CVE-2026-28318 is a denial-of-service vulnerability in SolarWinds Serv-U that can be triggered by unauthenticated attackers sending specially crafted POST requests with a 'Content-Encoding: deflate' header, causing the Serv-U service to crash. SolarWinds released Serv-U 15.5.4 Hotfix 1 to address this issue, preventing the crash condition. The vulnerability affects versions prior to 15.5.4 Hotfix 1, including some end-of-life versions. CISA has included this vulnerability in its Known Exploited Vulnerabilities catalog and mandated patching for federal agencies. The vendor provides detailed installation and rollback instructions for the hotfix. The vulnerability's CVSS score is 7.5, indicating a medium severity level.

Successful exploitation results in a denial-of-service condition by crashing the Serv-U service, disrupting file transfer operations. No authentication is required to exploit the vulnerability. There is no evidence of privilege escalation, data compromise, or remote code execution. The impact is limited to service availability degradation. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active threat awareness, though no confirmed zero-day exploitation details are publicly available.

SolarWinds has released Serv-U 15.5.4 Hotfix 1 to fix this vulnerability. All users, including those who recently upgraded to Serv-U 15.5.4, should apply this hotfix immediately. Users running end-of-life versions (15.4.2, 15.5, 15.5.1) are advised to upgrade to a supported release as soon as possible. CISA mandates federal agencies to patch by June 19, 2026. The vendor advisory includes detailed instructions for installing and removing the hotfix if necessary. Organizations should follow SolarWinds' official guidance to remediate this issue promptly.