## https://sploitus.com/exploit?id=3F8B37D2-6288-5724-B73B-D65A8373E501
# SolarWinds Serv-U Unauthenticated DoS: Safe Detection Script
A safe, **non-destructive** detector for **CVE-2026-28318**, an unauthenticated
denial-of-service in **SolarWinds Serv-U `= 15.5.4.125`. Not vulnerable. |
| Responded, but no `Serv-U` Server header | `NOT-SERV-U` `[not-servu]` | Not a Serv-U server, or a proxy stripped the header. |
| No usable response / connection failure | `ERROR` `[no-response]` | No HTTP service reachable, filtered, TLS error, or timeout. |
The target is fingerprinted as Serv-U from the probe response's own `Server` header, so
no separate identification request is needed.
> **It proves the fix is missing; it does not crash the service to confirm.**
> A `VULNERABLE` verdict means the HF1 input-validation gate is absent, which is an exact
> proxy for this CVE. The script deliberately stops there rather than sending the
> crashing `deflate` value.
## Requirements
- Python 3.7+, standard library only, with no third-party packages.
## Usage
```bash
# single host (scheme defaults to https://)
./cve_2026_28318_check.py 10.0.0.5
# explicit URL / port
./cve_2026_28318_check.py https://10.0.0.5:443
# several hosts at once
./cve_2026_28318_check.py host-a:443 host-b https://host-c
# scan a list, one target per line ('#' comments allowed), compact output
./cve_2026_28318_check.py -f targets.txt --brief
# machine-readable output for pipelines
./cve_2026_28318_check.py -f targets.txt --json > results.json
```
### Options
| Flag | Description |
|---|---|
| `targets` | One or more `HOST[:PORT]` or URL (scheme defaults to `https://`) |
| `-t, --target TARGET` | Add a target (repeatable) |
| `-f, --file FILE` | Read targets from a file (one per line; `#` comments) |
| `-b, --brief` | Single aligned line per target, ideal for scanning many hosts |
| `--json` | Emit structured JSON results |
| `--no-color` | Disable coloured output (also honours `NO_COLOR` and non-TTY) |
| `--timeout SECS` | Per-probe timeout (default: 10) |
| `-v, --verbose` | Show the probe sent and the raw response headers |
### Examples
**A vulnerable Serv-U server** (the `[!]` marker and `VULNERABLE` render red on a TTY):
```console
$ ./cve_2026_28318_check.py https://10.0.0.5
[!] https://10.0.0.5: VULNERABLE [missing-415-gate]
Serv-U returned 401 (not 415) to the identity probe, so the HF1 415 gate is ABSENT (build = 15.5.4.125). Not vulnerable to CVE-2026-28318.
```
**Scan a list, one aligned line per host** (`--brief`). Exit status is `1` if any host is
`VULNERABLE`, else `0`, which is handy in scripts:
```console
$ ./cve_2026_28318_check.py -f targets.txt --brief; echo "exit: $?"
VULNERABLE https://10.0.0.5 missing-415-gate
PATCHED https://10.0.0.6 hf1-415-gate
NOT-SERV-U https://10.0.0.7 not-servu
ERROR https://10.0.0.8 no-response
exit: 1
```
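The exit status only separates `VULNERABLE` from everything else, so a run that ends in `0` can still include `NOT-SERV-U` and `ERROR` hosts whose patch state is unknown. The added example below (not part of the tool) triages the `--json` output instead; the sample records are constructed, and exit code `3` for inconclusive results is this example's own convention.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the tool's --json output
# (target / verdict / reason / detail); detail strings are placeholders.
SAMPLE_JSON = """
[
  {"target": "https://10.0.0.5", "verdict": "VULNERABLE", "reason": "missing-415-gate", "detail": "constructed"},
  {"target": "https://10.0.0.6", "verdict": "PATCHED", "reason": "hf1-415-gate", "detail": "constructed"},
  {"target": "https://10.0.0.7", "verdict": "NOT-SERV-U", "reason": "not-servu", "detail": "constructed"},
  {"target": "https://10.0.0.8", "verdict": "ERROR", "reason": "no-response", "detail": "constructed"}
]
"""


def triage(results):
    """Bucket results into 'patch', 'recheck' and 'ok' lists of (target, reason)."""
    buckets = defaultdict(list)
    for r in results:
        verdict = r.get("verdict", "ERROR")
        entry = (r.get("target", "?"), r.get("reason", ""))
        if verdict == "VULNERABLE":
            buckets["patch"].append(entry)
        elif verdict == "PATCHED":
            buckets["ok"].append(entry)
        else:
            # NOT-SERV-U, ERROR, or any verdict this script does not know:
            # the scanner exits 0 for these, but they prove nothing.
            buckets["recheck"].append(entry)
    return dict(buckets)


def gate_exit_code(buckets):
    """Stricter gate (this example's convention): 1 vulnerable, 3 inconclusive, 0 all patched."""
    if buckets.get("patch"):
        return 1
    if buckets.get("recheck"):
        return 3  # avoids the scanner's own code 2 (usage error)
    return 0


if __name__ == "__main__":
    b = triage(json.loads(SAMPLE_JSON))
    for name in ("patch", "recheck", "ok"):
        for target, reason in b.get(name, []):
            print(f"{name:8} {target} [{reason}]")
    raise SystemExit(gate_exit_code(b))
```

Hosts in the `recheck` bucket are the ones to probe again directly, without a proxy or load balancer in the path.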
**Machine-readable output for pipelines** (`--json`):
```console
$ ./cve_2026_28318_check.py https://10.0.0.5 --json
[
{
"target": "https://10.0.0.5",
"verdict": "VULNERABLE",
"reason": "missing-415-gate",
"detail": "Serv-U returned 401 (not 415) to the identity probe, so the HF1 415 gate is ABSENT (build
```
= 15.5.4.125`). |
| `NOT-SERV-U` | `not-servu` | Responded, but no `Serv-U` Server header; not Serv-U, or a proxy stripped it. |
| `ERROR` | `no-response` | No usable HTTP response (no service on that port, filtered, TLS error, or timeout). |
| `ERROR` | `bad-target` | The target argument could not be parsed. |
## Exit codes
| Code | Meaning |
|---|---|
| `0` | No target was `VULNERABLE` |
| `1` | At least one target is `VULNERABLE` |
| `2` | Usage error (bad arguments / unreadable targets file) |
## Limitations
- **Proxy / TLS termination.** A reverse proxy or load balancer in front of Serv-U can
strip the `Server` header (reported as `NOT-SERV-U`) or answer with its own `415` (a
possible false `PATCHED`). Point the tool directly at the Serv-U management interface
where you can.
- **Not a crash test.** A `VULNERABLE` verdict proves the HF1 input-validation fix is
absent; it does not demonstrate the crash (by design). That gate is an exact proxy for
this CVE.
- **TLS is not verified.** Serv-U management interfaces are typically self-signed, so the
script does not validate certificates. It confirms reachability and reads the status,
nothing more.
- **Reachability only.** A result reflects what the server returns from the network
position you run it from.
## Remediation
Upgrade to **SolarWinds Serv-U 15.5.4 Hotfix 1 (build `15.5.4.125`)** or later, which adds
the input-validation gate that rejects a request carrying both a body and a non-empty
`Content-Encoding`. Until you can patch, restrict network access to the Serv-U service to
trusted sources.
## License
This code is distributed under an [MIT license](LICENSE).
## Legal Disclaimer
Usage of this tool for attacking targets without prior mutual consent is illegal. It is
the end user's responsibility to obey all applicable local, state, and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by
this program.
## See Also
- [NVD: CVE-2026-28318](https://nvd.nist.gov/vuln/detail/CVE-2026-28318)
- [MITRE: CVE-2026-28318](https://vulners.com/cve/CVE-2026-28318)