CVE-2026-28318 PUBLISHED

SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability

Assigner: SolarWinds
Reserved: 26.02.2026 Published: 04.06.2026 Updated: 04.06.2026

SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SolarWinds
Product	Serv-U
Versions	Default: unaffected Version 15.5.4 and previous versions is affected

Workarounds

Block any POST requests containing 'Content-Encoding: deflate'. This function is not required for SolarWinds Serv-U.

Solutions

Upgrade to SolarWinds Serv-U 15.5.4 Hotfix 1. Use the mitigation steps until the upgrade is possible.

CVE-2026-28318 PUBLISHED

SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability

Metrics

Product Status

Workarounds

Solutions

References

Problem Types

Impacts