Description
SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update.
Published: 2026-06-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SolarWinds Serv-U is vulnerable to specially crafted POST requests that crash the service, leading to an unauthenticated denial of service. The issue is triggered when the request includes the header Content-Encoding: deflate, which the application processes without proper validation, resulting in a service outage for users relying on Serv-U.

Affected Systems

The vulnerability affects SolarWinds Serv-U; the advisory specifies that Serv-U 15.5.4 Hotfix 1 contains the fix, so any installation that has not applied this hotfix or a later update is potentially impacted. No other product variants are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely over the network by sending a crafted POST request with the deflate header, and authentication is not required, making the attack straightforward.

Generated by OpenCVE AI on June 4, 2026 at 15:22 UTC.

Remediation

Vendor Solution

Upgrade to SolarWinds Serv-U 15.5.4 Hotfix 1. Use the mitigation steps until the upgrade is possible.


Vendor Workaround

Block any POST requests containing 'Content-Encoding: deflate'. This function is not required for SolarWinds Serv-U.


OpenCVE Recommended Actions

  • Apply the Serv-U 15.5.4 Hotfix 1 update
  • Block any POST requests that contain the header 'Content-Encoding: deflate'
  • Monitor the service for crash events and verify that the mitigation is effective

Generated by OpenCVE AI on June 4, 2026 at 15:22 UTC.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update
Title | | SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability
Weaknesses | | CWE-400
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published:

Updated: 2026-06-04T15:12:33.510Z

Reserved: 2026-02-26T14:46:41.520Z

Link: CVE-2026-28318

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-04T15:16:50.407

Modified: 2026-06-04T15:35:18.623

Link: CVE-2026-28318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:30:17Z

Weaknesses