
CVE: CVE-2026-28318
CVSS Score: 7.5 (High)
CWE: CWE-400 — Uncontrolled Resource Consumption
KEV Added: June 5, 2026
FCEB Remediation Deadline: June 19, 2026
Vulnerability Overview
The vulnerability is classified as an uncontrolled resource consumption (CWE-400) issue in SolarWinds Serv-U, a widely used file transfer server for Windows and Linux. It allows unauthenticated attackers to remotely crash the Serv-U service by sending a maliciously crafted HTTP POST request with a Content-Encoding: deflate header. Because the request needs no credentials, the only precondition is network reach to a Serv-U HTTP or HTTPS listener.
SolarWinds described it in their advisory as: “SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate.”
Why It Matters
The vulnerability description sounds deceptively modest — but that is precisely why it matters. Availability bugs in internet-facing transfer services are useful to attackers because disruption, distraction, and foothold-hunting often arrive together.
Unlike volumetric DoS, which needs more bandwidth than the target can absorb, a resource-consumption crash needs only one well-formed request, so a single machine with trivial bandwidth is enough and no botnet is required; the attacker simply re-sends the request each time the service restarts. If Serv-U is exposed to the internet, which is common for FTP/S and managed file transfer, a single malicious host can render the service unavailable to all legitimate users, blocking file transfers, automated integrations, and backups.
Affected Products & Fix
The flaw affects SolarWinds Serv-U 15.5.4 and earlier. Serv-U 15.5.4 HF1 addresses the issue.
Interim mitigations recommended by SolarWinds:
Limit access to the Serv-U service and block requests containing the Content-Encoding header at the network/WAF layer. Two practical caveats: the WAF or reverse proxy must terminate TLS in front of the Serv-U HTTPS listener, or it never sees the header; and the rule must match the field name case-insensitively and parse the value as a comma-separated list, because "content-encoding: gzip, deflate" is the same header as "Content-Encoding: deflate" and a literal string match misses it. Do not key the rule on the bare word "deflate", or it will also block the Accept-Encoding header that every browser sends. These are interim measures only; the hotfix is the fix.
CISA KEV Context & Federal Mandate
CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026, setting a remediation deadline of June 19, 2026 for all Federal Civilian Executive Branch (FCEB) agencies. Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to remediate KEV-listed vulnerabilities within the specified timeframe.
CISA also urges private organizations to review the KEV catalog and address the vulnerability in their own infrastructure, since the exploitation evidence behind a KEV listing applies to every exposed instance, not just federal ones.
Detection & Response Pointers
- Monitor for HTTP POST requests carrying a Content-Encoding: deflate header toward Serv-U HTTP/HTTPS listeners. Match the field name case-insensitively and treat the value as a comma-separated list so that "content-encoding: gzip, deflate" is caught as well, and collect the evidence at a reverse proxy or WAF that terminates TLS, since sensors on the wire cannot read headers inside HTTPS.
- Check for unexpected Serv-U service crashes or restarts: on Windows, Service Control Manager events 7031 and 7034 in the System log and Application Error event 1000 in the Application log; on Linux, the service's exit and restart messages in syslog or the systemd journal. A crash that recurs within minutes of each restart is the pattern to expect from an attacker re-sending the request.
- Prioritize internet-exposed Serv-U instances. The crafted request reaches the service only through its HTTP/HTTPS listeners (the web client and the web-based management console), but Serv-U runs every protocol in one service, so a crash also takes down FTP, FTPS, and SFTP on that host.
- Apply 15.5.4 HF1 immediately; do not wait for scheduled maintenance windows given active exploitation
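The following Python script is an added example for this write-up; it is not SolarWinds code, nor a SolarWinds-supplied rule or detection. It shows the header check that both the interim WAF mitigation and the first monitoring pointer above depend on: parse the request head, normalise the Content-Encoding field the way HTTP defines it (case-insensitive name, comma-separated codings), and decide per request. It also shows why a literal string match is not good enough. The request paths, hostname and every sample request are constructed placeholders; the advisory does not name the affected endpoint.

```python
"""Flag HTTP requests that declare a deflate-compressed body, as a WAF/proxy
rule or a log-review script would for the Serv-U issue described above.

Example added for this write-up, not SolarWinds code or a SolarWinds-supplied
rule. Request paths and hostnames are placeholders; the advisory does not name
the endpoint, and every request below is constructed for illustration.
"""
from __future__ import annotations

# Constructed HTTP/1.1 request heads (request line + headers, body omitted).
SAMPLE_REQUESTS: list[str] = [
    # 0: ordinary form POST, no Content-Encoding at all.
    "POST /login HTTP/1.1\r\nHost: files.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 41\r\n\r\n",
    # 1: the advisory's trigger in its textbook spelling.
    "POST /login HTTP/1.1\r\nHost: files.example.test\r\n"
    "Content-Encoding: deflate\r\nContent-Length: 2048\r\n\r\n",
    # 2: same header, lowercase name, odd casing and padding in the value.
    "POST /login HTTP/1.1\r\nHost: files.example.test\r\n"
    "content-encoding:   DeFlAtE \r\nContent-Length: 2048\r\n\r\n",
    # 3: deflate as one coding among several (RFC 9110 allows a list).
    "POST /login HTTP/1.1\r\nHost: files.example.test\r\n"
    "Content-Encoding: gzip, deflate\r\nContent-Length: 2048\r\n\r\n",
    # 4: GET carrying the header; not the advisory's POST, but still abnormal.
    "GET /login HTTP/1.1\r\nHost: files.example.test\r\n"
    "Content-Encoding: deflate\r\n\r\n",
    # 5: Accept-Encoding is response negotiation, sent by every browser;
    #    a rule that greps for the bare word "deflate" would block it.
    "POST /login HTTP/1.1\r\nHost: files.example.test\r\n"
    "Accept-Encoding: gzip, deflate, br\r\nContent-Length: 41\r\n\r\n",
]


def parse_request_head(raw: str) -> tuple[str, str, dict[str, list[str]]]:
    """Split a request head into (method, target, headers).

    Header names are lowercased because HTTP field names are case-insensitive;
    repeated fields are kept as a list so none is silently dropped.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *field_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, list[str]] = {}
    for line in field_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method.upper(), target, headers


def content_codings(headers: dict[str, list[str]]) -> list[str]:
    """Return the Content-Encoding tokens as RFC 9110 reads them:
    comma-separated, case-insensitive, surrounding whitespace ignored."""
    codings: list[str] = []
    for value in headers.get("content-encoding", []):
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                codings.append(token)
    return codings


def naive_literal_match(raw: str) -> bool:
    """What a hastily written string rule does: exact, case-sensitive substring."""
    return "Content-Encoding: deflate" in raw


def classify(raw: str) -> str:
    """Decision for one request.

    'block'  - POST with a deflate-coded body: the shape the advisory describes.
    'review' - any other method declaring a deflate body; not the advisory's
               trigger, but not something a normal file-transfer client sends.
    'allow'  - everything else, including Accept-Encoding: deflate.
    """
    method, _target, headers = parse_request_head(raw)
    if "deflate" not in content_codings(headers):
        return "allow"
    return "block" if method == "POST" else "review"


def scan(requests: list[str]) -> list[tuple[int, str, str]]:
    """Run classify() over a batch; returns (index, verdict, request line)
    for everything that is not plainly allowed."""
    hits = []
    for i, raw in enumerate(requests):
        verdict = classify(raw)
        if verdict != "allow":
            hits.append((i, verdict, raw.split("\r\n", 1)[0]))
    return hits


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS):
        print(f"{i}: naive={naive_literal_match(raw)!s:5} parsed={classify(raw)}")
```

Run as-is it prints both verdicts side by side: the literal match catches only samples 1 and 4 and misses the lowercase and list-valued variants, while the parsed check blocks samples 1 to 3, flags the GET for review, and leaves the plain POST and the Accept-Encoding request alone. The same normalisation belongs in whatever WAF rule or log query you deploy; feed it the request headers from a TLS-terminating proxy, since the Serv-U HTTPS listener itself hides them from the network.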