CVE-2026-28318
SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability
Published: Jun 4, 2026Updated: Jun 5, 2026 Sources: CVE List NVD
7.5CVSS
HIGHSolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update
EPSS Score
6.3%
Top 8.9%
CISA KEV
Active Exploitation
Since Jun 5, 2026
Exploits
No Known Exploits
Remediation
Patch Available
CVSS Vector Breakdown
Exploitability
AV:NAttack VectorNetwork
AC:LAttack ComplexityLow
PR:NPrivileges RequiredNone
UI:NUser InteractionNone
Scope
S:UScopeUnchanged
Impact
C:NConfidentialityNone
I:NIntegrityNone
A:HAvailabilityHigh
Weaknesses
Affected Products
Attack Graph
Products CVE Techniques Tactics
Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.
Exploitability
CISA Known Exploited Vulnerability
Added to KEV:Jun 5, 2026
Remediation due:Jun 19, 2026
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Official Patch Available
Workaround Available
MITRE ATT&CK
1 technique Impact
References
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4-hotfix-1_release_notes.htm
documentation.solarwinds.com
https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28318
solarwinds.com
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-28318
cisa.gov
Timeline
Published
Jun 4, 2026
Added to CISA KEV
Jun 5, 2026
Last Updated
Jun 5, 2026
News mentions
7- 8th June – Threat Intelligence Reporten-us·Check Point Research·
- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and Moreen·The Hacker News· Summary only·
- SolarWinds Serv-U Vulnerability Exploited in the Wilden-us·SecurityWeek· Summary only·
- Weekly Threat Intelligence: June 1 to June 7, 2026en-us·Daily CyberSecurity (securityonline.info)· Summary only·
- CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalogen·The Hacker News· Summary only·
- CISA Warns of Actively Exploited SolarWinds Serv-U Flawen-us·Daily CyberSecurity (securityonline.info)· Summary only·
- CISA: Hackers now exploit SolarWinds Serv-U flaw to crash serversen-us·BleepingComputer· Summary only·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-28318 and every CVE in our database. Create a free account — no credit card required.
Create Free AccountPlain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows