High | Known exploited (KEV) | CVE-2026-28318

Denial-of-service flaw in SolarWinds Serv-U (CVE-2026-28318) — crashing file transfer without authentication

SolarWinds Serv-U | Added to KEV: Jun 5, 2026 | Federal remediation due: 2026-06-19

SolarWinds Serv-U, a file-transfer server, has an uncontrolled-resource-consumption (DoS) flaw: without authentication, a crafted POST request using a deflate Content-Encoding header can crash the Serv-U service. CISA listed it as known-exploited (KEV) (CVSS 7.5 High, per NVD).

Key facts

  • CVE ID: CVE-2026-28318
  • CVSS base score: 7.5 HIGH
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Affected (vendor / product): SolarWinds Serv-U
  • CWE: CWE-400
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-06-19 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Uncontrolled resource consumption (CWE-400) in SolarWinds Serv-U (a file-transfer server)
  • Without authentication, a crafted deflate-encoded POST can crash the service (DoS)
  • Impact is availability only (not data theft), but it can halt core file exchange
  • Listed in CISA KEV = exploitation confirmed; CVSS 7.5 High, per NVD
  • Response: apply SolarWinds' fix and review exposure (remediation deadline June 19, 2026)

CVE-2026-28318 is an uncontrolled-resource-consumption vulnerability (CWE-400) in SolarWinds Serv-U (a widely used file-transfer server providing MFT — managed file transfer — and FTP).

Per public information, an unauthenticated attacker can crash the Serv-U service by sending a specially crafted POST request using the Content-Encoding: deflate header. This is a denial-of-service (DoS) — deliberately exhausting the server's processing resources to bring it down.
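The page does not disclose Serv-U's root cause, so the following illustrates the general CWE-400 defence for deflate-encoded request bodies: a decoder that inflates with no ceiling beside one that enforces a hard cap and rejects malformed streams. This is added example code, not SolarWinds' code or its fix; the caps, the verdict format and the sample inputs are constructed for the example.

```python
import zlib

# Caps are constructed for this example; a real server sizes them to its request policy.
MAX_COMPRESSED_BYTES = 1024 * 1024   # refuse to start inflating above this
MAX_INFLATED_BYTES = 1024 * 1024     # hard ceiling on bytes materialized per request
CHUNK = 64 * 1024                    # inflate in bounded steps so the cap is enforceable

class BodyTooLarge(Exception):
    """The deflate-encoded body would exceed the configured ceiling."""

def inflate_unbounded(body: bytes) -> bytes:
    """Naive decoder: materializes whatever the stream expands to (the CWE-400 pattern)."""
    return zlib.decompress(body)

def inflate_bounded(body: bytes) -> bytes:
    """Hardened decoder: stop once output exceeds the cap and reject malformed streams."""
    if len(body) > MAX_COMPRESSED_BYTES:
        raise BodyTooLarge("compressed body exceeds cap")
    # Content-Encoding: deflate is zlib-wrapped (RFC 1950); wbits=15 expects that header.
    d = zlib.decompressobj(wbits=15)
    out = bytearray()
    pending = body
    while pending:
        # max_length bounds this step's output; unread input waits in unconsumed_tail.
        out += d.decompress(pending, CHUNK)
        pending = d.unconsumed_tail
        if len(out) > MAX_INFLATED_BYTES:
            raise BodyTooLarge("inflated body exceeds cap")
    out += d.flush()
    if len(out) > MAX_INFLATED_BYTES:
        raise BodyTooLarge("inflated body exceeds cap")
    if not d.eof:
        raise ValueError("truncated deflate stream")
    return bytes(out)

def handle_deflate_body(body: bytes) -> dict:
    """Map the decoder's outcome onto an HTTP-style verdict for the request handler."""
    try:
        data = inflate_bounded(body)
    except BodyTooLarge:
        return {"status": 413, "length": 0}
    except (zlib.error, ValueError):
        return {"status": 400, "length": 0}
    return {"status": 200, "length": len(data)}

# Constructed inputs: a small ordinary body, and a highly compressible 4 MiB body
# that is only a few KiB on the wire but expands in full under the naive decoder.
SAMPLE_BODY = b"username=alice&action=list\n" * 8
SAMPLE_ENCODED = zlib.compress(SAMPLE_BODY)
OVERSIZED_BODY = zlib.compress(b"\0" * (4 * 1024 * 1024))
```

The bounded decoder turns the oversized body into a 413 after at most 1 MiB of work, whereas inflate_unbounded would allocate the full 4 MiB before the handler could react.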

The impact is availability only (no confidentiality or integrity impact — data is not stolen). However, file transfer often underpins core business (data exchange with partners, batch integrations), so an outage halts operations. Serv-U has been a target before, so CISA listing it as known-exploited carries weight.

Key response: check SolarWinds' official information, identify affected versions, and apply the fix. CISA required federal civilian agencies to remediate by June 19, 2026. If it is internet-facing, prioritize accordingly and consider narrowing exposure (limit to necessary parties) and strengthening access control.

Why it matters

This flaw concerns the availability of organizations that use Serv-U for partner data exchange and system integration. Because the outage can be triggered remotely without authentication, prompt patching, together with minimizing exposure and strengthening access control, is the priority. It underscores the need to protect core file-transfer infrastructure.

FAQ

What is Serv-U?
A SolarWinds file-transfer server — an MFT/FTP product that enterprises use for data exchange with partners and system-to-system integration.
If it is only DoS, is it minor?
No data is stolen, but file transfer often underpins core business, so an outage stops operations. Combined with the fact that it can be triggered remotely without authentication, the practical impact is not small.
What should I do?
Check SolarWinds' official information for affected versions and apply the fix. If internet-facing, it is high-priority; also consider narrowing exposure and strengthening access control.

Sources (primary)

This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
