CVE-2026-28318 — SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability

CVE-2026-28318

SolarWinds Serv-U — Unauthenticated deflate Header DoS Crashes File Transfer Service; ~12,000 Servers Exposed

What is SolarWinds Serv-U?

SolarWinds Serv-U is a managed file transfer (MFT) server supporting FTP, FTPS, SFTP, SCP, HTTP, and HTTPS, widely deployed in government agencies, healthcare organizations, and regulated industries for secure file exchange. Serv-U servers are frequently internet-facing to allow external partner and customer file transfers, making them a high-value target. SolarWinds products have historically attracted significant attacker interest — Serv-U has been targeted by Chinese APT DEV-0322 and Clop ransomware in prior zero-day campaigns — and any Serv-U vulnerability with unauthenticated attack vectors receives elevated scrutiny from threat actors.

Overview

CVE-2026-28318 is an unauthenticated denial-of-service vulnerability in SolarWinds Serv-U. A specially crafted HTTP POST request with a Content-Encoding: deflate header triggers uncontrolled resource consumption in the Serv-U service process, causing it to crash without any authentication. The attack is trivially repeatable — an attacker can sustain a denial of service by continuously crashing the service. SolarWinds released a hotfix (Serv-U 15.5.4 Hotfix 1) and CISA added the vulnerability to the KEV catalog on June 5, 2026, confirming active exploitation.

Affected Versions

Product             Vulnerable                          Fixed
SolarWinds Serv-U   15.5.4 and all earlier versions     15.5.4 Hotfix 1

The hotfix replaces core executable and DLL files on both Windows and Linux platforms. SolarWinds recommends backing up existing executables before installation.

Technical Details

Serv-U's HTTP/HTTPS listener does not safely handle the Content-Encoding: deflate header on POST requests (CWE-400: uncontrolled resource consumption). When a POST arrives with this header, Serv-U attempts to inflate the request body with deflate decompression. A crafted body, whether malformed deflate data, a decompression bomb (a few kilobytes that inflate to a very large output), or an edge case in the decompression error handling, makes the Serv-U process consume unbounded resources or fail without graceful recovery, crashing the service. Which of these the observed payload relies on is not specified; all three fit the CWE-400 classification and the availability-only CVSS impact.

Content-Encoding: deflate has no legitimate role in any Serv-U operation, so this is an unexpected input path that never received robust error handling. Serv-U's HTTP file-transfer and management interface does not accept deflate-encoded request bodies, and FTP/SFTP sessions carry no HTTP headers at all, so a request bearing this header is trivially identifiable as anomalous.
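The failure mode above, as an added example in Python (not Serv-U's code, whose internals the advisory does not describe): the naive inflate that lets a small body expand without limit, beside a bounded version that caps the output, turns corrupt input into a rejection instead of an uncaught error, and flags a stream that ends early. The 1 MiB ceiling, the sample bodies and the helper names are constructed for the demonstration.

```python
"""Naive versus bounded handling of a deflate-encoded request body (added example)."""
import zlib

MAX_DECOMPRESSED = 1 << 20  # 1 MiB ceiling; an assumed figure, size it per deployment


class BodyRejected(Exception):
    """The body must not be processed; .reason is 'too_large', 'malformed' or 'truncated'."""

    def __init__(self, reason: str, detail: str = ""):
        super().__init__(f"{reason}: {detail}" if detail else reason)
        self.reason = reason


def decompress_unbounded(body: bytes) -> bytes:
    """The hazardous pattern: output grows to whatever the stream expands to, and a
    corrupt stream surfaces as an uncaught zlib.error in the request handler."""
    return zlib.decompress(body)


def decompress_bounded(body: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate at most `limit` bytes, rejecting oversize, corrupt and truncated input."""
    d = zlib.decompressobj()  # wbits=15: zlib-wrapped stream, which is what HTTP 'deflate' means
    out = bytearray()
    pending = body
    try:
        while pending:
            # Ask for at most one byte beyond the limit, so an overrun is detected
            # without ever materialising the full expansion in memory.
            out += d.decompress(pending, limit + 1 - len(out))
            if len(out) > limit:
                raise BodyRejected("too_large", f"exceeds {limit} bytes after inflation")
            pending = d.unconsumed_tail  # input zlib has not consumed yet because of max_length
        out += d.flush()  # output still buffered inside zlib after the last call
    except zlib.error as exc:
        raise BodyRejected("malformed", str(exc)) from None
    if len(out) > limit:
        raise BodyRejected("too_large", f"exceeds {limit} bytes after inflation")
    if not d.eof:
        # zlib reports a stream that simply stops as "need more input", not as an error
        raise BodyRejected("truncated", "stream ended before its final block")
    return bytes(out)


def inspect_body(body: bytes, limit: int = MAX_DECOMPRESSED) -> str:
    """Classify a body as 'ok', 'too_large', 'malformed' or 'truncated'."""
    try:
        decompress_bounded(body, limit)
        return "ok"
    except BodyRejected as exc:
        return exc.reason


def make_bomb(expanded_size: int) -> bytes:
    """Constructed sample: zeros compressed at level 9, roughly 1000:1 on the wire."""
    return zlib.compress(b"\x00" * expanded_size, 9)


# Constructed sample bodies, not captured traffic.
SAMPLE_OK = zlib.compress(b"hello world")
SAMPLE_GARBAGE = b"\x78\x9c" + b"\xff" * 16  # valid zlib header, then an invalid block type
SAMPLE_TRUNCATED = zlib.compress(b"hello world" * 200)[:-6]  # final block and checksum cut off

if __name__ == "__main__":
    bomb = make_bomb(64 << 20)
    print("bomb on the wire:", len(bomb), "bytes")
    print("unbounded:", len(decompress_unbounded(bomb)), "bytes allocated")  # 67108864
    print("bounded:", inspect_body(bomb))                 # too_large
    print("garbage:", inspect_body(SAMPLE_GARBAGE))       # malformed
    print("cut short:", inspect_body(SAMPLE_TRUNCATED))   # truncated
    print("small body:", inspect_body(SAMPLE_OK))         # ok
```

The bounded version never holds more than limit + 1 bytes of output regardless of what the body expands to, which is the property a request handler needs against a decompression bomb; the explicit eof check matters because a stream that stops early is not an error to zlib, and a handler that only catches zlib.error would treat the partial output as a complete body.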

Attack characteristics:

  • Attack vector: Network (no prior access or credentials required)
  • Authentication required: None
  • Complexity: Low — single crafted POST request crashes the service
  • Repeatability: Trivial — attacker can sustain denial of service by repeating the request
  • Impact: Full availability loss of the Serv-U service (file transfers, FTP/SFTP, HTTPS management all unavailable during downtime)

Discovery

No external researcher was publicly credited in SolarWinds' advisory at time of publication. The hotfix was released June 5, 2026, the same day CISA confirmed active exploitation.

Exploitation Context

CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026, confirming active exploitation in the wild. No specific threat actor has been attributed, though SolarWinds and Serv-U have historically been targeted by Clop ransomware (CVE-2021-35211, CVE-2024-28995) and Chinese APT DEV-0322 (CVE-2021-35211). Exploitation is likely used to disable Serv-U as a disruption tactic or as a precursor to further intrusion during a service restart window.

Exposure scale:

  • Shodan: approximately 12,000 internet-exposed Serv-U servers
  • Shadowserver: approximately 3,100 identified — patch status of these instances unknown

Remediation

  1. Apply Serv-U 15.5.4 Hotfix 1 immediately. Back up existing executable and DLL files before installation per SolarWinds' guidance, then apply the hotfix on both Windows and Linux deployments.
  2. CISA deadline: June 19, 2026 for federal agencies under BOD 22-01.
  3. Temporary workaround if immediate patching is not possible: configure a WAF, reverse proxy, or network appliance to drop any POST request carrying a Content-Encoding: deflate header destined for Serv-U. SolarWinds confirmed this is an effective interim mitigation since Serv-U has no legitimate use for this header. Write the rule against the parsed header rather than the literal string: header names are case-insensitive and the value may list several codings (gzip, deflate), both of which an exact-string match would miss.
  4. Restrict access to Serv-U HTTP/HTTPS ports to known partner IP ranges where operationally feasible, reducing the attack surface while the hotfix is deployed.
  5. Monitor for repeated Serv-U service crashes or restarts as an indicator of active exploitation attempts.
  6. Check historical logs for unexpected POST requests with Content-Encoding: deflate to determine whether exploitation occurred before the hotfix was applied. Default access-log formats (Common and Combined) do not record request headers, so this check needs a proxy or WAF log that captures Content-Encoding; where none exists, correlate Serv-U crash times with bursts of POSTs from a single client instead.
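Steps 3 and 6 in code, as an added example (Python; not SolarWinds tooling): the interim blocking rule written against the parsed header, and a retro-hunt over front-end access logs. The log format is an assumption, modelled on an nginx reverse proxy with a custom log_format that records $http_content_encoding; the log lines, client addresses and paths are constructed, not captured traffic.

```python
"""Interim blocking rule and access-log hunt for deflate-encoded requests (added example)."""
import re
from typing import Iterable, List, Mapping, Optional, Set, Tuple


def declared_codings(headers: Mapping[str, str]) -> Set[str]:
    """Lower-cased content codings from every Content-Encoding header present.
    Header names are case-insensitive and the value may be a list ("gzip, deflate"),
    so a rule matching only the literal 'Content-Encoding: deflate' is bypassed
    by trivial variations."""
    codings: Set[str] = set()
    for name, value in headers.items():
        if name.strip().lower() == "content-encoding":
            codings.update(c.strip().lower() for c in value.split(",") if c.strip())
    return codings


def should_block(method: str, headers: Mapping[str, str],
                 methods: Optional[Set[str]] = None) -> bool:
    """Step 3 as a predicate: drop a request whose body claims the deflate coding.
    The reported trigger is a POST; the default methods=None drops it on every
    method, which costs nothing because the header is never legitimate here."""
    if methods is not None and method.upper() not in methods:
        return False
    return "deflate" in declared_codings(headers)


# Assumed front-end log format (a custom nginx log_format would produce it):
#   <time> <client> "<method> <path> <proto>" <status> ce="<$http_content_encoding or ->"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ce="(?P<ce>[^"]*)"$'
)

# Constructed log lines, not captured traffic. A 502 is what a reverse proxy
# records when the upstream drops the connection mid-request.
SAMPLE_LOG = """\
2026-06-03T11:02:14Z 203.0.113.7 "GET / HTTP/1.1" 200 ce="-"
2026-06-03T11:02:19Z 203.0.113.7 "POST /login HTTP/1.1" 200 ce="-"
2026-06-03T11:04:51Z 198.51.100.23 "POST / HTTP/1.1" 502 ce="deflate"
2026-06-03T11:04:52Z 198.51.100.23 "POST / HTTP/1.1" 502 ce="Gzip, Deflate"
2026-06-03T11:05:30Z 192.0.2.9 "POST /upload HTTP/1.1" 200 ce="gzip"
"""

Hit = Tuple[str, str, str, int]  # (timestamp, client, method, status)


def hunt(lines: Iterable[str], methods: Optional[Set[str]] = None) -> List[Hit]:
    """Step 6: every logged request that declared the deflate coding. This only
    works on a log that records the header; Common/Combined formats do not."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        ce = m.group("ce")
        headers = {} if ce == "-" else {"Content-Encoding": ce}
        if should_block(m.group("method"), headers, methods):
            hits.append((m.group("ts"), m.group("client"), m.group("method"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ts, client, method, status in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} {method} -> {status}: deflate-encoded body")
```

On the sample the hunt returns the two requests from 198.51.100.23 and ignores the gzip upload, and the second hit shows why the rule parses the header value as a list: "Gzip, Deflate" would slip past a rule that matches only the exact string "deflate".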

Key Details

Property               Value
CVE ID                 CVE-2026-28318
Vendor / Product       SolarWinds — Serv-U
NVD Published          2026-06-04
NVD Last Modified      2026-06-05
CVSS 3.1 Score         7.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity               HIGH
CWE                    CWE-400
CISA KEV Added         2026-06-05
CISA KEV Deadline      2026-06-19
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        None
Integrity              None
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2026-06-19. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2026-06-04    CVE published
2026-06-05    SolarWinds releases Serv-U 15.5.4 Hotfix 1; added to CISA Known Exploited Vulnerabilities catalog
2026-06-19    CISA BOD 22-01 remediation deadline