SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File Transfer

Suspected
Discovered Jun 5, 2026

CISA added SolarWinds Serv-U CVE-2026-28318 to KEV on 2026-06-05, indicating active exploitation. The high-severity vulnerability allows remote, unauthenticated attackers to cause a Denial of Service (DoS) by sending specially crafted HTTP POST requests with a Content-Encoding: deflate header. SolarWinds has released version 15.5.4 Hotfix 1 to address the flaw.

0
Affected Packages
6
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
solarwinds[.]com
hXXps://www[.]bleepingcomputer[.]com/news/security/cisa-warns-of-actively-exploited-solarwinds-serv-u-dos-flaw/
hXXps://www[.]solarwinds[.]com/trust-center/security-advisories/CVE-2026-28318
bleepingcomputer[.]com
hXXps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog

Analysis

Executive Summary

CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on 2026-06-05, warning of active exploitation in the wild [cisa.gov opens in a new tab]. The vulnerability affects SolarWinds Serv-U managed file transfer software. It is an uncontrolled resource consumption flaw (CWE-400) that allows a remote, unauthenticated attacker to cause a Denial of Service (DoS) condition by crashing the Serv-U service [cisa.gov opens in a new tab] [solarwinds.com opens in a new tab].

The crash is triggered by sending a specially crafted HTTP POST request that includes the header Content-Encoding: deflate [solarwinds.com opens in a new tab] [bleepingcomputer.com opens in a new tab]. SolarWinds released Serv-U version 15.5.4 Hotfix 1 to remediate the vulnerability [solarwinds.com opens in a new tab]. Administrators are strongly advised to patch their servers immediately or apply temporary mitigations such as blocking POST requests containing the Content-Encoding header or restricting access to trusted IP addresses [solarwinds.com opens in a new tab].

Key Facts

Event Id: solarwinds-serv-u-cve-2026-28318-kev

Cve: CVE-2026-28318

Vendor: SolarWinds

Product: Serv-U

Kev Added: 2026-06-05

Kev Due: 2026-06-19

Cvss V3: 7.5

Cwe: CWE-400

Vulnerability: uncontrolled resource consumption / remote denial of service

Patched Version: 15.5.4 Hotfix 1

High Value Evidence:

  • Serv-U-StartupLog.txt (version check)
  • WAF/HTTP access logs (POST requests with Content-Encoding: deflate)
  • /var/log/syslog or Windows Event Log (Serv-U process crash/exit)

Evidence Assessment

  • confirmed: CISA added CVE-2026-28318 to KEV on June 5, 2026, confirming evidence of active exploitation [cisa.gov opens in a new tab].
  • confirmed: SolarWinds published a trust center security advisory for CVE-2026-28318 detailing the Content-Encoding: deflate vector and releasing version 15.5.4 Hotfix 1 as the minimum patched build [solarwinds.com opens in a new tab].
  • confirmed: Industry advisories and analysis reports (e.g. BleepingComputer) verified the DoS behavior and provided recommended mitigations [bleepingcomputer.com opens in a new tab].
  • unknown: Public sources do not identify specific threat actor groups, campaign names, victim counts, or complete packet-level exploit payloads beyond the header manipulation.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseSystem logs show frequent Serv-U crashes correlated with incoming POST requests containing Content-Encoding: deflate, or post-crash forensic review indicates active system tampering.HTTP access/WAF logs, Serv-U process crash event IDs (e.g. Event ID 1000 on Windows or syslog segfaults on Linux), and file access logs.Isolate the system, preserve log and registry evidence, perform memory forensics, and rotate all administrative and MFT user credentials.
Presumed exposedServ-U server is exposed to the internet and is running a version prior to 15.5.4 Hotfix 1.Serv-U version extracted from Serv-U-StartupLog.txt, binary properties, or Windows Registry.Apply Serv-U 15.5.4 Hotfix 1 immediately or implement temporary blocking mitigations at the WAF level.
Potentially exposedServ-U is present in the network asset inventory, but its version, patch level, and external exposure status are not yet verified.CMDB assets, internal scanner logs, port scans.Verify version and external exposure paths.
Not exposedServ-U is not deployed, or it is verified to be running version 15.5.4 Hotfix 1 or later with negative findings in crash and access logs.Version status report, system uptime checks, and log audits.Document version status, archive evidence, and continue routine monitoring.

Timeline

Technical Analysis

The vulnerability is rooted in how Serv-U processes compression headers in incoming HTTP requests. When an unauthenticated remote client sends an HTTP POST request containing Content-Encoding: deflate, the application attempts to decompress the payload. Due to improper resource limitation, this decompression process triggers uncontrolled CPU and memory consumption. As a result, the server runs out of memory or hangs, crashing the Serv-U service and causing a Denial of Service (DoS) for all connected file transfer users. [1]

While DoS vulnerabilities are often deprioritized, file transfer systems like Serv-U represent a high-value entry point. Threat actors often leverage DoS attacks to disrupt operations, mask other malicious activities, or force services to reboot in vulnerable states to hijack configurations or access files. [1]

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Remediation and Closure

To secure your environment, apply the following steps:

  1. Upgrade Immediately: Apply the security update to Serv-U version 15.5.4 Hotfix 1 or newer.
  2. WAF Mitigations: If patching is delayed, configure WAF rules or reverse proxies to inspect HTTP POST requests. Drop any incoming POST requests containing the Content-Encoding: deflate header.
  3. Access Control: Limit exposure by restricting access to the Serv-U HTTP/S portal to known, trusted source IP addresses.
  4. Credential Integrity: After patching, check system logs for prior crash patterns. If exploitation is suspected, rotate all Serv-U administrator passwords, user passwords, and audit the integrity of the configuration files (Serv-U.Archive).

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 5, 2026DisclosureDisclosure recorded for SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File Transfer.solarwinds.com
Jun 5, 2026DiscoveryDiscovery recorded for SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File Transfer.solarwinds.com
Jun 5, 2026First seenFirst seen recorded for SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File Transfer.solarwinds.com
Jun 5, 2026SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File TransferUnknownsolarwinds.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

6 IOCs
domainsolarwinds.com
urlhttps://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-solarwinds-serv-u-dos-flaw/
urlhttps://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28318
domainbleepingcomputer.com
urlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog
domaincisa.gov

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File Transfer?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabsolarwinds.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File Transfer?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-solarwinds-serv-u-cve-2026-28318-kev-scope"))

DOMAINS = ["cisa.gov","solarwinds.com","bleepingcomputer.com"]
URLS = ["https://www.cisa.gov/known-exploited-vulnerabilities-catalog","https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28318","https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-solarwinds-serv-u-dos-flaw/"]

# Collect unique indicators
indicators = set()
for group in [DOMAINS, URLS]:
    for val in group:
        if val:
            indicators.add(val)

            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if "PACKAGES" in globals() and PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
solarwinds.comSecurity Researcher95%1CISA added SolarWinds Serv-U CVE-2026-28318 to KEV on 2026-06-05, indicating active exploitation. The high-severity vulnerability allows remote, unauthenticated attackers to cause a Denial of Service (DoS) by sending specially crafted HTTP POST requests with a Content-Encoding: deflate header. SolarWinds has released version 15.5.4 Hotfix 1 to address the flaw.
cisa.govSecurity Researcher95%1CISA added SolarWinds Serv-U CVE-2026-28318 to KEV on 2026-06-05, indicating active exploitation. The high-severity vulnerability allows remote, unauthenticated attackers to cause a Denial of Service (DoS) by sending specially crafted HTTP POST requests with a Content-Encoding: deflate header. SolarWinds has released version 15.5.4 Hotfix 1 to address the flaw.
bleepingcomputer.comSecurity Researcher95%1CISA added SolarWinds Serv-U CVE-2026-28318 to KEV on 2026-06-05, indicating active exploitation. The high-severity vulnerability allows remote, unauthenticated attackers to cause a Denial of Service (DoS) by sending specially crafted HTTP POST requests with a Content-Encoding: deflate header. SolarWinds has released version 15.5.4 Hotfix 1 to address the flaw.