
CVE-2026-28318: SolarWinds Serv-U DoS — Detection and Hardening Guide

Security Arsenal Team
June 7, 2026
5 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318, a high-severity denial-of-service (DoS) vulnerability impacting SolarWinds Serv-U, to its Known Exploited Vulnerabilities (KEV) catalog. This addition signals active exploitation in the wild, transforming a theoretical availability risk into an immediate operational threat.

For organizations relying on Serv-U for secure file transfers, this is not a drill. A successful exploit crashes the Serv-U service entirely, disrupting MFT (Managed File Transfer) workflows and potentially halting critical business operations that depend on FTP, SFTP, or HTTP file transfers. Given the active exploitation status, we recommend treating this with the same urgency as a remote code execution (RCE) flaw.

Technical Analysis

  • CVE Identifier: CVE-2026-28318
  • CVSS Score: 7.5 (High)
  • Affected Component: SolarWinds Serv-U Multi-Protocol File Server
  • Vulnerability Type: Denial-of-Service (DoS)
  • Impact: Service Crash / Unavailability

The Mechanics of the Flaw

CVE-2026-28318 stems from improper input validation in the network request handling module of the Serv-U server. By sending a specially crafted sequence of packets, likely targeting the FTP or HTTP interface, an unauthenticated attacker can trigger a race condition or buffer overflow logic that forces the underlying Serv-U.exe process or daemon to terminate.

Unlike authentication bypasses, this DoS vector requires no credentials. If the Serv-U management interface or file transfer ports (21, 22, 80, 443) are exposed to the internet, the attack surface is significant. The crash is immediate and persistent: the service stays down until an administrator restarts it, and repeated exploitation turns that into a sustained outage.

Exploitation Status

CISA's inclusion of CVE-2026-28318 in the KEV catalog is based on "evidence of active exploitation." This indicates that threat actors are already scanning for exposed Serv-U instances and deploying exploits to disrupt services. While the immediate impact is availability (service crash), defenders should also investigate whether DoS attempts are precursors to further reconnaissance or auxiliary attacks.

Detection & Response

Detecting DoS vulnerabilities often requires looking for the result of the attack (process termination) rather than the exploit packet itself, which may resemble normal traffic. However, rapid, repeated service crashes are a definitive indicator of an attack.

SIGMA Rules

---
title: SolarWinds Serv-U Service Unexpected Termination
id: 8a4b2c1d-9e6f-4a3b-8c7d-0e1f2a3b4c5d
status: experimental
description: Detects unexpected termination or crash of the SolarWinds Serv-U service on Windows.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: windows
  service: system
detection:
  # Service Control Manager event 7034 reads "The <name> service terminated
  # unexpectedly". The "Faulting application" text belongs to Application-log
  # event 1000, so requiring both strings in one System-log message never matches.
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7034
    Message|contains: 'Serv-U'
  condition: selection
falsepositives:
  - Legitimate service restarts by administrators
  - System instability unrelated to attack
level: high
---
title: SolarWinds Serv-U Linux Process Crash via Auditd
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects SEGFAULT or abnormal exit of the Serv-U daemon process on Linux systems.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: 'ANOM_ABEND'
    exe|contains: '/Serv-U'
  condition: selection
falsepositives:
  - Rare application bugs
level: high
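The Sigma rules above fire on every single termination event, while the paragraph opening this section makes the sharper point: one crash may be an administrator restart, but rapid, repeated crashes are the indicator. The following Python script is an added example written for this guide (not code from the advisory, SolarWinds or CISA). It parses constructed sample telemetry in the two shapes the Sigma rules target, Service Control Manager event 7034 lines on Windows and auditd ANOM_ABEND records on Linux, and raises an alert only when the number of Serv-U crashes inside a sliding window reaches a threshold. The log lines, the 10-minute window and the threshold of 3 are assumptions chosen for illustration.

```python
"""Crash-burst detector for Serv-U outage telemetry.

Added example for this guide, not code from the advisory, SolarWinds or CISA.
It consumes two constructed inputs: Windows System-log lines shaped like
Service Control Manager event 7034 ("service terminated unexpectedly") and
Linux auditd ANOM_ABEND records for the Serv-U daemon. A single crash is only
recorded; an alert is raised when the crash count inside a sliding window
reaches a threshold, matching the guide's point that repeated terminations,
not one event, are the indicator.
"""
from __future__ import annotations

import re
from collections import deque
from datetime import datetime, timedelta, timezone

# --- Constructed sample telemetry (not captured from a real host) -----------
WINDOWS_SYSTEM_LOG = """\
2026-06-08T10:00:05Z EventID=7034 Provider=Service Control Manager Message=The Serv-U service terminated unexpectedly.  It has done this 1 time(s).
2026-06-08T10:00:40Z EventID=7036 Provider=Service Control Manager Message=The Serv-U service entered the running state.
2026-06-08T10:01:12Z EventID=7034 Provider=Service Control Manager Message=The Serv-U service terminated unexpectedly.  It has done this 2 time(s).
2026-06-08T10:02:03Z EventID=7034 Provider=Service Control Manager Message=The Serv-U service terminated unexpectedly.  It has done this 3 time(s).
2026-06-08T10:02:50Z EventID=7034 Provider=Service Control Manager Message=The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).
"""

# Two Serv-U SIGSEGV aborts a little over an hour apart: noteworthy, not a burst.
LINUX_AUDIT_LOG = """\
type=ANOM_ABEND msg=audit(1781000000.101:501): auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=2201 comm="Serv-U" exe="/usr/local/Serv-U/Serv-U" sig=11 res=1
type=ANOM_ABEND msg=audit(1781003700.220:777): auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=2310 comm="Serv-U" exe="/usr/local/Serv-U/Serv-U" sig=11 res=1
"""

WIN_CRASH_RE = re.compile(
    r"^(?P<ts>\S+) EventID=7034 .*?Message=The (?P<svc>.+?) service terminated unexpectedly"
)
AUDIT_ABEND_RE = re.compile(
    r'^type=ANOM_ABEND msg=audit\((?P<epoch>\d+)\.\d+:\d+\):.*?exe="(?P<exe>[^"]+)".*?sig=(?P<sig>\d+)'
)


def parse_windows_crashes(text: str, service: str = "Serv-U") -> list[tuple[datetime, str]]:
    """Return (timestamp, detail) for each SCM 7034 event naming the given service."""
    out = []
    for line in text.splitlines():
        m = WIN_CRASH_RE.match(line)
        if m and m.group("svc") == service:
            ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
            out.append((ts, f"windows scm 7034: {service} terminated unexpectedly"))
    return out


def parse_auditd_abends(text: str, exe_fragment: str = "/Serv-U") -> list[tuple[datetime, str]]:
    """Return (timestamp, detail) for each ANOM_ABEND whose exe path contains the fragment."""
    out = []
    for line in text.splitlines():
        m = AUDIT_ABEND_RE.match(line)
        if m and exe_fragment in m.group("exe"):
            ts = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
            out.append((ts, f"auditd ANOM_ABEND: {m.group('exe')} sig={m.group('sig')}"))
    return out


def detect_crash_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Sliding-window count: alert at each event where >= threshold crashes fall inside window."""
    recent: deque = deque()
    alerts: list[tuple[datetime, int]] = []
    for ts, _detail in sorted(events):
        recent.append(ts)
        while ts - recent[0] > window:      # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return alerts


def run_detection() -> dict[str, list[tuple[datetime, int]]]:
    """Run both parsers over the constructed samples and return alerts per platform."""
    return {
        "windows": detect_crash_bursts(parse_windows_crashes(WINDOWS_SYSTEM_LOG)),
        "linux": detect_crash_bursts(parse_auditd_abends(LINUX_AUDIT_LOG)),
    }


if __name__ == "__main__":
    for platform, alerts in run_detection().items():
        for ts, count in alerts:
            print(f"[{platform}] {count} Serv-U crashes within 10 min ending {ts.isoformat()}")
```

On the constructed data the Windows stream produces one alert at the third crash (three terminations in about two minutes), the Print Spooler event is ignored because the service name is checked rather than just substring-matched, and the Linux stream produces none because its two aborts are more than a window apart. Setting `threshold=1` degrades the detector to the per-event behaviour of the Sigma rules, which is useful when tuning against a site's normal restart cadence.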

KQL (Microsoft Sentinel / Defender)

// Hunt for Serv-U service crashes or restarts
Syslog
| where SyslogMessage has "Serv-U"
| where SyslogMessage has_any ("crashed", "terminated", "stopped", "faulting application")
| project TimeGenerated, Computer, ProcessName, SyslogMessage, Facility
| order by TimeGenerated desc

Velociraptor VQL

-- Hunt for recent Serv-U crash dumps or error logs indicating instability.
-- glob() expects forward-slash paths on Windows (single-quoted VQL strings do
-- not unescape "\\"), VQL has no UNION ALL so the two queries are combined with
-- chain(), and timestamp(epoch=...) yields a value comparable with Mtime.
LET lookback = timestamp(epoch=now() - 86400)   -- 24 hours ago

SELECT * FROM chain(
  windows_dumps={
    SELECT OSPath, Mtime, Size
    FROM glob(globs='C:/Program Files/SolarWinds/Serv-U/*.dmp')
    WHERE Mtime > lookback
  },
  linux_logs={
    -- Recently modified Serv-U logs on Linux, candidates to grep for segmentation faults
    SELECT OSPath, Mtime, Size
    FROM glob(globs='/var/log/serv-u*.log')
    WHERE Mtime > lookback
  })

Remediation Script (PowerShell)

# Check SolarWinds Serv-U Version and Status
Write-Host "[+] Checking SolarWinds Serv-U Installation..." -ForegroundColor Cyan

# Registry path for Serv-U
$regPath = "HKLM:\SOFTWARE\SolarWinds\Serv-U"
$installPath = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).Path

if ($installPath) {
    Write-Host "[+] Serv-U installed at: $installPath" -ForegroundColor Green
    
    # Get file version of Serv-U.exe
    $exePath = Join-Path $installPath "Serv-U.exe"
    if (Test-Path $exePath) {
        $versionInfo = (Get-Item $exePath).VersionInfo
        $fileVersion = $versionInfo.FileVersion
        Write-Host "[+] Current File Version: $fileVersion" -ForegroundColor Yellow
        
        # Note: Replace '15.4.2' with the actual patched version from the vendor advisory
        $safeVersion = [version]"15.4.2" 
        $currentVersion = [version]$fileVersion

        if ($currentVersion -lt $safeVersion) {
            Write-Host "[!] ALERT: Version is vulnerable. Immediate update required." -ForegroundColor Red
            Write-Host "[+] Please apply the hotfix for CVE-2026-28318." -ForegroundColor Red
        } else {
            Write-Host "[+] Version appears patched based on known safe baseline." -ForegroundColor Green
        }
    }
} else {
    Write-Host "[-] Serv-U not found in registry." -ForegroundColor Gray
}

# Check Service Status
$serviceName = "Serv-U"
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($service) {
    Write-Host "[+] Service Status: $($service.Status)" -ForegroundColor Cyan
}

Remediation

  1. Patch Immediately: Apply the latest hotfix released by SolarWinds addressing CVE-2026-28318. This is the only permanent fix.
  2. CISA Deadline: Federal Civilian Executive Branch (FCEB) agencies must patch by July 9, 2026. Private sector organizations should aim to remediate immediately given the active exploitation status.
  3. Network Segmentation: If patching is delayed, restrict access to Serv-U ports (21, 22, 80, 443) solely to trusted management IP addresses or internal subnets. Do not expose the MFT interface directly to the public internet.
  4. Service Monitoring: Implement monitoring that alerts immediately when the Serv-U service stops; repeated, unexplained stops are the primary Indicator of Compromise (IoC) for this specific DoS attack.
