CVE-2026-28318 — SolarWinds Serv-U DoS added to CISA KEV
CVE: CVE-2026-28318
CVSS Score: 7.5 (High)
CWE: CWE-400 — Uncontrolled Resource Consumption
KEV Added: June 5, 2026
FCEB Remediation Deadline: June 19, 2026

Vulnerability Overview

The vulnerability is classified as an uncontrolled resource consumption (CWE-400) issue in SolarWinds Serv-U, a widely used file transfer software for Windows and Linux. It allows unauthenticated attackers to remotely crash Serv-U servers by sending a maliciously crafted HTTP POST request with a Content-Encoding: deflate header.

SolarWinds described it in their advisory as: “SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate.”

Why It Matters

The vulnerability description sounds deceptively modest, but that is precisely why it matters. Availability bugs in internet-facing transfer services are useful to attackers because service disruption, defender distraction, and the hunt for a foothold elsewhere in the environment often arrive together.

Unlike many DoS bugs, uncontrolled resource consumption often requires only minimal bandwidth from the attacker, making it ideal for botnet-powered or distributed attacks. If Serv-U is exposed to the internet — common for FTP/S data transfer — a single malicious machine can render the service unavailable to all legitimate users, blocking file transfers, automated integrations, and backups.

Affected Products & Fix

The flaw affects SolarWinds Serv-U 15.5.4 and earlier. Serv-U 15.5.4 HF1 addresses the issue.

Interim mitigations recommended by SolarWinds:

  • Limit access to the Serv-U service
  • Block requests containing the Content-Encoding header at the network/WAF layer

CISA KEV Context & Federal Mandate

CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026, setting a remediation deadline of June 19, 2026 for all Federal Civilian Executive Branch (FCEB) agencies. Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to remediate KEV-listed vulnerabilities within the specified timeframe.

Experts also recommend that private organizations review the KEV catalog and address the vulnerability in their infrastructure.

Detection & Response Pointers

  • Monitor for anomalous HTTP POST requests with Content-Encoding: deflate headers targeting Serv-U listener ports
  • Check for unexpected Serv-U service crashes or restart events in Windows Event Logs / syslog
  • Prioritize internet-exposed Serv-U instances — MFT, FTP, FTPS, SFTP, and HTTP/HTTPS endpoints all fall under scope
  • Apply 15.5.4 HF1 immediately; do not wait for scheduled maintenance windows given active exploitation
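As an added example, not from the advisory or from SolarWinds, the first pointer above turned into detection logic run over constructed reverse-proxy log lines in front of a Serv-U HTTP listener; the JSON field names, the sample paths and the listener port set are assumptions, not Serv-U's own log format:

```python
import json
from collections import Counter

# Constructed sample of reverse-proxy / WAF request logs (JSON lines).
# Field names are an assumption for this example, not Serv-U's log format.
SAMPLE_LOG = """
{"ts":"2026-06-06T10:00:01Z","src":"203.0.113.7","dst_port":443,"method":"POST","path":"/","headers":{"Content-Encoding":"deflate","Content-Length":"512"}}
{"ts":"2026-06-06T10:00:02Z","src":"198.51.100.9","dst_port":443,"method":"GET","path":"/index.html","headers":{}}
{"ts":"2026-06-06T10:00:03Z","src":"203.0.113.7","dst_port":443,"method":"POST","path":"/","headers":{"content-encoding":"DEFLATE"}}
{"ts":"2026-06-06T10:00:04Z","src":"198.51.100.9","dst_port":443,"method":"POST","path":"/login","headers":{"Content-Type":"application/x-www-form-urlencoded"}}
{"ts":"2026-06-06T10:00:05Z","src":"203.0.113.7","dst_port":8080,"method":"POST","path":"/","headers":{"Content-Encoding":"gzip, deflate"}}
"""

# Ports on which the Serv-U HTTP/HTTPS listeners are exposed (assumption).
SERVU_HTTP_PORTS = {80, 443, 8080}

def is_suspect(event):
    """True for a POST to a Serv-U HTTP listener whose Content-Encoding
    header lists deflate (case-insensitive, possibly among other codings)."""
    if event.get("method", "").upper() != "POST":
        return False
    if event.get("dst_port") not in SERVU_HTTP_PORTS:
        return False
    # Header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    codings = [c.strip().lower() for c in headers.get("content-encoding", "").split(",")]
    return "deflate" in codings

def scan(log_text, threshold=2):
    """Return (matching events, sources seen at least `threshold` times)."""
    hits = []
    for line in log_text.strip().splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if is_suspect(event):
            hits.append(event)
    per_src = Counter(e["src"] for e in hits)
    repeat_offenders = sorted(s for s, n in per_src.items() if n >= threshold)
    return hits, repeat_offenders

if __name__ == "__main__":
    hits, offenders = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> :{h['dst_port']} POST {h['path']} (Content-Encoding: deflate)")
    print("repeat sources:", offenders)
```

Correlate the flagged timestamps with Serv-U crash or restart events from the second pointer to separate a probe from an actual outage.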
