Unauthenticated DoS in SolarWinds Serv‑U (CVE‑2026‑28318) Added to CISA KEV Catalog – Service Disruption Risk
What It Is – A remote, unauthenticated denial‑of‑service (DoS) flaw in SolarWinds Serv‑U (CVE‑2026‑28318) allows an attacker to crash the file‑transfer service by sending a crafted HTTP POST request with a Content‑Encoding: deflate header.
Exploitability – The vulnerability is publicly known, listed in the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog, and has a CVSS v3.1 score of 7.5 (High). No public exploit code is required; the attack works without credentials.
Affected Products – SolarWinds Serv‑U 15.5.4 and earlier versions. The issue is mitigated in Serv‑U 15.5.4 HF1 and later.
TPRM Impact –
- Disruption of managed file‑transfer services can halt critical data flows between your organization and third‑party vendors.
- Service‑level‑agreement (SLA) breaches may arise, exposing you to contractual penalties and reputational damage.
- Federal agencies must remediate by 19 June 2026; non‑compliant suppliers could be deemed high‑risk in supply‑chain assessments.
Recommended Actions –
- Verify Serv‑U version across all third‑party and internal deployments.
- Deploy the SolarWinds Serv‑U 15.5.4 HF1 (or later) patch immediately.
- If patching cannot be completed, enable the mitigation controls documented in the SolarWinds Trust Center (e.g., request size limits, header validation).
- Update your asset inventory and risk registers to flag any vendor still running vulnerable versions.
- Conduct network monitoring for anomalous POST requests with Content‑Encoding: deflate.
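As an added illustration of the monitoring step above (example code written for this note, not from SolarWinds or the advisory), the following Python flags POST requests whose Content-Encoding header lists deflate in raw request captures from a reverse proxy or IDS, and counts hits per source so repeat senders surface first. The sample captures, the host name mft.example and the RFC 5737 test addresses are constructed for the example.

```python
"""Flag HTTP POST requests carrying a Content-Encoding: deflate header.
Input: raw request heads as a reverse proxy or IDS would capture them."""
from collections import Counter

# Constructed sample captures: (source IP, raw request head). RFC 5737 test addresses.
SAMPLE_CAPTURES = [
    ("198.51.100.10", "GET /Web%20Client/ HTTP/1.1\r\nHost: mft.example\r\n\r\n"),
    ("198.51.100.11", "POST /api/upload HTTP/1.1\r\nHost: mft.example\r\n"
     "Content-Encoding: gzip\r\nContent-Length: 12\r\n\r\n"),
    ("203.0.113.7", "POST /api/upload HTTP/1.1\r\nHost: mft.example\r\n"
     "Content-Encoding: deflate\r\nContent-Length: 4\r\n\r\n"),
    ("203.0.113.7", "POST / HTTP/1.1\r\nHost: mft.example\r\n"
     "content-encoding: DEFLATE\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.9", "POST /login HTTP/1.1\r\nHost: mft.example\r\n"
     "Content-Encoding: gzip, deflate\r\nContent-Length: 2\r\n\r\n"),
]

def parse_request(raw):
    """Return (method, target, headers); header names are lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    method, target = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines rather than crash the detector
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def is_deflate_post(method, headers):
    """Content-Encoding may list several codings; match deflate in any position."""
    codings = [c.strip().lower() for c in headers.get("content-encoding", "").split(",")]
    return method == "POST" and "deflate" in codings

def find_deflate_posts(captures):
    """Return [(source IP, request target)] for each matching request."""
    hits = []
    for src, raw in captures:
        method, target, headers = parse_request(raw)
        if is_deflate_post(method, headers):
            hits.append((src, target))
    return hits

def count_by_source(captures):
    """Per-source hit counts; repeat senders are the ones to triage first."""
    return Counter(src for src, _ in find_deflate_posts(captures))
```

Feed `find_deflate_posts` the request heads your proxy or sensor records for the Serv-U listener; header-name case and multi-coding values such as `gzip, deflate` are handled, so a match list that is suddenly non-empty is the signal to triage.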