Executive Summary
CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog on June 5, 2026, confirming active in-the-wild exploitation of a high-severity denial-of-service flaw in SolarWinds Serv-U managed file transfer software. An unauthenticated remote attacker can crash the Serv-U service with a single specially crafted HTTP POST request containing a Content-Encoding: deflate header, requiring zero privileges and zero user interaction. With over 12,000 Serv-U servers currently exposed on the internet and SolarWinds' history as a prime ransomware target, organizations running Serv-U must patch to version 15.5.4 Hotfix 1 immediately — federal agencies face a hard CISA deadline of June 19, 2026.
1. What Is This Vulnerability?
CVE-2026-28318 is an uncontrolled resource consumption vulnerability (CWE-400) in SolarWinds Serv-U's HTTP request handling layer. When Serv-U receives a POST request with the Content-Encoding: deflate header, it attempts to decompress the body without enforcing adequate resource limits. This causes the server process to exhaust memory or CPU until it crashes — a classic "decompression bomb" pattern applied to the HTTP content-encoding pipeline.
The vulnerability is notable for what it lacks: it requires no authentication, no existing session, no valid credentials, and no cooperation from a logged-in user. Any network-reachable Serv-U instance is exposed by default.
Attack Vector
The attack is trivially simple. A single crafted request is sufficient:
POST /Web%20Client/Login.htm HTTP/1.1
Host: <target-servu-server>
Content-Encoding: deflate
Content-Length: <large_value>
<malformed or oversized deflate-encoded payload>
The Serv-U service attempts to inflate the body, consuming unbounded memory in the process. Depending on system resources and payload size, the crash occurs within seconds to minutes. Because the service runs as a Windows service or Linux daemon, crashing it halts all file transfer operations — FTP, FTPS, SFTP, HTTP/HTTPS — until the service is manually or automatically restarted.
An attacker can sustain the DoS by repeatedly sending the crafted request, preventing recovery between restarts.
Real-World Impact
CISA's KEV addition confirms threat actors are actively exploiting this flaw in the wild as of June 5, 2026. While specific attribution has not been publicly disclosed, Serv-U has been a repeated target of high-profile threat actors:
- 2021 (CVE-2021-35211): The Clop ransomware gang exploited a Serv-U RCE vulnerability to breach corporate networks. DEV-0322, a Chinese APT group, simultaneously exploited the same zero-day in targeted espionage campaigns.
- 2024 (CVE-2024-28995): A path-traversal flaw was weaponized within days of disclosure, with GreyNoise and Rapid7 documenting mass exploitation.
CVE-2026-28318 follows this pattern — weaponized rapidly after patch release, likely as an availability attack or as a precursor to follow-on exploitation once defenders' attention is divided.
2. Who Is Affected?
All SolarWinds Serv-U installations prior to version 15.5.4 Hotfix 1 are vulnerable on both Windows and Linux. This includes:
- SolarWinds Serv-U Managed File Transfer (MFT) Server
- SolarWinds Serv-U FTP Server
- Any deployment exposing Serv-U's HTTP/HTTPS interface (port 80/443 by default) to untrusted networks
Exposure scale: Shodan currently tracks over 12,000 Serv-U servers with internet-facing interfaces. Shadowserver independently identifies approximately 3,100 exposed instances, though the discrepancy likely reflects differing detection methodologies rather than the true exposure count.
Not affected: Serv-U 15.5.4 HF1 and later. Organizations that have already applied this hotfix are not vulnerable.
3. How to Detect It (Testing)
Manual Testing Steps
Warning: Only perform these tests against systems you own or have explicit written authorization to test. Sending this request to a production server will crash it.
Step 1: Identify exposed Serv-U instances
Use Shodan or your asset inventory to locate Serv-U servers. The Shodan query "Serv-U FTP Server" returns internet-facing instances. Internally, check for hosts running the Serv-U Windows service (SolarWinds Serv-U) or Linux daemon.
Step 2: Check version before testing
Connect to the Serv-U web interface (typically https://<host>/Web%20Client/) and inspect the server response headers or login page footer for the version string. If it shows 15.5.4 HF1 or later, the system is patched.
Step 3: Confirm vulnerability (non-destructive check)
Review Serv-U logs for prior crash events tied to unusual Content-Encoding headers:
# Windows — Serv-U log path (default):
C:\ProgramData\RhinoSoft\Serv-U\Serv-U.log
# Linux:
/var/log/Serv-U/Serv-U.log
Search for log entries with HTTP 500 errors or abrupt service termination timestamps that correlate with incoming POST requests.
Automated Scanning
Nuclei template check (version-based):
# Install Nuclei if not present:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Run against target (version fingerprint only — non-destructive):
nuclei -u https://<target> -t technologies/serv-u-detect.yaml -silent
Check the detected version against the patched threshold (15.5.4 HF1+).
Nmap version detection:
nmap -sV -p 21,22,80,443,9999 <target-ip>
# Look for "Serv-U" in service banner output
Internal asset audit (PowerShell — Windows):
# Find all Serv-U installations and their versions across your network
Get-WmiObject -Class Win32_Product -Filter "Name LIKE 'Serv-U%'" |
Select-Object Name, Version, InstallDate |
Export-Csv servu-inventory.csv -NoTypeInformation
Code Review Checklist
For organizations running Serv-U behind a reverse proxy or WAF:
- Confirm WAF rules exist to block or inspect POST requests with
Content-Encoding: deflateto Serv-U endpoints - Verify IP allowlists are enforced at the firewall level for Serv-U HTTP/HTTPS ports
- Confirm Serv-U is not directly internet-exposed without an intermediate proxy layer
- Verify service restart monitoring and alerting is configured (unexpected Serv-U process termination should page on-call)
4. How to Fix It (Mitigation)
Step-by-Step Remediation
Primary fix: Apply the patch
- Download Serv-U 15.5.4 Hotfix 1 from the SolarWinds Customer Portal:
https://customerportal.solarwinds.com/ - Back up the current Serv-U configuration directory before applying:
# Windows default: C:\ProgramData\RhinoSoft\Serv-U\ # Back up to safe location: xcopy /E /I "C:\ProgramData\RhinoSoft\Serv-U" "D:\Backup\Serv-U-backup-%date%" - Stop the Serv-U service:
net stop "Serv-U" - Run the Hotfix 1 installer and follow the prompts.
- Start the service:
net start "Serv-U" - Verify the updated version in the Serv-U management console under Help > About.
Interim Mitigations (If Immediate Patching Is Not Possible)
SolarWinds has published two interim controls that significantly reduce exposure without requiring the hotfix:
Mitigation 1: Restrict access to known IP addresses
In the Serv-U management console, navigate to Domains > Listeners and configure IP access rules to allow connections only from known, trusted IP ranges. Deny all others by default.
Mitigation 2: Block POST requests containing content-encoding at the network perimeter
Since the vulnerable Serv-U service does not use Content-Encoding for any legitimate functionality, this header can be safely blocked without impacting normal operations.
Example WAF/firewall rule (NGINX upstream proxy):
# Block requests with Content-Encoding header destined for Serv-U
location / {
if ($http_content_encoding) {
return 403 "Content-Encoding not permitted";
}
proxy_pass http://servu-backend;
}
Example iptables rule (Linux perimeter):
# Drop POST packets to Serv-U HTTP port from unauthenticated sources
# (Layer 7 filtering requires an application-aware proxy for full efficacy)
# Pair with IP allowlist for defense-in-depth
iptables -I INPUT -p tcp --dport 443 -m string \
--string "content-encoding" --algo bm -j DROP
Note: String-matching rules at the iptables level are a best-effort control and should be paired with IP allowlisting for meaningful protection.
5. How to Test the Fix (Validation)
Regression Test Scenarios
Scenario A: Confirm service is running updated version
After applying HF1, verify the version string in the management console and via the HTTP banner:
curl -sk https://<target>/Web%20Client/ | grep -i "serv-u\|version"
Expected: Version 15.5.4 HF1 or later.
Scenario B: Confirm normal file transfer functionality is intact
Test FTP, SFTP, and HTTPS file transfers using a test account to confirm the hotfix did not break legitimate operations.
Scenario C: Confirm mitigation rules are enforced (if patch not yet applied)
Send a test POST with Content-Encoding: deflate from an external test host and confirm the request is rejected at the WAF or perimeter without reaching Serv-U:
curl -sk -X POST https://<target>/Web%20Client/Login.htm \
-H "Content-Encoding: deflate" \
-d "test=1"
# Expected: 403 Forbidden (from WAF), NOT a crash
Security Test Cases
Test Case 1: Verify CVE-2026-28318 is no longer exploitable
- Precondition: Serv-U 15.5.4 HF1 applied to a non-production test instance
- Steps: Send a POST request with
Content-Encoding: deflateand a large/malformed payload to the Serv-U web interface - Expected result: Request is rejected with an HTTP error code (400 or 500); service remains running and responsive to subsequent legitimate requests
- Pass criteria: No service crash; Serv-U continues serving FTP/SFTP/HTTPS sessions normally
Test Case 2: Verify WAF blocks the attack vector
- Precondition: WAF rule blocking
Content-Encodingheader is active - Steps: Send the crafted POST request from an external test host
- Expected result: WAF returns 403; request never reaches Serv-U backend
- Pass criteria: Serv-U logs show no record of the request; WAF logs record the block event
Automated Post-Patch Health Check
#!/bin/bash
# servu-health-check.sh — run after patching to confirm service stability
HOST="https://your-servu-server"
PASS=0
echo "[1] Checking Serv-U web interface availability..."
HTTP_CODE=$(curl -sk -o /dev/null -w "%{http_code}" "$HOST/Web%20Client/")
if [ "$HTTP_CODE" = "200" ]; then
echo " PASS: Web interface reachable (HTTP $HTTP_CODE)"
PASS=$((PASS+1))
else
echo " FAIL: Web interface returned HTTP $HTTP_CODE"
fi
echo "[2] Checking Content-Encoding rejection..."
BLOCK_CODE=$(curl -sk -o /dev/null -w "%{http_code}" -X POST \
-H "Content-Encoding: deflate" -d "test=1" \
"$HOST/Web%20Client/Login.htm")
if [ "$BLOCK_CODE" != "200" ] && [ "$BLOCK_CODE" != "000" ]; then
echo " PASS: Content-Encoding POST rejected (HTTP $BLOCK_CODE)"
PASS=$((PASS+1))
else
echo " WARN: Content-Encoding POST not explicitly blocked — verify WAF rules"
fi
echo ""
echo "Health check complete. $PASS/2 checks passed."
6. Prevention & Hardening
Best Practices
Minimize internet exposure. Serv-U should never be directly internet-accessible without a hardened reverse proxy or application delivery controller in front of it. Place Serv-U behind a WAF that terminates TLS, inspects HTTP headers, and enforces request rate limits.
Apply patches within 24–72 hours of release. SolarWinds has an established pattern of Serv-U vulnerabilities being weaponized days after disclosure. A patch SLA of 30 days is not adequate for this product — treat Serv-U patches as emergency-priority updates.
Enforce IP allowlisting. File transfer servers rarely need to accept connections from arbitrary internet sources. Maintain an allowlist of known client IP addresses or CIDR ranges and deny all others at the firewall level.
Monitor for unexpected service restarts. Configure your monitoring stack to alert on Serv-U process termination. In Windows environments, Event ID 7034 (service terminated unexpectedly) in the System event log is a reliable indicator of a crash-based DoS attack in progress.
Segment Serv-U from critical infrastructure. Serv-U servers should be network-isolated from internal domain controllers, databases, and other sensitive systems. Historical ransomware campaigns (Clop, 2021) used Serv-U as an initial foothold before pivoting internally.
Monitoring & Detection
Log sources to monitor:
- Serv-U application logs: Watch for bursts of HTTP 500 errors or abrupt truncation of log entries (indicating crash)
- Windows Event Log: System channel, Event ID 7034 (SolarWinds Serv-U service terminated unexpectedly)
- WAF/proxy access logs: Anomalous POST requests to Serv-U endpoints, especially with
Content-Encodingheaders - Network flow data: High-volume POST traffic to Serv-U ports from a single source — a potential sustained DoS attempt
SIEM detection rule (pseudo-code):
RULE: SolarWinds Serv-U DoS Attempt (CVE-2026-28318)
SOURCE: WAF logs OR web access logs
CONDITION:
http.method == "POST"
AND http.uri CONTAINS "/Web%20Client/"
AND http.headers CONTAINS "content-encoding"
AND destination.port IN (80, 443, 9999)
THRESHOLD: 1 occurrence
SEVERITY: High
ACTION: Alert SOC, block source IP, initiate incident ticket
SIEM detection rule (Serv-U crash indicator):
RULE: SolarWinds Serv-U Service Crash (Active DoS)
SOURCE: Windows Event Log
CONDITION:
EventID == 7034
AND ServiceName CONTAINS "Serv-U"
THRESHOLD: 1 occurrence in 5 minutes
SEVERITY: Critical
ACTION: Page on-call, initiate IR runbook
References
- CVE Entry: NVD CVE-2026-28318
- SolarWinds Advisory: SolarWinds Trust Center — CVE-2026-28318
- Patch Download: SolarWinds Serv-U 15.5.4 HF1 Release Notes
- CISA KEV Addition: CISA Alert — June 5, 2026
- CISA KEV Catalog Entry: Known Exploited Vulnerabilities Catalog
- BleepingComputer Coverage: CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
- The Hacker News Coverage: CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog
- Shodan Exposure Query: Serv-U internet-exposed instances
- Historical Context — CVE-2021-35211 (Clop): BleepingComputer — Clop gang exploiting Serv-U