[KEV] CVE-2026-28318 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-28318 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-28318 is an uncontrolled resource consumption vulnerability in SolarWinds Serv-U, a widely deployed managed file transfer and FTP server product, that allows unauthenticated remote attackers to crash the service via a specially crafted HTTP POST request.
Technical Detail
The flaw exists in how SolarWinds Serv-U processes HTTP POST requests that include the Content-Encoding: deflate header. An unauthenticated attacker can send a specially crafted request that causes the Serv-U service to consume uncontrolled resources and crash, resulting in a denial of service condition. No authentication or prior access is required to trigger the crash, making this trivially exploitable against any network-accessible Serv-U instance.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 5, 2026. The exploit maturity is rated Operational, meaning functional exploit code exists and is being used in real-world attacks, not merely as a proof of concept. Organizations running exposed Serv-U instances should treat this as actively targeted.
Who Is Targeting This
No specific threat actor attribution is available at this time; no confirmed or reported threat actor associations have been established for this vulnerability based on currently available data.
What To Do
Per CISA's Binding Operational Directive 22-01, which governs the Known Exploited Vulnerabilities catalog, federal agencies are required to apply vendor-provided patches or mitigations by the due date specified in the KEV catalog entry added on June 5, 2026. All organizations running SolarWinds Serv-U should apply the latest available patch from SolarWinds immediately. As an interim workaround, restrict network access to the Serv-U management and file transfer interfaces using firewall rules or network segmentation so that only trusted IP ranges can reach them. Detection teams should monitor for anomalous POST requests carrying Content-Encoding: deflate headers directed at Serv-U endpoints, as well as unexpected Serv-U service crashes or restarts, which may indicate active exploitation attempts.
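A small detection pass over constructed log records, added here as an example and not part of the original briefing: it flags POST requests whose Content-Encoding header contains deflate (matched case-insensitively), counts them per source, and correlates unexpected Serv-U service stops with such requests seen shortly before. The JSON-lines format, the field names and the 60-second correlation window are assumptions for the example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample events, NOT from a real deployment: JSON-lines records from a
# hypothetical reverse proxy in front of Serv-U plus service-manager events.
SAMPLE_EVENTS = """\
{"ts":"2026-06-05T10:00:01Z","type":"http","src":"203.0.113.7","method":"POST","path":"/","headers":{"Content-Encoding":"deflate","Content-Length":"12"}}
{"ts":"2026-06-05T10:00:02Z","type":"http","src":"203.0.113.7","method":"POST","path":"/","headers":{"content-encoding":"Deflate"}}
{"ts":"2026-06-05T10:00:05Z","type":"http","src":"198.51.100.20","method":"GET","path":"/Login","headers":{}}
{"ts":"2026-06-05T10:00:09Z","type":"service","name":"Serv-U","event":"stopped","reason":"unexpected"}
{"ts":"2026-06-05T10:00:30Z","type":"service","name":"Serv-U","event":"started"}
{"ts":"2026-06-05T10:05:00Z","type":"http","src":"198.51.100.20","method":"POST","path":"/Upload","headers":{"Content-Type":"multipart/form-data"}}
"""

CRASH_WINDOW_S = 60  # assumed window: how far back to look for suspect POSTs before a crash

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def is_deflate_post(ev):
    """True for an HTTP POST carrying a Content-Encoding header that mentions deflate.
    Header names and values are compared case-insensitively so variants such as
    'content-encoding: Deflate' are not missed."""
    if ev.get("type") != "http" or ev.get("method", "").upper() != "POST":
        return False
    headers = {k.lower(): str(v).lower() for k, v in ev.get("headers", {}).items()}
    return "deflate" in headers.get("content-encoding", "")

def analyze(jsonl):
    """Return suspect POST counts per source and unexpected Serv-U stops with the
    sources that sent a suspect POST within CRASH_WINDOW_S seconds beforehand."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    suspects = [ev for ev in events if is_deflate_post(ev)]
    per_source = Counter(ev["src"] for ev in suspects)
    crashes = [ev for ev in events
               if ev.get("type") == "service" and ev.get("name") == "Serv-U"
               and ev.get("event") == "stopped" and ev.get("reason") == "unexpected"]
    correlated = []
    for crash in crashes:
        t_crash = parse_ts(crash["ts"])
        srcs = sorted({ev["src"] for ev in suspects
                       if 0 <= (t_crash - parse_ts(ev["ts"])).total_seconds() <= CRASH_WINDOW_S})
        correlated.append((crash["ts"], srcs))
    return {"per_source": dict(per_source), "crash_correlations": correlated}

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for src, n in result["per_source"].items():
        print(f"ALERT: {n} POST(s) with Content-Encoding deflate from {src}")
    for ts, srcs in result["crash_correlations"]:
        print(f"ALERT: unexpected Serv-U stop at {ts}; preceding deflate POSTs from {srcs or 'none'}")
```

In a real deployment the same two signals would be fed from whatever proxy, WAF or endpoint logs sit in front of Serv-U and from the host's service event log.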