What is the CVSS score of EUVD-2026-34268?

EUVD-2026-34268 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of SolarWinds Serv-U are affected by EUVD-2026-34268?

SolarWinds Serv-U is vulnerable to remote denial-of-service attacks from unauthenticated users (CVE-2026-28318, CVSS 7.5), allowing attackers to crash the service and disrupt file transfer operations…

Is there a public PoC exploit available for EUVD-2026-34268?

Yes, a public proof-of-concept exploit is available for EUVD-2026-34268. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2026-34268?

Within 24 hours: inventory all SolarWinds Serv-U deployments and assess network exposure; restrict inbound access to Serv-U to authorized IP ranges only. Within 7 days: deploy WAF or network filtering rules to block POST requests with Content-Encoding: deflate header; enable request size limits and rate limiting; implement monitoring alerts for abnormal POST traffic and Serv-U service restarts. Within 30 days: monitor SolarWinds security advisories for patch release; establish criteria for alternative file transfer solutions if patch availability extends beyond risk tolerance.

SolarWinds Serv-U EUVD-2026-34268

| CVE-2026-28318 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-06-04 SolarWinds

GHSA-4vx4-vp54-mwmc

Denial Of Service Serv U

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Added to CISA KEV

Jun 05, 2026 - 18:01 CISA

Analysis Generated

Jun 04, 2026 - 14:51 vuln.today

DescriptionCVE.org

SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update

Articles & Coverage 1

POC CVE-2026-28318: Unauthenticated DoS in SolarWinds Serv-U via Malformed Deflate POST Requests (CVSS 7.5) Jun 06, 2026

AnalysisAI

Remote denial-of-service in SolarWinds Serv-U allows unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests using Content-Encoding: deflate. The flaw carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and maps to CWE-400 (uncontrolled resource consumption), affecting service availability without compromising confidentiality or integrity; no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed Serv-U HTTP listener

Delivery

Craft POST with Content-Encoding: deflate

Exploit

Send malformed deflate body

Execution

Trigger uncontrolled resource consumption

Persist

Serv-U service crashes

Impact

Repeat to sustain outage

Access

Identify exposed Serv-U HTTP listener

Delivery

Craft POST with Content-Encoding: deflate

Exploit

Send malformed deflate body

Execution

Trigger uncontrolled resource consumption

Persist

Serv-U service crashes

Impact

Repeat to sustain outage

Vulnerability AssessmentAI

Exploitation	The target Serv-U instance must expose its HTTP or HTTPS interface to the attacker's network path and be running a Serv-U version prior to 15.5.4 Hotfix 1; the attacker must be able to send a POST request carrying the Content-Encoding: deflate header to that interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are moderate and consistent: the CVSS 7.5 reflects network-reachable, low-complexity, no-privileges, no-user-interaction exploitation with high availability impact (C:N/I:N/A:H), and CWE-400 makes a crash trivial to trigger once the payload is known. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker on the internet sends a single crafted HTTP POST with a Content-Encoding: deflate header and a malformed or oversized compressed body to an exposed Serv-U HTTP/HTTPS listener, causing the Serv-U service process to crash and interrupting all in-flight file transfers and management sessions. Because no authentication or user interaction is required, the request can be scripted and repeated to keep the service offline whenever it restarts; no public exploit is identified at time of analysis, but the trigger is described in plain text in the advisory.
Remediation	Vendor-released patch: Serv-U 15.5.4 Hotfix 1 - upgrade affected Serv-U installations to this release per the vendor advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28318 and release notes at https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4-hotfix-1_release_notes.htm. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all SolarWinds Serv-U deployments and assess network exposure; restrict inbound access to Serv-U to authorized IP ranges only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-34268 vulnerability details – vuln.today

Back

SolarWinds Serv-U EUVD-2026-34268

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Articles & Coverage 1

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code