VULNERABILITY OVERVIEW
An uncontrolled resource consumption flaw (CWE-400) in SolarWinds Serv-U allows an unauthenticated remote attacker to crash the file-transfer service by sending a specially crafted HTTP POST request with a Content-Encoding: deflate header, exhausting system resources during decompression. The crash can be triggered repeatedly without credentials, causing persistent denial of service against FTP/SFTP/HTTP file-transfer operations. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on June 5, 2026, with a federal remediation deadline of June 19, 2026; it is fixed in Serv-U 15.5.4 Hotfix 1.
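The advisory describes the flaw only as resource exhaustion while inflating a deflate-encoded POST body, which is the classic CWE-400 pattern for decompression: the server trusts the compression ratio and lets output grow until memory or CPU runs out. The standard defence is to inflate in bounded steps and abort the moment decompressed output would exceed a configured cap. The Python below is an added illustration of that defence written for this page; it is not Serv-U code, not the fixed hotfix logic, and not a reconstruction of the exploited payload. The header handling, function names, the 1 MiB cap and both sample bodies are constructed assumptions for the example.

```python
import zlib


class DecompressionLimitExceeded(ValueError):
    """Raised when inflating a request body would exceed the configured output cap."""


def inflate_bounded(body: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib-wrapped deflate body (the form RFC 9110 defines for the
    'deflate' content coding), producing at most `chunk` bytes per step and
    aborting as soon as total output would exceed `max_out` bytes.

    zlib's max_length argument is what bounds memory here: the decompressor
    stops producing output at the limit and parks unprocessed input in
    unconsumed_tail, so a tiny body with an enormous expansion ratio is
    rejected after at most max_out + 1 bytes of output, never materialised.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = body
    while True:
        # Request at most one byte past the cap so an oversize body is
        # detected without allocating anything beyond max_out + chunk.
        room = max_out - len(out) + 1
        piece = d.decompress(pending, min(chunk, room))
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"decompressed body exceeds {max_out} bytes "
                f"(compressed size was {len(body)} bytes)"
            )
        new_pending = d.unconsumed_tail
        if not piece and not new_pending:
            break  # all input consumed and no buffered output remains
        if not piece and new_pending == pending:
            raise zlib.error("decompressor made no progress")
        pending = new_pending
    if not d.eof:
        raise zlib.error("truncated deflate stream")
    return bytes(out)


def decode_request_body(headers: dict, body: bytes, max_out: int = 1 << 20) -> bytes:
    """Apply the request's Content-Encoding under the output cap.

    Only 'identity' and 'deflate' are accepted; anything else is refused up
    front rather than handed to a decoder whose cost the server cannot bound.
    (Hypothetical header-handling helper, not an API of any real server.)
    """
    coding = headers.get("Content-Encoding", "identity").strip().lower()
    if coding == "identity":
        if len(body) > max_out:
            raise DecompressionLimitExceeded(f"body exceeds {max_out} bytes")
        return body
    if coding == "deflate":
        return inflate_bounded(body, max_out)
    raise ValueError(f"unsupported Content-Encoding: {coding}")


def try_decode(headers: dict, body: bytes, max_out: int) -> tuple:
    """Return ("ok", decompressed length) or ("rejected", compressed length)
    so the outcome of the cap can be inspected or logged."""
    try:
        return ("ok", len(decode_request_body(headers, body, max_out)))
    except DecompressionLimitExceeded:
        return ("rejected", len(body))


# Constructed sample inputs (not taken from the advisory): an ordinary small
# upload request body, and a body of a few kilobytes that inflates to 8 MiB.
ORIGINAL_BODY = b'{"path": "/uploads/report.txt", "size": 42}'
NORMAL_BODY = zlib.compress(ORIGINAL_BODY)
OVERSIZE_BODY = zlib.compress(b"\x00" * (8 * 1024 * 1024))

if __name__ == "__main__":
    hdrs = {"Content-Encoding": "deflate"}
    print("normal   :", try_decode(hdrs, NORMAL_BODY, 1 << 20))
    print("oversize :", try_decode(hdrs, OVERSIZE_BODY, 1 << 20))
```

The cap belongs at the point where the body is first inflated, before any per-request buffer is sized from the decompressed data; a ratio check on Content-Length alone is not sufficient, because the compressed size says nothing reliable about how much output it will produce.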
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Impact: C:N · I:N · A:H
AFFECTED VERSIONS
All Serv-U versions prior to 15.5.4; Serv-U 15.5.4 without Hotfix 1 applied
CITATIONS
- https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318
- https://www.helpnetsecurity.com/2026/06/08/cisa-patch-actively-exploited-solarwinds-serv-u-dos-vulnerability-cve-2026-28318/
- https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog