Description
SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update.
Published: 2026-06-04
Score: 7.5 High
EPSS: 10.7% Moderate
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

SolarWinds Serv-U is vulnerable to specially crafted POST requests that crash the service, leading to an unauthenticated denial of service. The issue is triggered when the request includes the header Content-Encoding: deflate, which the application processes without proper validation, resulting in a service outage for users relying on Serv-U.

Affected Systems

The vulnerability affects SolarWinds Serv-U; the advisory specifies that Serv-U 15.5.4 Hotfix 1 contains the fix, so any installation that has not applied this hotfix or a later update is potentially impacted. No other product variants are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, the EPSS score puts the probability of exploitation at roughly 11%, and the vulnerability is listed in the CISA KEV catalog. An attacker can exploit the flaw remotely over the network by sending a crafted POST request with the deflate header. Authentication is not required, which makes the attack straightforward.

Generated by OpenCVE AI on June 24, 2026 at 12:15 UTC.

Remediation

Vendor Solution

Upgrade to SolarWinds Serv-U 15.5.4 Hotfix 1. Use the mitigation steps until the upgrade is possible.


Vendor Workaround

Block any POST requests containing 'Content-Encoding: deflate'. This function is not required for SolarWinds Serv-U.


OpenCVE Recommended Actions

  • Apply the Serv-U 15.5.4 Hotfix 1 update
  • Block any POST requests that contain the header 'Content-Encoding: deflate'
  • Monitor the service for crash events and verify that the mitigation is effective



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-05T00:00:00+00:00', 'dueDate': '2026-06-19T00:00:00+00:00'}


Thu, 04 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*
cpe:2.3:a:solarwinds:serv-u:15.5.4:-:*:*:*:*:*:*

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Solarwinds
Solarwinds serv-u
Vendors & Products Solarwinds
Solarwinds serv-u

Thu, 04 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update
Title SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published:

Updated: 2026-06-06T03:55:57.072Z

Reserved: 2026-02-26T14:46:41.520Z

Link: CVE-2026-28318

Vulnrichment

Updated: 2026-06-04T15:10:26.345Z

NVD

Status : Analyzed

Published: 2026-06-04T15:16:50.407

Modified: 2026-06-05T19:32:38.510

Link: CVE-2026-28318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption