CVE-2026-28318: One POST Request Takes Down SolarWinds Serv-U
Picture this: your file transfer server handles hundreds of corporate clients — financial reports, backups, sensitive documents moving around the clock. At 3 AM, someone sends a single HTTP request. Serv-U crashes. All transfers stop. By morning, the phones are ringing.
That’s CVE-2026-28318 — a Denial of Service vulnerability in SolarWinds Serv-U, scored CVSS 7.5 (High), classified as CWE-400: Uncontrolled Resource Consumption. The patch landed on June 4, 2026 — Serv-U 15.5.4 Hotfix 1. One day later, on June 5, CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog: active exploitation confirmed in the wild.
The trigger is a crafted POST request with a Content-Encoding: deflate header. No authentication. No user interaction. No privileges. The service goes down.
WHAT IS SERV-U
If you’ve worked in enterprise infrastructure, you know the problem: how do you move a large file between two organizations securely, reliably, with proper logging and access control — and have it work for both the accountant running a 2006-era FTP client and the partner hitting an HTTPS endpoint from a browser? That’s exactly the gap Serv-U fills. It’s a Managed File Transfer (MFT) server for Windows and Linux, supporting FTP, FTPS, SFTP, HTTP, and HTTPS simultaneously. Banks use it to push statements to payment processors. Hospitals use it to exchange DICOM images between facilities. Manufacturers use it to route EDI documents through supply chains. Serv-U is the kind of infrastructure nobody thinks about — until it goes down.
By design, Serv-U faces the internet. That’s what it’s for. Shodan currently tracks over 12,000 Serv-U servers with open network access. Shadowserver puts the number around 3,100. The discrepancy comes down to scanning methodology, but the point stands: thousands of Serv-U installations are reachable from anywhere on the internet, and a significant portion haven’t been patched yet.
For attackers, Serv-U has a long history as a high-value target. In 2021, the Chinese state-sponsored group DEV-0322 was first to weaponize CVE-2021-35211 — an RCE in Serv-U — as a zero-day before SolarWinds even had a patch ready. TA505 (the threat actor behind Clop/FIN11 ransomware) later picked up the same flaw to breach corporate networks and deploy ransomware. In 2024, a Serv-U path traversal bug, CVE-2024-28995, was actively exploited by GreyNoise-tracked actors. The current score: CISA has cataloged 11 SolarWinds vulnerabilities as actively exploited. CVE-2026-28318 will be the twelfth. Security researchers have long noted that Serv-U gets tested whenever there’s an opportunity — and the track record shows those tests often succeed.
HOW THE VULNERABILITY WORKS
The Content-Encoding HTTP header is an instruction to the server: “the request body is compressed with this algorithm — decompress it before processing.” One valid value is deflate, a compression scheme based on LZ77 and Huffman coding. The logic is straightforward: the client compresses data to save bandwidth, the server receives it and decompresses. The problem is that Serv-U puts no limits on that decompression — no cap on memory allocated, no cap on CPU time consumed. Think of a pump with no pressure relief valve: it’ll keep pumping until something breaks.
CWE-400 (Uncontrolled Resource Consumption) describes exactly this pattern: an application allocates resources in response to incoming data without enforcing any upper bound. The attacker sends a specially crafted compressed payload, and Serv-U starts consuming memory or CPU without stopping. No limit, no brake, until the service exhausts available resources and crashes. Crucially, all of this happens before authentication. Serv-U accepts and begins processing the request before it ever checks who sent it — which means the attacker doesn’t need credentials at all.
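To make the missing bound concrete, here is an added Python example (not Serv-U code, and not from the SolarWinds advisory) that puts the unbounded pattern next to a capped decompressor. The request body is constructed in the example: 8 MiB of zero bytes, which deflate shrinks to a few KiB, so a few kilobytes on the wire become megabytes in server memory. The 1 MiB cap is an assumed policy value, and the 413/400 decisions are the example's own.

```python
import zlib

# Constructed sample body: 8 MiB of zeros deflates to a few KiB, so the server
# would have to allocate roughly a thousand times what arrived on the wire.
EXPANDED_SIZE = 8 * 1024 * 1024
CONSTRUCTED_BODY = zlib.compress(b"\0" * EXPANDED_SIZE, 9)

# Constructed legitimate body: a small CSV-like upload that fits under the cap.
LEGIT_PLAIN = b"report,2026-06-04\n" * 100
LEGIT_BODY = zlib.compress(LEGIT_PLAIN)

# Assumed policy value: the largest decompressed request body we will accept.
MAX_DECOMPRESSED = 1024 * 1024


class BodyTooLarge(Exception):
    """Raised when a deflate body would expand past the configured cap."""


def compression_ratio(body: bytes = CONSTRUCTED_BODY) -> float:
    """Expanded size divided by wire size; shows why a cap is needed."""
    return len(zlib.decompress(body)) / len(body)


def decompress_unbounded(body: bytes) -> int:
    """The CWE-400 pattern: inflate the whole body, however large it gets.
    Returns the number of bytes the server had to allocate."""
    return len(zlib.decompress(body))


def decompress_bounded(body: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a Content-Encoding: deflate body (zlib-wrapped, as RFC 7230
    defines the token) while never holding more than limit + 1 output bytes.
    Raises BodyTooLarge as soon as the cap is crossed, before the rest is
    inflated, so memory use is set by the policy rather than by the client."""
    d = zlib.decompressobj()
    out = bytearray()
    data = body
    while not d.eof:
        # max_length caps the output of this call; input that was not needed
        # yet stays in d.unconsumed_tail instead of being inflated into memory.
        chunk = d.decompress(data, limit + 1 - len(out))
        out += chunk
        if len(out) > limit:
            raise BodyTooLarge(
                f"body expands past {limit} bytes (wire size {len(body)})"
            )
        data = d.unconsumed_tail
        if not chunk and not data:
            raise ValueError("truncated or corrupt deflate stream")
    return bytes(out)


def inflate_or_reject(body: bytes) -> str:
    """The request-handling decision a server should make for a deflate body."""
    try:
        decompress_bounded(body)
        return "accepted"
    except BodyTooLarge:
        return "rejected: 413 Payload Too Large"
    except (ValueError, zlib.error):
        return "rejected: 400 Bad Request"


if __name__ == "__main__":
    print(f"wire bytes: {len(CONSTRUCTED_BODY)}, ratio {compression_ratio():.0f}:1")
    print("unbounded:", decompress_unbounded(CONSTRUCTED_BODY), "bytes allocated")
    print("bounded:  ", inflate_or_reject(CONSTRUCTED_BODY))
    print("legit:    ", inflate_or_reject(LEGIT_BODY))
```

The bounded version is the whole fix in miniature: the limit is checked after every chunk, the input that was not yet needed is never inflated, and a body that crosses the cap is rejected with a client error instead of being allowed to decide how much memory the server spends.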
The technical simplicity is part of why this hit the KEV catalog within 24 hours of the patch going public. There’s no vulnerability chain to build, no specialized tooling required, no reverse engineering needed. Just an HTTP client and one header. The barrier to entry for the attacker is as low as it gets; the potential impact on the victim is not.
REAL-WORLD ATTACK CHAIN
It starts with Shodan. A search on the Serv-U banner returns thousands of results with IPs, ports, and version strings. The attacker picks a target — or grabs the whole list. Then comes a single HTTP POST to any Serv-U endpoint with a Content-Encoding: deflate header and a crafted body. No login, no session token. Serv-U accepts the request, starts decompressing, and begins consuming resources with no stop condition. Depending on available RAM and CPU, the service crashes within seconds or minutes.
What does the admin see? Best case: a monitoring alert that the service is down. Worst case: a morning call from users who can’t connect. In Serv-U’s logs, the trail ends in an abrupt termination with no meaningful error message, typical of a process crash. Nothing in the authentication logs, because authentication never happened. Figuring out the root cause from logs alone, in the middle of an incident, is genuinely difficult.
If Serv-U is configured to restart automatically, the attacker just sends another request. The service comes back up and goes straight back down. That loop can run indefinitely. For a botnet operator, this attack is particularly attractive: unlike volumetric DDoS that requires flooding a pipe with gigabits of traffic and gets noticed upstream, a handful of well-crafted requests is enough. A botnet of a few hundred nodes, each sending one request per minute, keeps Serv-U in a permanent crash loop — with no traffic volume that would raise flags at the provider level. Quiet and effective.
TIMELINE
SolarWinds reserved the CVE identifier on February 26, 2026 — meaning the vulnerability was reported to them in February, months before any public disclosure. The official advisory appeared in their Trust Center on June 3. The patch — Serv-U 15.5.4 Hotfix 1 — shipped on June 4. The gap between CVE reservation and patch release was over three months, which is a standard coordinated disclosure window: the researcher gives the vendor time to fix before going public.
On June 5 — one day after the patch — CISA added CVE-2026-28318 to the KEV catalog. That means exploitation was already happening before the patch even dropped. How long before? Unknown. Given the history of MFT vulnerabilities being exploited pre-patch, it’s entirely plausible that attacks started before June 4. The remediation deadline for U.S. Federal Civilian Executive Branch agencies is June 19, 2026, under Binding Operational Directive BOD 22-01.
WHY IT MATTERS
DoS vulnerabilities tend to get dismissed: “server crashed, rebooted, back to work.” That logic falls apart the moment you’re talking about an MFT server. Serv-U isn’t a landing page. It’s the transport layer for business processes. The bank can’t send its end-of-day file to the payment processor. The hospital doesn’t receive imaging data from another facility. The manufacturer can’t push its shipping documents to the partner. SLA breached. Fines. Hours of manual recovery. Reputational damage — all from a single HTTP request that cost the attacker nothing.
There’s a darker angle too. Serv-U doesn’t get attacked by bored script kiddies — it gets targeted deliberately, for data. DEV-0322 used Serv-U to conduct espionage against U.S. defense contractors and technology companies. TA505/Clop used it as an initial access point for ransomware deployment and corporate data theft. A DoS attack can itself be reconnaissance: the attacker finds out which servers run Serv-U, how fast the security team responds, whether auto-restart is configured. With those answers, they come back with something more damaging. CISA doesn’t add things to KEV for paperwork. This means someone is actively breaking in, and not just one someone.
There’s also the silent failure risk. If Serv-U is a link in a nightly backup pipeline or an EDI integration, its downtime may not surface immediately. The backup quietly didn’t run. The EDI documents never reached the partner. That surfaces hours later, or the next morning — by which point the consequences have already compounded.
WHAT TO DO
The only complete fix is upgrading to Serv-U 15.5.4 Hotfix 1, available through the SolarWinds Customer Portal. One important detail: all versions up to and including 15.5.4 are vulnerable if the hotfix hasn’t been applied. If you upgraded to 15.5.4 but skipped the hotfix, you’re still exposed. Package inventory tools may see “15.5.4” and consider the system current — that’s the trap. Verify the exact build number inside the application itself.
If patching right now isn’t possible — change freeze, approval chain, fear of breaking something in production — SolarWinds officially recommends two compensating controls. First: restrict access to Serv-U to known, trusted IP addresses. If you have a list of partners and clients that actually connect to the server, whitelist them and block everything else at the firewall. Second: block any POST requests containing a Content-Encoding header. SolarWinds explicitly states that Serv-U doesn’t use this functionality — blocking it won’t break legitimate traffic.
One thing worth flagging: there’s no command-line way to check which version of Serv-U is installed. It doesn’t register with the system package manager — dpkg -l and rpm -qa won’t see it. The version is only visible in the Serv-U web admin interface under Setup → Information. Updates are applied via SolarWinds’ own installer, downloaded manually from the Customer Portal. This is exactly why automated inventory tools may report a stale version or miss Serv-U entirely — verify through the interface, by hand.
SolarWinds published example rules for common WAF and proxy solutions in their advisory. For nginx, the advisory suggests nested if blocks — but nginx doesn’t support nested if directives; that’s a known engine limitation. The working approach uses a variable: set it when each condition matches, then check the combined result in a single if:
# Inside the server { } or location { } block that proxies to Serv-U.
set $block_deflate_post 0;
# Condition 1: the request method is POST.
if ($request_method = POST) {
    set $block_deflate_post 1;
}
# Condition 2: a Content-Encoding header mentions deflate (case-insensitive match).
if ($http_content_encoding ~* deflate) {
    set $block_deflate_post "${block_deflate_post}1";
}
# Both conditions matched only when the combined flag reads "11".
if ($block_deflate_post = "11") {
    return 403;
}
For ModSecurity with CRS, the rule runs in phase 1 (before the request body is read) and uses a chain: the first rule matches the method, and the chain flag requires the next rule to also match. The chained rule lower-cases the header value first, since Content-Encoding values are case-insensitive and a plain @contains would otherwise miss “Deflate”. Add this before including CRS in your config — id:100100 needs to be free to avoid conflicts:
SecRule REQUEST_METHOD "@streq POST" "id:100100,phase:1,deny,status:403,msg:'POST with Content-Encoding deflate blocked (CVE-2026-28318 mitigation)',chain"
    SecRule REQUEST_HEADERS:Content-Encoding "@contains deflate" "t:lowercase"
If Cloudflare WAF sits in front of Serv-U, create a Custom Rule under Security → WAF. The expression matches both the header and the method; header values are arrays in Cloudflare’s rules language, so the [*] index has to be wrapped in any(). Set the action to Block:
(any(http.request.headers["content-encoding"][*] contains "deflate") and http.request.method eq "POST")
A note on nftables: it operates at L3/L4 and has no visibility into HTTP header contents. Filtering on Content-Encoding at the nftables level isn’t possible — that belongs at the WAF or reverse proxy layer. If nginx already sits in front of Serv-U, the rule above covers the attack vector completely.
After applying either the patch or the compensating controls, pull Serv-U’s logs for the past few weeks and look for POST requests carrying a Content-Encoding: deflate header. If they’re there, attempts were already made — and the question becomes whether any of them landed.
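As an added example, not part of the article or the advisory, here is a small Python scanner for that hunt. It assumes Serv-U sits behind nginx and that nginx logs the request method and the Content-Encoding header, so the log_format in the comment is an assumption and the log lines are constructed for the example. Serv-U’s own logs may not record request headers at all, which is one more reason to have the proxy log them.

```python
import re
from collections import Counter
from typing import Iterable

# Assumed nginx log_format for the proxy in front of Serv-U (not from the
# advisory). nginx logs "-" for a header that is absent from the request.
#   log_format servu '$remote_addr [$time_local] "$request" $status '
#                    'ce="$http_content_encoding"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) ce="(?P<encoding>[^"]*)"$'
)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
CONSTRUCTED_LOG = """\
203.0.113.10 [05/Jun/2026:03:02:11 +0000] "POST / HTTP/1.1" 403 ce="deflate"
198.51.100.7 [05/Jun/2026:03:02:12 +0000] "GET / HTTP/1.1" 200 ce="-"
203.0.113.10 [05/Jun/2026:03:02:13 +0000] "POST / HTTP/1.1" 502 ce="Deflate"
198.51.100.7 [05/Jun/2026:03:03:40 +0000] "POST /upload HTTP/1.1" 200 ce="gzip"
192.0.2.44 [05/Jun/2026:03:05:02 +0000] "POST / HTTP/1.1" 502 ce="deflate"
203.0.113.10 [05/Jun/2026:03:05:03 +0000] "GET /favicon.ico HTTP/1.1" 404 ce="-"
"""


def parse_lines(text: str) -> Iterable[dict]:
    """Yield one dict per parseable line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_deflate_post(rec: dict) -> bool:
    """The CVE-2026-28318 trigger shape: a POST carrying Content-Encoding deflate.
    Header values are case-insensitive and may be a list ("gzip, deflate"),
    hence the tokenised, lower-cased comparison."""
    tokens = {t.strip().lower() for t in rec["encoding"].split(",")}
    return rec["method"] == "POST" and "deflate" in tokens


def find_deflate_posts(text: str = CONSTRUCTED_LOG) -> list[dict]:
    """All requests in the log that match the trigger shape."""
    return [r for r in parse_lines(text) if is_deflate_post(r)]


def summarize(hits: list[dict]) -> dict:
    """Who sent them and what happened: 403 means the proxy rule blocked the
    request; 502 means nginx got no usable answer from Serv-U, which is worth
    correlating with service crashes or restarts at that timestamp."""
    return {
        "sources": Counter(h["ip"] for h in hits),
        "statuses": Counter(h["status"] for h in hits),
        "reached_backend": [h for h in hits if h["status"] != "403"],
    }


if __name__ == "__main__":
    hits = find_deflate_posts()
    s = summarize(hits)
    print(f"{len(hits)} POST requests with Content-Encoding: deflate")
    print("by source:", dict(s["sources"]))
    print("by status:", dict(s["statuses"]))
    for h in s["reached_backend"]:
        print(f"  not blocked: {h['time']} {h['ip']} -> {h['status']}")
```

Requests that were answered with 403 show the compensating control working; anything else in the result list reached Serv-U, and those timestamps are the ones to line up against service restarts and the crash signatures in Serv-U’s own logs.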
CONCLUSIONS
CVE-2026-28318 is technically simple and operationally dangerous. One request, no credentials, service crashes. The fix is out — Serv-U 15.5.4 Hotfix 1, released June 4. CISA has confirmed active exploitation. Federal agencies have until June 19.
If Serv-U is in your infrastructure: patch now. If patching requires approval cycles, block POST requests with Content-Encoding: deflate today — it won’t break anything legitimate. Then patch.
