On June 5, 2026, CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation of a Denial of Service (DoS) flaw in SolarWinds Serv-U. A remote, unauthenticated attacker can crash the file transfer service by sending a POST request that carries a Content-Encoding: deflate header. US federal agencies must apply patches by June 19, 2026, to comply with Binding Operational Directive 22-01.
- CISA has added CVE-2026-28318 to the KEV catalog; federal agencies are required to remediate the flaw by June 19, 2026.
- The attack mechanism uses unauthenticated POST requests carrying a Content-Encoding: deflate header, triggering uncontrolled resource consumption and a crash of the Serv-U service.
- The CVSS v3.1 score is 7.5 (HIGH), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The impact is limited strictly to availability; confidentiality and integrity are not compromised.
- SolarWinds has released a patch. The CVE record indicates that mitigation steps are available in the SolarWinds Trust Center for organizations unable to update immediately.
A Single Header is Enough: How the Attack Works
The vulnerability lies in how Serv-U handles the Content-Encoding: deflate header in incoming POST requests. Classified as CWE-400 (Uncontrolled Resource Consumption), the flaw allows specially crafted requests to trigger abnormal resource usage that freezes the service.
The attack vector is entirely network-based and requires no authentication, user interaction, or prior privileges. The attack complexity is low, which significantly lowers the barrier for actors intending to disrupt file transfer operations. As documented in the CVSS score, the impact is limited to availability: the service simply stops responding.
This specific configuration—network-accessible, low complexity, no privileges, and high availability impact—explains why CISA has accelerated the federal remediation timeline. An enterprise file transfer service that can be crashed on remote command represents a critical operational weakness, particularly for environments managing B2B, healthcare, or financial data flows.
"SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication" — CISA Known Exploited Vulnerabilities Catalog
The Evidence Chain: From CVE to KEV
The CVE-2026-28318 record, published on cve.org, assigns a 7.5 HIGH severity score and specifies the full vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This level of technical granularity provides a solid foundation for risk assessment. The confirmed lack of impact on confidentiality and integrity (C:N, I:N) precisely defines the threat perimeter.
The convergence of the structured CVE record and the government KEV catalog is the core of this alert. CISA does not add vulnerabilities to the catalog without evidence of active exploitation; therefore, the inclusion of CVE-2026-28318 documents that the deflate mechanism has been observed in real-world operations, not just theoretical scenarios. SC World, which first reported the news on June 5, 2026, confirms this reading, describing the vulnerability as "recently patched" and the exploit as active.
Some details remain unknown. The CVE record does not list the specific affected versions of Serv-U, nor the exact release date of the SolarWinds patch. Furthermore, the volume of observed attacks, the presence of public proof-of-concept code, and attribution to specific threat actors are not available in current documentation. CISA marks the catalog entry's ransomware-campaign use as "Unknown," as it is not yet documented whether the vulnerability is being used as an initial access point for extortion campaigns or simply for operational sabotage.
The SolarWinds Context: A Recurring Pattern
The addition of CVE-2026-28318 to the KEV catalog is not an isolated incident within the SolarWinds portfolio. Contextual sources indicate that CISA has previously cataloged other vulnerabilities from the vendor, including CVE-2021-22054 in the Web Help Desk product. This recurrence raises questions regarding the overall security posture of the SolarWinds ecosystem, which remains under scrutiny following the 2020 SUNBURST supply chain incident.
However, the difference from SUNBURST is substantial: CVE-2026-28318 is a surface-level flaw rather than a deep-seated compromise. It does not breach the supply chain, install backdoors, or require months of persistence. Yet, its operational lethality is immediate: one malformed header and the service collapses. This profile—low sophistication combined with high availability impact—is exactly what enterprise defenses often underestimate while focusing on more complex threats.
Recent history shows that SolarWinds continues to generate KEV catalog entries with concerning frequency. The proximity of various CVE additions (March 2026 for other entries, June 2026 for Serv-U) suggests an exposure rhythm that the vendor has yet to stabilize. While the available data does not establish a common cause, the pattern remains a fact for those conducting vendor risk assessments.
Remediation Steps
- Verify the patch status of all production SolarWinds Serv-U instances, prioritizing services exposed on the network perimeter or accessible from untrusted networks.
- Apply the update released by SolarWinds immediately; CISA explicitly recommends that the private sector act with the same urgency as federal agencies.
- If an immediate update is not feasible, consult the SolarWinds Trust Center for the mitigation steps documented in the CVE record, which provide alternative countermeasures.
- Monitor logs for anomalous POST requests containing the Content-Encoding: deflate header directed at Serv-U endpoints, flagging repeated patterns from unauthenticated sources.
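The monitoring step above, as an added example that is not SolarWinds or CISA code: it scans constructed access-log lines for unauthenticated POSTs carrying Content-Encoding: deflate and reports sources that repeat the pattern. The log format is an assumption (a reverse proxy in front of Serv-U that records the request's Content-Encoding header and the authenticated user, if any); real Serv-U or proxy logs need their own parser.

```python
"""Flag unauthenticated POSTs with Content-Encoding: deflate and count repeats per source.

Added example, not SolarWinds or CISA code. The line format below is assumed
(proxy log recording the Content-Encoding request header and auth state).
"""
import re
from collections import Counter

# Assumed line format: <timestamp> <src_ip> <method> <path> ce=<encoding|-> auth=<user|->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"ce=(?P<ce>\S+) auth=(?P<auth>\S+)$"
)

# Constructed sample log: one source repeats the pattern, others are benign or one-offs.
SAMPLE_LOG = """\
2026-06-05T09:58:10Z 198.51.100.4 POST /upload ce=gzip auth=alice
2026-06-05T09:58:12Z 203.0.113.7 POST /upload ce=deflate auth=-
2026-06-05T09:58:13Z 203.0.113.7 POST /upload ce=DEFLATE auth=-
2026-06-05T09:58:14Z 203.0.113.9 POST /files ce=deflate auth=-
2026-06-05T09:58:15Z 198.51.100.4 POST /upload ce=deflate auth=alice
2026-06-05T09:58:16Z 203.0.113.7 GET /status ce=- auth=-
garbage line that does not parse
2026-06-05T09:58:17Z 203.0.113.7 POST /upload ce=deflate auth=-
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_deflate_post(rec):
    """Content-coding names are case-insensitive, so normalise before comparing."""
    return rec["method"] == "POST" and rec["ce"].lower() == "deflate"

def scan(lines, threshold=3):
    """Return (unauth deflate-POST count per source IP, sources at or above threshold)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_deflate_post(rec):
            continue            # unparseable or unrelated lines are skipped, not fatal
        if rec["auth"] == "-":  # unauthenticated, the case the advisory singles out
            hits[rec["ip"]] += 1
    repeat_sources = sorted(ip for ip, n in hits.items() if n >= threshold)
    return hits, repeat_sources
```

Run `scan(SAMPLE_LOG.splitlines())` to get per-source counts and the list of repeat sources; the threshold is a tuning knob, and authenticated deflate uploads (such as alice's) are deliberately left out of the count so legitimate clients are not flagged.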
Why Vector Simplicity is the Real Problem
The most alarming aspect of this vulnerability is not its sophistication, but the lack thereof. A standard HTTP header, used legitimately in millions of applications, is here transformed into a lever to shut down an enterprise service. This weaponization of an ordinary protocol makes CVE-2026-28318 particularly insidious for perimeter defenses.
Infrastructures that rely on Serv-U for regulated transfers—such as healthcare data, financial flows, or critical B2B exchanges—cannot tolerate unscheduled downtime. The primary risk is not data theft, but the disruption of operational continuity at uncontrolled moments. By imposing a federal deadline just three weeks after the alert, CISA has acknowledged this temporal fragility.
For the private sector, the June 19, 2026, deadline serves as a benchmark, not a suggestion. CISA’s recommendation to "apply mitigations or discontinue use" if a patch is unavailable underscores the perceived severity. The decision to maintain, replace, or isolate Serv-U must be made with this perspective in mind.
Frequently Asked Questions
- Does this vulnerability allow for data theft or code execution?
- No. CVSS v3.1 documents zero impact on confidentiality and integrity (C:N, I:N); the only effect is service termination, impacting availability (A:H).
- Is authentication required to exploit the flaw?
- No. The PR:N (Privileges Required: None) vector in the CVSS score and the CISA description confirm the attack works without authentication.
- Was the vulnerability discovered on June 19, 2026?
- No. That date is the BOD 22-01 deadline imposed by CISA for federal agencies to apply the patch. The exact discovery date and the date it was added to the KEV catalog are not specified in the available sources.
Sources
- https://www.scworld.com/brief/hackers-actively-exploit-solarwinds-serv-u-flaw-to-crash-servers-cisa-warns
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://thehackernews.com/2026/03/cisa-flags-solarwinds-ivanti-and.html
- https://nvd.nist.gov/general/news/cisa-exploit-catalog
- https://www.cve.org/CVERecord?id=CVE-2026-28318
- https://www.cve.org/CVERecord?id=CVE-2021-22054
- https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://thehackernews.com/