CVE-2026-28318

Analyzed
Published: 04 Jun 2026, 14:05
Last modified: 06 Jun 2026, 03:55

Vulnerability Summary

  • Overall Risk (default): medium, 31/100
  • CVSS Score: 7.5 HIGH, v3.1 (cve.org)
  • EPSS Score: 5.32% LOW, 5% probability, +5.26%
  • KEV: Listed (CISA, 1 listing)
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 04 Jun 2026, 14:05: Published. Vulnerability first disclosed.
  • 05 Jun 2026, 00:00: Added to CISA KEV. SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability.
  • 06 Jun 2026, 03:55: Last Modified. Vulnerability information updated.
  • 19 Jun 2026, 00:00: CISA Remediation Due. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

SolarWinds Serv-U is susceptible to specially crafted POST requests using Content-Encoding: deflate that crash the Serv-U service without authentication. If you are unable to deploy the update, mitigation steps to secure customer environments are provided in the SolarWinds Trust Center.

CVSS Metrics

  • v3.1 | HIGH | Score: 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 5.32% | Percentile: 90%

Techniques & Countermeasures

  • CWE-400: Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

  • solarwinds serv-u

    < 15.5.4 | 15.5.4 | 15.5.4 and previous versions

References (3)