SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability (CVE-2026-28318)

Summary

SolarWinds Serv-U is susceptible to a denial of service: an unauthenticated attacker can crash the Serv-U service by sending specially crafted POST requests that use Content-Encoding: deflate.

MITIGATION STEPS: SolarWinds suggests adding the following controls to your web application firewall (WAF).

  • Limit access to known addresses when possible.
  • Block any POST request containing a “Content-Encoding” header, as this functionality is not required by the service.
  • See the table below for examples. These were found using a web search; please check with your vendor if they do not work for your environment.

| Vendor | Example |
|---|---|
| **Azure Front Door WAF** | Custom rule: `RequestHeader["content-encoding"]` contains `"deflate"` and optionally `RequestMethod == POST` → **Block** |
| **AWS WAF** | ByteMatch on single header `content-encoding` containing `deflate`; optionally AND with method POST → **Block** |
| **Cloudflare WAF** | Expression: `(http.request.headers["content-encoding"][*] contains "deflate" and http.request.method eq "POST")` |
| **F5 BIG-IP / Advanced WAF** | LTM iRule or ASM policy: if header Content-Encoding contains deflate and method is POST, reject/drop |
| **ModSecurity / CRS** | `SecRule REQUEST_METHOD "@streq POST" "id:100100,phase:1,deny,status:403,chain"` + `SecRule REQUEST_HEADERS:Content-Encoding "@contains deflate"` |
| **NGINX** | `set $ce_rule "$request_method"; if ($http_content_encoding ~* deflate) { set $ce_rule "${ce_rule}:ce"; } if ($ce_rule = "POST:ce") { return 403; }` (nginx does not accept one `if` block nested inside another, so the two conditions are combined through a variable) |
| **Apache** | `RewriteCond %{REQUEST_METHOD} POST` + `RewriteCond %{HTTP:Content-Encoding} deflate [NC]` + `RewriteRule .* - [F]` |
| **HAProxy** | `acl is_post method POST` + `acl bad_ce req.hdr(Content-Encoding) -m sub -i deflate` + `http-request deny if is_post bad_ce` |
| **Imperva** | Custom signature/policy: header Content-Encoding contains deflate; optionally method POST → **Block** |
| **Akamai Kona/App & API Protector** | Match request header Content-Encoding contains deflate; optionally constrain to POST → **Deny** |
| **Fastly / VCL** | In recv: if `req.method == "POST"` and `req.http.Content-Encoding ~ "(?i)deflate"` then error 403 |
| **Envoy** | Route / Lua / WASM filter: deny when `:method == POST` and `content-encoding` contains `deflate` |
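
The mitigation steps describe two rule variants: block every POST that carries Content-Encoding, or block only POSTs whose Content-Encoding contains deflate. The following is an added example, not SolarWinds code, that expresses both as a reference predicate so a WAF rule's behaviour can be compared against it. The function names, the host name and the sample requests are constructed for illustration, and all request bodies are empty.

```python
# Added example (not vendor code): reference predicate for the two rule variants.
def parse_head(raw: bytes):
    """Return (method, {lower-cased header name: [values]}) from a raw request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers

def codings(headers):
    """Every content-coding token, across repeated headers and comma-separated lists."""
    return [tok.strip().lower()
            for value in headers.get("content-encoding", [])
            for tok in value.split(",") if tok.strip()]

def should_block(raw: bytes, strict: bool = True) -> bool:
    """strict=True: block any POST that carries Content-Encoding (the bullet rule).
    strict=False: block only POSTs whose Content-Encoding contains deflate (table rows)."""
    method, headers = parse_head(raw)
    if method != "POST":
        return False
    if strict:
        return "content-encoding" in headers
    return any("deflate" in tok for tok in codings(headers))

def req(method, *header_lines):
    """Build a constructed request head with an empty body."""
    head = [f"{method} / HTTP/1.1", "Host: servu.example.test", *header_lines]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1")

SAMPLES = {  # constructed test inputs, not captured traffic
    "post_no_encoding":   req("POST", "Content-Length: 0"),
    "post_lowercase_hdr": req("POST", "content-encoding: deflate"),
    "post_mixed_list":    req("POST", "Content-Encoding: gzip, DEFLATE"),
    "post_repeated_hdr":  req("POST", "Content-Encoding: gzip", "Content-Encoding: deflate"),
    "post_gzip_only":     req("POST", "Content-Encoding: gzip"),
    "get_deflate":        req("GET", "Content-Encoding: deflate"),
}

def evaluate():
    """Map sample name -> (strict verdict, deflate-only verdict)."""
    return {n: (should_block(r), should_block(r, strict=False)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (strict, narrow) in evaluate().items():
        print(f"{name:20} strict={strict!s:5} deflate_only={narrow}")
```

A rule that inspects only the first Content-Encoding header, or matches the value case-sensitively, would disagree with this predicate on `post_repeated_hdr` and `post_mixed_list`. Only the strict variant blocks `post_gzip_only`.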

Affected Products

SolarWinds Serv-U 15.5.4 and below


Fixed Software Release

SolarWinds Serv-U 15.5.4 HF1

Advisory Details
Severity

7.5 High

Advisory ID
First Published
06/03/2026
Fixed Version

SolarWinds Serv-U 15.5.4 HF1

CVSS Score