This is a fire alarm pull-station on the loading dock, not a master key to the whole building
CVE-2026-28318 is an unauthenticated denial-of-service issue in SolarWinds Serv-U where a specially crafted HTTP POST request using a malformed or abusive Content-Encoding path can crash the Serv-U service. Based on the vendor title and CVSS, the impact is availability loss rather than code execution or data theft. Publicly indexed sources at assessment time did not expose a complete vendor advisory page or fixed-version statement for this exact CVE, so the precise affected build range is still incomplete; operationally, defenders should assume exposed Serv-U HTTP/HTTPS endpoints on supported branches are in scope until SolarWinds says otherwise.
The vendor's HIGH 7.5 rating is broadly fair. The strongest real-world amplifier is that Serv-U is commonly deployed as an external file-transfer gateway, so an unauthenticated network bug can be reached from the internet. The strongest downward pressure is that this is *only* a crash path: no confidentiality or integrity loss is claimed, and many deployments will auto-restart the service or place it behind a reverse proxy that limits repeat abuse. That keeps this out of CRITICAL, but it is still more urgent than backlog hygiene.
4 steps from start to impact.
Reach the Serv-U web listener with curl or Burp Repeater
curl, Burp Repeater, or a custom Python script is sufficient because the issue is described as an unauthenticated crafted POST request rather than a complex protocol chain.
- Serv-U HTTP/HTTPS service is enabled
- Attacker can reach the listener over the network
- The vulnerable request path is exposed before authentication
- FTP/SFTP-only deployments may not expose the vulnerable HTTP path at all
- Reverse proxies, WAFs, or IP allowlists can remove internet reachability
- Some shops publish Serv-U only through a gateway or partner VPN
Send the malformed POST with abusive Content-Encoding handling
- The request reaches Serv-U rather than being normalized by an upstream proxy
- The vulnerable parser path is still present in the installed build
- Upstream proxies may reject malformed encodings or body shapes before Serv-U sees them
- Request size limits and decompression limits can break the exploit path
- No public PoC was located during this assessment, so some reverse engineering effort may still be required
POST traffic with unusual Content-Encoding values; vulnerability scanners are unlikely to prove exploitability safely because the success condition is a crash.
Crash the Serv-U process and interrupt transfers
- The malformed request reaches the vulnerable code path
- Service recovery does not immediately hide the effect
- Windows Service Recovery or `systemd` may restart the process quickly
- Load balancers or clustered designs can mask a single-node crash
- Short outages may be operationally painful but not catastrophic
`systemd`/journal entries for repeated Serv-U crashes.
Loop the request for sustained outage
- The target is single-instance or weakly redundant
- The attacker can continue sending traffic after restarts
- Rate limiting, connection blocking, and upstream ACL changes can break the loop quickly
- Blue teams usually notice repeated service crashes faster than stealthy data theft
- Blast radius is availability of the transfer service, not domain-wide compromise
POST attempts, and service-health monitoring should correlate them with restarts or 5xx spikes.
The supporting signals.
| Signal | Assessment |
|---|---|
| In-the-wild status | No confirmed exploitation found in public sources reviewed as of 2026-06-04. |
| KEV status | Not listed in CISA KEV at assessment time. |
| PoC availability | No public exploit repo, Metasploit module, or Nuclei template for CVE-2026-28318 was found in current searches; weaponization likely remains trivial once the trigger request is understood. |
| EPSS | No public FIRST EPSS result was located for this CVE during assessment; treat EPSS as unavailable / too new to rely on, not as evidence of safety. |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H — *unauthenticated remote, low complexity, availability-only*. |
| Affected surface | Practically relevant only where the Serv-U HTTP/HTTPS path is reachable; FTP/SFTP-only exposure is a material friction point. |
| Affected versions | Publicly indexed sources did not provide a trustworthy affected-version range for this exact CVE on 2026-06-04; assume exposed supported Serv-U builds may be affected until SolarWinds publishes the advisory. |
| Fixed versions | No authoritative fixed version for this exact CVE was found in indexed SolarWinds release notes at assessment time. |
| Exposure data | Serv-U has a real internet footprint: BleepingComputer reported over 12,000 internet-exposed Serv-U servers in Shodan for earlier 2026 Serv-U coverage, though Shadowserver estimated a much smaller vulnerable subset. |
| Disclosure | User-provided disclosure date is 2026-06-04; public indexing for this exact CVE appears incomplete, which lowers confidence in version metadata but not in the availability-risk pattern. |
noisgate verdict.
The decisive factor is attacker position: this is an unauthenticated network bug in a product that is often deliberately exposed for partner and customer file exchange. I kept it at HIGH because disruption of an internet-facing MFT gateway has real business impact, but availability-only impact and likely service auto-recovery keep it below CRITICAL.
Why this verdict
- Unauthenticated remote reachability: `PR:N` and `UI:N` matter here; if your Serv-U web endpoint is internet-facing, this is pre-auth and directly reachable from outside.
- Common exposure pattern: Serv-U is a managed file transfer product, and those are routinely published externally for partner workflows; that keeps the vendor baseline mostly honest instead of theoretical.
- Availability-only impact pulls down: the chain ends in service crash, not code execution, credential theft, or data exposure, so I trimmed the score below the vendor's 7.5.
- Web-path requirement narrows population: this appears tied to crafted HTTP `POST` handling, which is less universal than 'any network protocol on Serv-U' and excludes some FTP/SFTP-only deployments.
- Modern controls can break the loop: reverse proxies, WAF normalization, IP allowlists, and service auto-restart materially reduce dwell and repeatability even when the core bug exists.
Why not higher?
This is not a host-compromise primitive. There is no evidence in the reviewed material of confidentiality or integrity impact, and no sign that successful exploitation crosses the boundary from *service outage* to *system takeover*. Also, real deployments frequently have recovery controls that turn a crash into a short interruption rather than a prolonged incident.
Why not lower?
The bug is still unauthenticated, remotely reachable, and low complexity on a product that organizations often place at the internet edge. Even without code execution, knocking over a transfer gateway can interrupt customer deliveries, EDI, legal transfers, and nightly automated jobs; that is too operationally relevant for MEDIUM backlog treatment.
What to do — in priority order.
- Restrict web exposure — Place Serv-U HTTP/HTTPS behind IP allowlists, VPN, or partner-specific ACLs wherever possible. This directly removes the unauthenticated attacker position that drives the HIGH verdict; deploy within 30 days if you cannot patch immediately.
- Enforce proxy request normalization — Terminate HTTP(S) on a reverse proxy or WAF that rejects malformed or unexpected `Content-Encoding` and oversized `POST` bodies before they hit Serv-U. For a HIGH verdict, deploy within 30 days as the most practical temporary shield.
- Turn on service recovery and health alerting — Configure automatic restart and alert on Serv-U service exits, crash loops, and 5xx spikes so a single crash does not become a silent overnight outage. This reduces operational blast radius and should be in place within 30 days.
- Rate-limit abusive POST traffic — Apply per-source rate limits and connection thresholds on the fronting proxy or firewall for the Serv-U web path. Repeated crash attempts usually need request replay; limiting cadence raises attacker cost and should be deployed within 30 days.
- Segment the transfer tier — Keep Serv-U in a tightly controlled DMZ or published-service segment so an outage stays isolated to the transfer service and does not cascade into adjacent systems. This is standard hardening for MFT and should be completed within 30 days for exposed instances.
- MFA does not help because the described crash path is unauthenticated.
- EDR alone does not prevent the bug; it may log the crash, but it usually will not block malformed application-layer requests before impact.
- TLS encryption does not mitigate this; HTTPS protects transport confidentiality, not malformed request handling inside the application.
- Backup jobs do not reduce exploitability; they help recovery from broader incidents, not live service interruption from repeated request-based crashes.
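Detection logic of the kind the step notes and the health-alerting recommendation above describe, as an added example that is not part of the original page: it scans constructed reverse-proxy access log lines for POSTs carrying unexpected request Content-Encoding values and correlates each source with 5xx responses and Serv-U service-stop events inside a short window. The log layout, paths, addresses and event wording are assumptions, not Serv-U's own formats.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample of a reverse-proxy access log fronting Serv-U (not real traffic).
# Fields: timestamp  client  method  path  status  request Content-Encoding ("-" = absent)
PROXY_LOG = """\
2026-06-04T02:14:01Z 203.0.113.7  POST /servu/login  200 -
2026-06-04T02:14:02Z 203.0.113.7  POST /servu/login  502 gzip,gzip,gzip,gzip,gzip
2026-06-04T02:14:03Z 203.0.113.7  POST /servu/login  502 x-bogus
2026-06-04T02:14:04Z 198.51.100.9 GET  /servu/       200 -
2026-06-04T02:14:09Z 203.0.113.7  POST /servu/login  503 deflate,gzip,deflate,gzip,deflate
2026-06-04T02:14:10Z 198.51.100.9 POST /servu/upload 200 gzip
"""
# Constructed service-health events (wording modelled on Windows SCM / systemd messages).
SERVICE_EVENTS = """\
2026-06-04T02:14:03Z Serv-U service entered the stopped state
2026-06-04T02:14:08Z Serv-U service entered the running state
"""
ALLOWED_ENCODINGS = {"identity", "gzip", "deflate", "br"}
LINE_RE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def suspicious_encoding(value):
    # Unknown tokens or more than two layered encodings are unusual for a browser/client;
    # an absent header ("-") is the normal case and is never flagged.
    if value == "-":
        return False
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return len(tokens) > 2 or any(t not in ALLOWED_ENCODINGS for t in tokens)

def correlate(proxy_log, service_events, window=timedelta(seconds=10), min_hits=2):
    # Return {client: summary} for clients with >= min_hits suspicious POSTs, counting
    # 5xx answers they received and distinct service-stop events within `window` after them.
    stops = [parse_ts(l.split()[0]) for l in service_events.splitlines() if "stopped" in l]
    per_client, matched = {}, {}
    for m in filter(None, map(LINE_RE.match, proxy_log.splitlines())):
        ts, client, method, _path, status, enc = m.groups()
        if method != "POST" or not suspicious_encoding(enc):
            continue
        t = parse_ts(ts)
        c = per_client.setdefault(client, {"suspicious_posts": 0, "5xx": 0, "service_stops": 0})
        c["suspicious_posts"] += 1
        c["5xx"] += int(status.startswith("5"))
        hit = matched.setdefault(client, set())
        hit.update(s for s in stops if t <= s <= t + window)
        c["service_stops"] = len(hit)
    return {k: v for k, v in per_client.items() if v["suspicious_posts"] >= min_hits}
```

A client that appears here with both 5xx responses and a following service stop is the pattern worth paging on; a benign upload with a single `gzip` encoding is never flagged.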
Crowdsourced verification payload.
Run this on the Serv-U host itself or from your software inventory collector with local filesystem access. Invoke it as `python servu_check.py --fixed-version 15.5.5` once SolarWinds publishes the patched build; without `--fixed-version`, the script reports the discovered version and returns UNKNOWN. No admin rights are usually needed for version discovery, but elevated rights may help on locked-down Windows servers.
```python
#!/usr/bin/env python3
# servu_check.py
# Detect SolarWinds Serv-U version on Windows/Linux and compare to a known fixed version.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=ERROR
import argparse
import os
import platform
import re
import subprocess
import sys
from pathlib import Path

# Default install locations for the Serv-U daemon binary.
WINDOWS_PATHS = [
    Path(r"C:\Program Files\RhinoSoft\Serv-U\ServUDaemon.exe"),
    Path(r"C:\Program Files\SolarWinds\Serv-U\ServUDaemon.exe"),
    Path(r"C:\Program Files (x86)\RhinoSoft\Serv-U\ServUDaemon.exe"),
    Path(r"C:\Program Files (x86)\SolarWinds\Serv-U\ServUDaemon.exe"),
]
LINUX_PATHS = [
    Path("/usr/local/Serv-U/ServUDaemon"),
    Path("/opt/Serv-U/ServUDaemon"),
    Path("/usr/local/Serv-U/Serv-U"),
    Path("/opt/Serv-U/Serv-U"),
]


def normalize(ver):
    # Turn "15.5.4.123" into (15, 5, 4, 123); None/empty input yields None.
    if not ver:
        return None
    nums = re.findall(r"\d+", ver)
    return tuple(int(x) for x in nums)


def compare_versions(a, b):
    # returns -1 if a<b, 0 if a==b, 1 if a>b (shorter tuples are padded with zeros)
    aa = list(a)
    bb = list(b)
    length = max(len(aa), len(bb))
    aa.extend([0] * (length - len(aa)))
    bb.extend([0] * (length - len(bb)))
    if aa < bb:
        return -1
    if aa > bb:
        return 1
    return 0


def get_windows_file_version(path):
    # Read the PE ProductVersion via PowerShell; no admin rights required for a readable file.
    ps = rf"""
$path = '{str(path).replace("'", "''")}'
if (Test-Path $path) {{
    (Get-Item $path).VersionInfo.ProductVersion
}}
"""
    try:
        out = subprocess.check_output([
            "powershell",
            "-NoProfile",
            "-NonInteractive",
            "-Command",
            ps,
        ], stderr=subprocess.DEVNULL, text=True, timeout=15)
        ver = out.strip()
        return ver or None
    except Exception:
        return None


def get_linux_binary_version(path):
    # Try the common version flags and pull the first dotted version string from the output.
    for args in ([str(path), "--version"], [str(path), "-version"], [str(path), "-v"]):
        try:
            out = subprocess.check_output(args, stderr=subprocess.STDOUT, text=True, timeout=10)
            m = re.search(r"(\d+\.\d+(?:\.\d+){0,3})", out)
            if m:
                return m.group(1)
        except Exception:
            pass
    return None


def find_servu():
    system = platform.system().lower()
    candidates = WINDOWS_PATHS if system == "windows" else LINUX_PATHS
    for p in candidates:
        if p.exists():
            return p
    return None


def detect_version(path):
    if not path:
        return None
    system = platform.system().lower()
    if system == "windows":
        return get_windows_file_version(path)
    return get_linux_binary_version(path)


def main():
    parser = argparse.ArgumentParser(description="Check SolarWinds Serv-U version against a fixed version")
    parser.add_argument("--fixed-version", help="Known fixed version from SolarWinds advisory, e.g. 15.5.5")
    args = parser.parse_args()
    path = find_servu()
    if not path:
        print("UNKNOWN - Serv-U binary not found in standard paths")
        sys.exit(2)
    ver = detect_version(path)
    if not ver:
        print(f"UNKNOWN - Serv-U found at {path} but version could not be determined")
        sys.exit(2)
    fixed = normalize(args.fixed_version) if args.fixed_version else None
    cur = normalize(ver)
    if not cur:
        print(f"UNKNOWN - discovered version string '{ver}' is not parseable")
        sys.exit(2)
    if not fixed:
        print(f"UNKNOWN - discovered Serv-U version {ver} at {path}; supply --fixed-version from SolarWinds advisory")
        sys.exit(2)
    cmp_result = compare_versions(cur, fixed)
    if cmp_result < 0:
        print(f"VULNERABLE - installed Serv-U {ver} is older than fixed version {args.fixed_version}")
        sys.exit(1)
    else:
        print(f"PATCHED - installed Serv-U {ver} is at or newer than fixed version {args.fixed_version}")
        sys.exit(0)


if __name__ == "__main__":
    try:
        main()
    except Exception as e:
        print(f"UNKNOWN - error: {e}")
        sys.exit(3)
```
If you remember one thing.
POST traffic as active attack indicators.
Sources
- SolarWinds Serv-U documentation
- SolarWinds Serv-U 15.5.4 release notes
- SolarWinds Serv-U 15.5.4 system requirements
- SolarWinds Serv-U Gateway documentation
- CISA Known Exploited Vulnerabilities catalog
- FIRST EPSS API documentation
- BleepingComputer Serv-U exposure context
- Censys advisory for prior internet-exposed Serv-U hunting context