How is CVE-2026-28318 exploited?

Network reachability (required): The attacker must reach the Serv-U HTTP service over the network; no local or physical access is required, making any internet- or intranet-exposed instance a target. Authentication (not-required): No credentials of any kind are needed; the malformed POST request can be sent by any unauthenticated client. Victim interaction (not-required): No user action or social engineering is required; the attacker sends the crafted request directly to the service. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites.

What is the impact of CVE-2026-28318?

Crashes the Serv-U service process, taking file-transfer operations (FTP, SFTP, FTPS, HTTP/S) fully offline until the service is manually restarted. Denies access to all users and automated jobs relying on Serv-U for managed file transfer during the outage window. Repeated requests allow an attacker to sustain the denial-of-service condition indefinitely with minimal effort or tooling.

Back to search

HIGHCVE-2026-28318Published 2026-06-04Modified 2026-06-04CNA SolarWinds

CVE-2026-28318: SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability

SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated denial-of-service vulnerability affects SolarWinds Serv-U versions 15.5.4 and earlier. A remote attacker with no credentials can send a specially crafted HTTP POST request using Content-Encoding: deflate to crash the Serv-U service entirely. Successful exploitation disrupts file-transfer availability for all users of the affected instance. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-28318 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Serv-U or its dependencies. Scans run against both registry snapshots and active pipeline builds so newly pushed images are covered without additional configuration.

Available

Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules, so the right engineers see the alert without manual triage.

Available

Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment SolarWinds ships a remediated release. In the interim, HarborGuard surfaces the SolarWinds Trust Center mitigation guidance alongside the finding so teams can apply compensating controls while awaiting a patch.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Serv-U HTTP service over the network; no local or physical access is required, making any internet- or intranet-exposed instance a target.
AuthenticationNot required
No credentials of any kind are needed; the malformed POST request can be sent by any unauthenticated client.
Victim interactionNot required
No user action or social engineering is required; the attacker sends the crafted request directly to the service.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites.

Blast Radius

Crashes the Serv-U service process, taking file-transfer operations (FTP, SFTP, FTPS, HTTP/S) fully offline until the service is manually restarted.
Denies access to all users and automated jobs relying on Serv-U for managed file transfer during the outage window.
Repeated requests allow an attacker to sustain the denial-of-service condition indefinitely with minimal effort or tooling.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged on any image found to contain SolarWinds Serv-U 15.5.4 or earlier, with a CVSS 7.5 HIGH severity label and routing to the team inbox configured for the affected workload. Because SolarWinds has not yet published a fix version, no automated patched-image rebuild is available at this time. HarborGuard re-checks the advisory on every ingest cycle and will trigger the rebuild-and-PR flow for customers with auto-remediation enabled the moment an upstream fix is released. While awaiting a patch, HarborGuard surfaces the SolarWinds Trust Center mitigation guidance directly on the finding card; recommended compensating controls include network-policy rules that restrict POST access to Serv-U endpoints to known IP ranges, egress filtering to limit lateral reachability of the service, and feature-flag or load-balancer gating to disable Content-Encoding: deflate processing at the perimeter if the upstream application layer supports it.

See how HarborGuard automates this

Affected packages

SolarWinds / Serv-U
15.5.4 and previous versions

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Metrics

Get notified