CVE-2026-28318 is an unauthenticated denial-of-service vulnerability in SolarWinds Serv-U, rated CVSS 7.5. An attacker sends a POST request with Content-Encoding: deflate to a Serv-U instance without any credentials, and the service crashes. No authentication, no prior access, no special network position required. CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on June 5, 2026, with a remediation deadline of June 19.
SolarWinds published Serv-U 15.5.4 Hotfix 1 on June 4.
What the bug does
Serv-U mishandles deflate-encoded POST request bodies. Feeding it a specially crafted payload of this type causes uncontrolled resource consumption (CWE-400) that terminates the process. The crash requires no session, no login, and no prior knowledge of the target beyond its IP and port.
The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Network-reachable, low complexity, no privileges, no user interaction. Availability goes to zero; confidentiality and integrity are unaffected. That profile puts it on the lower end of HIGH, but the no-auth, one-request nature makes it operationally simple to use at scale.
All Serv-U versions before 15.5.4 are affected. Version 15.5.4 without Hotfix 1 is also affected.
How to patch
Hotfix 1 for Serv-U 15.5.4 is a manual archive extraction, not a package manager update. The procedure:
- Shut down Serv-U from the system tray icon (Windows) or stop the service (Linux).
- Back up the existing binaries and configuration files. SolarWinds specifies which files by OS in the release notes.
- Extract the hotfix archive to a temporary directory.
- Copy the extracted contents into the Serv-U installation directory. Default paths: C:\Program Files\RhinoSoft\Serv-U on Windows, /usr/local/Serv-U on Linux.
- On Linux, set the correct permissions on the Serv-U binary after copying (owner execute plus the setuid bit, which a plain copy does not carry over):
  chmod u+xs /usr/local/Serv-U/Serv-U
- Restart the Serv-U tray application and the service.
Verify the version shows 15.5.4 Hotfix 1 in the Serv-U management console after restart.
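The Linux side of that procedure as one added shell script. It is not SolarWinds' installer and not code from the original page. Everything it assumes is an assumption, not something the page states: that the hotfix ships as a .zip or .tar.gz whose layout mirrors the installation directory, that the service is controlled through an init script at /etc/init.d/Serv-U, and that copying the whole installation directory is an acceptable backup (a superset of the files the release notes list). The function names are hypothetical.

```shell
#!/bin/sh
# Added example: apply a Serv-U hotfix on Linux following the manual steps
# (stop, back up, extract, copy, chmod u+xs, restart). Not SolarWinds' tooling.
# Assumptions (not from the page): archive is .zip or .tar.gz mirroring the
# install dir; /etc/init.d/Serv-U controls the service; whole-directory backup.
set -eu

SERVU_DIR_DEFAULT=/usr/local/Serv-U
SERVU_INIT=/etc/init.d/Serv-U   # assumed location of the init script

servu_service() {
    # $1 = stop|start. Falls back to a warning when the init script is absent.
    if [ -x "$SERVU_INIT" ]; then
        "$SERVU_INIT" "$1"
    else
        echo "warning: $SERVU_INIT not found; $1 Serv-U manually" >&2
    fi
}

backup_servu() {
    # Copy the whole install dir (binaries and config) into $2 before touching it.
    install_dir=$1; backup_dir=$2
    mkdir -p "$backup_dir"
    cp -a "$install_dir"/. "$backup_dir"/
}

extract_hotfix() {
    # Unpack archive $1 into the (empty) temporary directory $2.
    archive=$1; dest=$2
    mkdir -p "$dest"
    case "$archive" in
        *.zip)          unzip -q "$archive" -d "$dest" ;;
        *.tar.gz|*.tgz) tar -xzf "$archive" -C "$dest" ;;
        *) echo "unknown archive format: $archive" >&2; return 1 ;;
    esac
}

install_hotfix_files() {
    # Copy the extracted tree over the install dir, then restore owner execute
    # and setuid on the Serv-U binary, which cp does not carry over.
    src=$1; install_dir=$2
    cp -a "$src"/. "$install_dir"/
    chmod u+xs "$install_dir/Serv-U"
}

apply_servu_hotfix() {
    # $1 archive, $2 install dir, $3 backup dir. Returns 0 on success, 1 otherwise.
    archive=$1; install_dir=$2; backup_dir=$3
    [ -f "$archive" ]     || { echo "archive not found: $archive" >&2; return 1; }
    [ -d "$install_dir" ] || { echo "install dir not found: $install_dir" >&2; return 1; }
    tmp=$(mktemp -d)
    backup_servu "$install_dir" "$backup_dir"      || { rm -rf "$tmp"; return 1; }
    extract_hotfix "$archive" "$tmp"               || { rm -rf "$tmp"; return 1; }
    install_hotfix_files "$tmp" "$install_dir"     || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
}

main() {
    archive=$1
    install_dir=${2:-$SERVU_DIR_DEFAULT}
    backup_dir=${3:-/var/backups/Serv-U-$(date +%Y%m%d%H%M%S)}
    servu_service stop
    apply_servu_hotfix "$archive" "$install_dir" "$backup_dir"
    servu_service start
    echo "Hotfix applied; backup in $backup_dir."
    echo "Confirm the console reports 15.5.4 Hotfix 1 before closing the change."
}

# Usage: sh apply-hotfix.sh /path/to/hotfix.tar.gz [/usr/local/Serv-U] [backup dir]
[ "$#" -eq 0 ] || main "$@"
```

The backup happens before extraction so a corrupt archive leaves the installation untouched, and the setuid bit is reapplied explicitly because cp without permission preservation drops it. The version check in the management console stays a manual step; the script only reminds you of it.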
If you cannot patch by June 19
CISA's KEV deadline applies to federal agencies under BOD 22-01, but it is a reasonable target for anyone running Serv-U in a production environment. If you cannot apply the hotfix on that timeline:
- Restrict inbound access to Serv-U's HTTP and HTTPS listeners to known client IP ranges at the firewall. A packet filter cannot see HTTP methods, so this limits who can reach the service at all rather than blocking POSTs specifically; it reduces the attack surface but does not eliminate it if your authorized client IP space is large or dynamic. If a reverse proxy or WAF already fronts Serv-U, it can additionally reject POST requests that carry Content-Encoding: deflate, the trigger described above; confirm first that no legitimate client sends deflate-encoded request bodies.
- Monitor Serv-U process health and set up automatic service restart. This does not prevent the crash, but it limits downtime per incident until you can patch.
Neither option is a substitute for the hotfix. Serv-U has been on CISA's radar repeatedly. KEV listings for SolarWinds products have historically preceded active scanning campaigns within days of publication.
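A way to see whether the request shape described above (a POST with Content-Encoding: deflate) is already arriving, and from how many sources, as an added shell example that is not part of the original page or of SolarWinds' tooling. It assumes, and the page does not state this, that a reverse proxy in front of Serv-U writes an nginx-style access log whose last quoted field is the request's Content-Encoding header; the log lines in sample_log are constructed, using documentation address ranges, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the page or SolarWinds: flag deflate-encoded POSTs in a
# reverse-proxy access log in front of Serv-U and rank client addresses by volume.
# Assumed (not stated on the page): nginx-style combined log format with the
# request's Content-Encoding header appended as the last quoted field.
set -eu

sample_log() {
    # Constructed sample: two deflate POSTs from one host, one from another,
    # plus ordinary traffic that must not be flagged.
    cat <<'EOF'
203.0.113.5 - - [05/Jun/2026:10:00:01 +0000] "POST / HTTP/1.1" 502 0 "-" "python-requests/2.31" "deflate"
203.0.113.5 - - [05/Jun/2026:10:00:02 +0000] "POST / HTTP/1.1" 502 0 "-" "python-requests/2.31" "Deflate"
198.51.100.7 - - [05/Jun/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)" "-"
198.51.100.7 - - [05/Jun/2026:10:00:04 +0000] "POST /login HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux)" "gzip"
192.0.2.9 - - [05/Jun/2026:10:00:05 +0000] "POST /login HTTP/1.1" 200 128 "-" "curl/8.5.0" "deflate"
EOF
}

deflate_posts() {
    # Print every deflate-encoded POST in log file $1 (stdin when omitted).
    # $6 is the start of the quoted request field ("POST); $NF is the last
    # quoted field, so a user agent containing spaces does not shift it.
    # Header values are case-insensitive, hence tolower().
    awk '$6 == "\"POST" && tolower($NF) == "\"deflate\""' "${1:--}"
}

deflate_post_sources() {
    # Count deflate-encoded POSTs per client address, busiest first,
    # as "<count> <ip>" lines.
    deflate_posts "${1:--}" \
        | awk '{ n[$1]++ } END { for (ip in n) printf "%d %s\n", n[ip], ip }' \
        | sort -rn
}

top_deflate_source() {
    # The single busiest source, or an empty string when nothing matched.
    deflate_post_sources "${1:--}" | head -n 1
}

# Usage against a real log: deflate_post_sources /var/log/nginx/access.log
```

Run it against the proxy log, not Serv-U's own logs: the crash is in Serv-U, so the proxy is the component that stays up to record the request and the 502 it returned once the backend dropped. A handful of deflate POSTs from one address is the signature to alert on, whether or not the service restarted cleanly.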