CVE-2026-28318 – SolarWinds Serv-U

CVSS 7.5 IMPORTANT Critical or Zero Day – Immediate Deployment

“A simple network request should never be able to take down a critical file transfer service.”

SolarWinds patched CVE-2026-28318 in Serv-U. This vulnerability allows an unauthenticated attacker to send specially crafted POST requests using Content-Encoding: deflate that can crash the Serv-U service, resulting in a denial-of-service condition. The CVSS score is 7.5, which is High severity.

This issue does not require authentication or user interaction to exploit. Active exploitation has been reported. SolarWinds has provided mitigation guidance for customers who cannot immediately deploy the update.

Key Details

Affected Product
Solarwinds Serv-u
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-400
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.