Full Report
CISA warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. [...]
Analysis Summary
# Vulnerability: SolarWinds Serv-U Uncontrolled Resource Consumption (DoS)
## CVE Details
- **CVE ID:** CVE-2026-28318
- **CVSS Score:** High (no numerical score is given in the source text; the flaw is categorized as high-severity)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** SolarWinds Serv-U (Managed File Transfer and FTP Server)
- **Versions:** Versions prior to 15.5.4 Hotfix 1
- **Configurations:** Systems exposed to the internet (Approx. 3,100 to 12,000 instances depending on scanning source)
## Vulnerability Description
The vulnerability stems from the improper handling of specially crafted `POST` requests. Specifically, when a request uses `Content-Encoding: deflate`, the Serv-U service fails to manage resource consumption correctly. This allows an attacker to crash the service, resulting in a persistent Denial-of-Service (DoS) state.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Authentication:** Not required (Unauthenticated)
- **User Interaction:** None
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The exploit results in a complete crash of the Serv-U service)
## Remediation
### Patches
- **SolarWinds Serv-U 15.5.4 Hotfix 1:** Users are urged to upgrade to this version immediately to resolve the flaw.
### Workarounds
- **Inbound Filtering:** Limit access to the Serv-U interface to known, trusted IP addresses only.
- **Request Blocking:** Block any incoming `POST` requests that contain the `content-encoding` header, as this functionality is not required for the standard operation of the vulnerable service.
## Detection
- **Indicators of Compromise:**
  - Frequent, unexplained crashes of the Serv-U service.
  - Presence of `POST` requests in web server/application logs containing `Content-Encoding: deflate`.
- **Detection methods and tools:**
  - Monitor service availability via uptime tracking.
  - Use SIEM/WAF rules to alert on the specific header string mentioned in the workaround.
- Federal agencies must check compliance against CISA's KEV Catalog requirements by June 19, 2026.
## References
- **Vendor Advisory:** hxxps[://]www[.]solarwinds[.]com/trust-center/security-advisories/cve-2026-28318
- **Release Notes:** hxxps[://]documentation[.]solarwinds[.]com/en/success_center/servu/content/release_notes/servu_15-5-4-hotfix-1_release_notes[.]htm
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **BleepingComputer Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/cisa-hackers-now-exploit-solarwinds-serv-u-flaw-to-crash-servers/