characteristics:

```http
POST /ServU-endpoint HTTP/1.1
Host: target.example.com
Content-Encoding: deflate
Content-Type: application/octet-stream
Content-Length: <crafted_value>

[malformed deflate payload]
```

- No authentication is required to trigger the crash
- The crash takes down the Serv-U service, disrupting file transfer operations
- Service restart restores availability but does not protect against repeat attacks
Impact
| Impact Area | Description |
|---|---|
| Availability | Complete loss of Serv-U service until restarted |
| File Transfer Disruption | Managed file transfers fail during downtime |
| Operational Continuity | Business processes dependent on Serv-U are interrupted |
| DoS Loop | Attackers can repeatedly crash the service to maintain denial-of-service |
Affected Products
SolarWinds has confirmed the vulnerability in Serv-U. Consult the SolarWinds security advisory for the precise list of affected versions and the fixed build number.
Remediation
Step 1: Apply Vendor Patch
Visit the SolarWinds security advisory and upgrade Serv-U to the patched version. Federal agencies must comply with the CISA KEV remediation deadline.
Step 2: Network-Level Mitigation (Until Patch Applied)
```bash
# Block external access to Serv-U HTTP/HTTPS ports at the perimeter firewall
# Allow only known, trusted source IPs to reach Serv-U
# Example iptables rule to restrict access
# (these two rules cover 443 only; repeat them for each port the Serv-U web listener uses)
iptables -A INPUT -p tcp --dport 443 -s <trusted_range> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

Step 3: Enable Process Monitoring and Auto-Restart
Configure your monitoring stack to detect Serv-U crashes and alert immediately:
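```powershell
# PowerShell — monitor Serv-U service and restart on crash
$service = "Serv-U"
$source  = "MonitorScript"

# Write-EventLog fails unless the event source is registered (one-time, needs admin rights)
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

while ($true) {
    $status = (Get-Service -Name $service).Status
    if ($status -ne 'Running') {
        # Record the outage first so the alerting pipeline sees it even if the restart fails
        Write-EventLog -LogName Application -Source $source `
            -EventId 9001 -Message "Serv-U crashed — restarting" -EntryType Warning
        Start-Service -Name $service
    }
    Start-Sleep -Seconds 30
}
```

Step 4: Review Access Logs for Exploitation Attempts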
```bash
# Search Serv-U HTTP logs for suspicious deflate-encoded POST requests
# (the first search only matches if the log records the Content-Encoding request header)
grep -i "content-encoding: deflate" /var/log/servu/access.log
grep -i "POST" /var/log/servu/access.log | grep -v "authenticated"
```

Detection Indicators
| Indicator | Meaning |
|---|---|
| Repeated Serv-U service crashes | Active exploitation attempts |
| HTTP POST with Content-Encoding: deflate from unknown IPs | Candidate exploit traffic |
| High CPU/memory spike before crash | Resource exhaustion in progress |
| CISA KEV alert matching CVE-2026-28318 | Confirmed exploited vulnerability |
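
The first two indicators in the table can be correlated automatically. The following is an added example, not SolarWinds code or tooling: it assumes a reverse-proxy log that records the Content-Encoding request header in a constructed one-line format, a hypothetical trusted range, and restart timestamps taken from the event 9001 entries written by the Step 3 monitor.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample data (not real Serv-U output). Assumed proxy log format:
# "<ISO time> <client ip> <method> <path> ce=<Content-Encoding value or ->"
PROXY_LOG = """\
2026-01-10T09:58:40 10.20.0.15 POST /upload ce=deflate
2026-01-10T10:01:02 203.0.113.7 GET / ce=-
2026-01-10T10:01:05 203.0.113.7 POST / ce=deflate
2026-01-10T10:01:06 203.0.113.7 POST / ce=Deflate
2026-01-10T10:30:00 198.51.100.9 POST /login ce=gzip
2026-01-10T11:15:30 203.0.113.7 POST / ce=deflate
"""
# Times at which the monitor logged event 9001 (service found stopped); constructed.
RESTARTS = ["2026-01-10T10:01:30", "2026-01-10T11:16:00", "2026-01-10T14:00:00"]
TRUSTED = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical trusted range


def parse_line(line):
    """Split one log line into (timestamp, client address, method, encoding)."""
    ts, ip, method, _path, ce = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(ip), method, ce[3:].lower()


def suspicious_posts(log_text, trusted):
    """POSTs with Content-Encoding: deflate from sources outside the trusted ranges."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, ce = parse_line(line)
        if method == "POST" and ce == "deflate" and not any(ip in n for n in trusted):
            hits.append((ts, ip))
    return hits


def correlate(log_text, restarts, trusted, window=timedelta(seconds=60)):
    """Map each restart to the untrusted deflate POST sources seen shortly before it.

    The 60-second window allows for the monitor's 30-second polling interval.
    """
    hits = suspicious_posts(log_text, trusted)
    report = {}
    for r in restarts:
        t = datetime.fromisoformat(r)
        report[r] = sorted({str(ip) for ts, ip in hits if t - window <= ts <= t})
    return report


if __name__ == "__main__":
    for restart, sources in correlate(PROXY_LOG, RESTARTS, TRUSTED).items():
        print(restart, sources or "no matching requests")
```

A restart with no preceding match (the third one in the sample) points to an unrelated stop and keeps the alert volume down; a source that recurs across restarts is a candidate for the Step 2 block list.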
CISA KEV Listing
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog. Federal civilian executive branch (FCEB) agencies are required to remediate this vulnerability by the published deadline. All organizations should treat KEV-listed vulnerabilities as high-priority patching obligations.
References
- NIST NVD — CVE-2026-28318
- CISA KEV Catalog
- SolarWinds Security Advisory (consult vendor portal for latest)