CVE-2026-28318
SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability
In short
SolarWinds Serv-U can be crashed by anyone sending specially crafted requests without logging in. This disrupts the file transfer service for all users until it restarts.
Technical detail
Unauthenticated attackers can exploit improper input handling in POST request processing with Content-Encoding: deflate to trigger a denial of service condition, crashing the Serv-U service without requiring credentials or prior access.
Summary generated and translated by AI from the official description.
SolarWinds Serv-U is susceptible to specially crafted POST requests using Content-Encoding: deflate that crash the Serv-U service without authentication. If you are unable to deploy the update, mitigation steps to secure customer environments are provided in the SolarWinds Trust Center.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
SolarWinds · Serv-U
Public PoCs found — 3
GitHub: github.com/EaEa0001/servu-cve-2026-28318-poc ★ 1
GitHub: github.com/BishopFox/CVE-2026-28318-check ★ 1
GitHub: github.com/jenniferreire26/CVE-2026-28318 ★ 0
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.