Vulnerability Analysis

CVE-2026-28318: SolarWinds Serv-U Unauthenticated DoS — Actively Exploited, Patch Now

Executive Summary

CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog on June 5, 2026, confirming active in-the-wild exploitation of a high-severity denial-of-service flaw in SolarWinds Serv-U managed file transfer software. An unauthenticated remote attacker can crash the Serv-U service with a single specially crafted HTTP POST request containing a Content-Encoding: deflate header, requiring zero privileges and zero user interaction. With over 12,000 Serv-U servers currently exposed on the internet and SolarWinds' history as a prime ransomware target, organizations running Serv-U must patch to version 15.5.4 Hotfix 1 immediately — federal agencies face a hard CISA deadline of June 19, 2026.


1. What Is This Vulnerability?

CVE-2026-28318 is an uncontrolled resource consumption vulnerability (CWE-400) in SolarWinds Serv-U's HTTP request handling layer. When Serv-U receives a POST request with the Content-Encoding: deflate header, it attempts to decompress the body without enforcing adequate resource limits. This causes the server process to exhaust memory or CPU until it crashes — a classic "decompression bomb" pattern applied to the HTTP content-encoding pipeline.

The vulnerability is notable for what it lacks: it requires no authentication, no existing session, no valid credentials, and no cooperation from a logged-in user. Any network-reachable Serv-U instance is exposed by default.

Attack Vector

The attack is trivially simple. A single crafted request is sufficient:

POST /Web%20Client/Login.htm HTTP/1.1
Host: <target-servu-server>
Content-Encoding: deflate
Content-Length: <large_value>

<malformed or oversized deflate-encoded payload>

The Serv-U service attempts to inflate the body, consuming unbounded memory in the process. Depending on system resources and payload size, the crash occurs within seconds to minutes. Because the service runs as a Windows service or Linux daemon, crashing it halts all file transfer operations — FTP, FTPS, SFTP, HTTP/HTTPS — until the service is manually or automatically restarted.

An attacker can sustain the DoS by repeatedly sending the crafted request, preventing recovery between restarts.

Real-World Impact

CISA's KEV addition confirms threat actors are actively exploiting this flaw in the wild as of June 5, 2026. While specific attribution has not been publicly disclosed, Serv-U has been a repeated target of high-profile threat actors:

  • 2021 (CVE-2021-35211): The Clop ransomware gang exploited a Serv-U RCE vulnerability to breach corporate networks. DEV-0322, a Chinese APT group, simultaneously exploited the same zero-day in targeted espionage campaigns.
  • 2024 (CVE-2024-28995): A path-traversal flaw was weaponized within days of disclosure, with GreyNoise and Rapid7 documenting mass exploitation.

CVE-2026-28318 follows this pattern — weaponized rapidly after patch release, likely as an availability attack or as a precursor to follow-on exploitation once defenders' attention is divided.


2. Who Is Affected?

All SolarWinds Serv-U installations prior to version 15.5.4 Hotfix 1 are vulnerable on both Windows and Linux. This includes:

  • SolarWinds Serv-U Managed File Transfer (MFT) Server
  • SolarWinds Serv-U FTP Server
  • Any deployment exposing Serv-U's HTTP/HTTPS interface (port 80/443 by default) to untrusted networks

Exposure scale: Shodan currently tracks over 12,000 Serv-U servers with internet-facing interfaces. Shadowserver independently identifies approximately 3,100 exposed instances, though the discrepancy likely reflects differing detection methodologies rather than the true exposure count.

Not affected: Serv-U 15.5.4 HF1 and later. Organizations that have already applied this hotfix are not vulnerable.


3. How to Detect It (Testing)

Manual Testing Steps

Warning: Only perform these tests against systems you own or have explicit written authorization to test. Sending this request to a production server will crash it.

Step 1: Identify exposed Serv-U instances

Use Shodan or your asset inventory to locate Serv-U servers. The Shodan query "Serv-U FTP Server" returns internet-facing instances. Internally, check for hosts running the Serv-U Windows service (SolarWinds Serv-U) or Linux daemon.

Step 2: Check version before testing

Connect to the Serv-U web interface (typically https://<host>/Web%20Client/) and inspect the server response headers or login page footer for the version string. If it shows 15.5.4 HF1 or later, the system is patched.

Step 3: Confirm vulnerability (non-destructive check)

Review Serv-U logs for prior crash events tied to unusual Content-Encoding headers:

# Windows — Serv-U log path (default):
C:\ProgramData\RhinoSoft\Serv-U\Serv-U.log

# Linux:
/var/log/Serv-U/Serv-U.log

Search for log entries with HTTP 500 errors or abrupt service termination timestamps that correlate with incoming POST requests.

Automated Scanning

Nuclei template check (version-based):

# Install Nuclei if not present:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Run against target (version fingerprint only — non-destructive):
nuclei -u https://<target> -t technologies/serv-u-detect.yaml -silent

Check the detected version against the patched threshold (15.5.4 HF1+).

Nmap version detection:

nmap -sV -p 21,22,80,443,9999 <target-ip>
# Look for "Serv-U" in service banner output

Internal asset audit (PowerShell — Windows):

# Find all Serv-U installations and their versions across your network
Get-WmiObject -Class Win32_Product -Filter "Name LIKE 'Serv-U%'" |
  Select-Object Name, Version, InstallDate |
  Export-Csv servu-inventory.csv -NoTypeInformation

Code Review Checklist

For organizations running Serv-U behind a reverse proxy or WAF:

  • Confirm WAF rules exist to block or inspect POST requests with Content-Encoding: deflate to Serv-U endpoints
  • Verify IP allowlists are enforced at the firewall level for Serv-U HTTP/HTTPS ports
  • Confirm Serv-U is not directly internet-exposed without an intermediate proxy layer
  • Verify service restart monitoring and alerting is configured (unexpected Serv-U process termination should page on-call)

4. How to Fix It (Mitigation)

Step-by-Step Remediation

Primary fix: Apply the patch

  1. Download Serv-U 15.5.4 Hotfix 1 from the SolarWinds Customer Portal: https://customerportal.solarwinds.com/
  2. Back up the current Serv-U configuration directory before applying:
    # Windows default:
    C:\ProgramData\RhinoSoft\Serv-U\
    
    # Back up to safe location:
    xcopy /E /I "C:\ProgramData\RhinoSoft\Serv-U" "D:\Backup\Serv-U-backup-%date%"
    
  3. Stop the Serv-U service:
    net stop "Serv-U"
    
  4. Run the Hotfix 1 installer and follow the prompts.
  5. Start the service:
    net start "Serv-U"
    
  6. Verify the updated version in the Serv-U management console under Help > About.

Interim Mitigations (If Immediate Patching Is Not Possible)

SolarWinds has published two interim controls that significantly reduce exposure without requiring the hotfix:

Mitigation 1: Restrict access to known IP addresses

In the Serv-U management console, navigate to Domains > Listeners and configure IP access rules to allow connections only from known, trusted IP ranges. Deny all others by default.

Mitigation 2: Block POST requests containing content-encoding at the network perimeter

Since the vulnerable Serv-U service does not use Content-Encoding for any legitimate functionality, this header can be safely blocked without impacting normal operations.

Example WAF/firewall rule (NGINX upstream proxy):

# Block requests with Content-Encoding header destined for Serv-U
location / {
    if ($http_content_encoding) {
        return 403 "Content-Encoding not permitted";
    }
    proxy_pass http://servu-backend;
}

Example iptables rule (Linux perimeter):

# Drop POST packets to Serv-U HTTP port from unauthenticated sources
# (Layer 7 filtering requires an application-aware proxy for full efficacy)
# Pair with IP allowlist for defense-in-depth
iptables -I INPUT -p tcp --dport 443 -m string \
  --string "content-encoding" --algo bm -j DROP

Note: String-matching rules at the iptables level are a best-effort control and should be paired with IP allowlisting for meaningful protection.


5. How to Test the Fix (Validation)

Regression Test Scenarios

Scenario A: Confirm service is running updated version

After applying HF1, verify the version string in the management console and via the HTTP banner:

curl -sk https://<target>/Web%20Client/ | grep -i "serv-u\|version"

Expected: Version 15.5.4 HF1 or later.

Scenario B: Confirm normal file transfer functionality is intact

Test FTP, SFTP, and HTTPS file transfers using a test account to confirm the hotfix did not break legitimate operations.

Scenario C: Confirm mitigation rules are enforced (if patch not yet applied)

Send a test POST with Content-Encoding: deflate from an external test host and confirm the request is rejected at the WAF or perimeter without reaching Serv-U:

curl -sk -X POST https://<target>/Web%20Client/Login.htm \
  -H "Content-Encoding: deflate" \
  -d "test=1"
# Expected: 403 Forbidden (from WAF), NOT a crash

Security Test Cases

Test Case 1: Verify CVE-2026-28318 is no longer exploitable

  • Precondition: Serv-U 15.5.4 HF1 applied to a non-production test instance
  • Steps: Send a POST request with Content-Encoding: deflate and a large/malformed payload to the Serv-U web interface
  • Expected result: Request is rejected with an HTTP error code (400 or 500); service remains running and responsive to subsequent legitimate requests
  • Pass criteria: No service crash; Serv-U continues serving FTP/SFTP/HTTPS sessions normally

Test Case 2: Verify WAF blocks the attack vector

  • Precondition: WAF rule blocking Content-Encoding header is active
  • Steps: Send the crafted POST request from an external test host
  • Expected result: WAF returns 403; request never reaches Serv-U backend
  • Pass criteria: Serv-U logs show no record of the request; WAF logs record the block event

Automated Post-Patch Health Check

#!/bin/bash
# servu-health-check.sh — run after patching to confirm service stability

HOST="https://your-servu-server"
PASS=0

echo "[1] Checking Serv-U web interface availability..."
HTTP_CODE=$(curl -sk -o /dev/null -w "%{http_code}" "$HOST/Web%20Client/")
if [ "$HTTP_CODE" = "200" ]; then
  echo "  PASS: Web interface reachable (HTTP $HTTP_CODE)"
  PASS=$((PASS+1))
else
  echo "  FAIL: Web interface returned HTTP $HTTP_CODE"
fi

echo "[2] Checking Content-Encoding rejection..."
BLOCK_CODE=$(curl -sk -o /dev/null -w "%{http_code}" -X POST \
  -H "Content-Encoding: deflate" -d "test=1" \
  "$HOST/Web%20Client/Login.htm")
if [ "$BLOCK_CODE" != "200" ] && [ "$BLOCK_CODE" != "000" ]; then
  echo "  PASS: Content-Encoding POST rejected (HTTP $BLOCK_CODE)"
  PASS=$((PASS+1))
else
  echo "  WARN: Content-Encoding POST not explicitly blocked — verify WAF rules"
fi

echo ""
echo "Health check complete. $PASS/2 checks passed."

6. Prevention & Hardening

Best Practices

Minimize internet exposure. Serv-U should never be directly internet-accessible without a hardened reverse proxy or application delivery controller in front of it. Place Serv-U behind a WAF that terminates TLS, inspects HTTP headers, and enforces request rate limits.

Apply patches within 24–72 hours of release. SolarWinds has an established pattern of Serv-U vulnerabilities being weaponized days after disclosure. A patch SLA of 30 days is not adequate for this product — treat Serv-U patches as emergency-priority updates.

Enforce IP allowlisting. File transfer servers rarely need to accept connections from arbitrary internet sources. Maintain an allowlist of known client IP addresses or CIDR ranges and deny all others at the firewall level.

Monitor for unexpected service restarts. Configure your monitoring stack to alert on Serv-U process termination. In Windows environments, Event ID 7034 (service terminated unexpectedly) in the System event log is a reliable indicator of a crash-based DoS attack in progress.

Segment Serv-U from critical infrastructure. Serv-U servers should be network-isolated from internal domain controllers, databases, and other sensitive systems. Historical ransomware campaigns (Clop, 2021) used Serv-U as an initial foothold before pivoting internally.

Monitoring & Detection

Log sources to monitor:

  • Serv-U application logs: Watch for bursts of HTTP 500 errors or abrupt truncation of log entries (indicating crash)
  • Windows Event Log: System channel, Event ID 7034 (SolarWinds Serv-U service terminated unexpectedly)
  • WAF/proxy access logs: Anomalous POST requests to Serv-U endpoints, especially with Content-Encoding headers
  • Network flow data: High-volume POST traffic to Serv-U ports from a single source — a potential sustained DoS attempt

SIEM detection rule (pseudo-code):

RULE: SolarWinds Serv-U DoS Attempt (CVE-2026-28318)
  SOURCE: WAF logs OR web access logs
  CONDITION:
    http.method == "POST"
    AND http.uri CONTAINS "/Web%20Client/"
    AND http.headers CONTAINS "content-encoding"
    AND destination.port IN (80, 443, 9999)
  THRESHOLD: 1 occurrence
  SEVERITY: High
  ACTION: Alert SOC, block source IP, initiate incident ticket

SIEM detection rule (Serv-U crash indicator):

RULE: SolarWinds Serv-U Service Crash (Active DoS)
  SOURCE: Windows Event Log
  CONDITION:
    EventID == 7034
    AND ServiceName CONTAINS "Serv-U"
  THRESHOLD: 1 occurrence in 5 minutes
  SEVERITY: Critical
  ACTION: Page on-call, initiate IR runbook

References

Latest from the blog

See all →