CVE-2026-28318

SolarWinds Serv-U Uncontrolled Resource Consumption (CVE-2026-28318)

Detects exploitation of CVE-2026-28318, an uncontrolled resource consumption vulnerability (CWE-400) in SolarWinds Serv-U. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to exhaust server resources, leading to denial of service conditions. Detection focuses on abnormal connection patterns, resource exhaustion indicators, and anomalous request volumes targeting Serv-U services.

Vulnerability Intelligence

KEV — Known Exploited

What is SolarWinds Serv-U Uncontrolled Resource Consumption (CVE-2026-28318)?

SolarWinds Serv-U Uncontrolled Resource Consumption (CVE-2026-28318) maps to the Impact tactic in MITRE ATT&CK: the adversary is trying to manipulate, interrupt, or destroy your systems and data.

This page provides production-ready detection logic for SolarWinds Serv-U Uncontrolled Resource Consumption (CVE-2026-28318), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Sentinel, Network Security Groups, Firewall Logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Impact
Microsoft Sentinel / Defender (KQL)
// Thresholds: tune to the observed per-host baseline before deploying
let threshold_connections = 500;
let threshold_window = 5m;
// Default Serv-U listeners: FTP, SFTP, implicit FTPS control/data, HTTPS, HTTP
let servu_ports = dynamic([21, 22, 990, 989, 443, 80]);
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated >= ago(1h)
| where (
    (Type == "DeviceNetworkEvents" and (RemotePort in (servu_ports) or LocalPort in (servu_ports)))
    or (Type == "CommonSecurityLog" and DeviceProduct has_any ("Serv-U", "ServU"))
  )
// CommonSecurityLog carries CEF field names (DestinationPort, SourceIP), so map them onto
// the DeviceNetworkEvents columns; otherwise its rows aggregate under an empty LocalPort/RemoteIP
| extend LocalPort = iff(Type == "CommonSecurityLog", DestinationPort, LocalPort),
         RemoteIP = iff(Type == "CommonSecurityLog", SourceIP, RemoteIP)
// SentBytes/ReceivedBytes exist only in CommonSecurityLog; DeviceNetworkEvents rows contribute null
| summarize ConnectionCount = count(), DistinctRemoteIPs = dcount(RemoteIP), BytesSent = sum(SentBytes), BytesReceived = sum(ReceivedBytes) by bin(TimeGenerated, threshold_window), DeviceName, LocalPort
| where ConnectionCount > threshold_connections
| extend Severity = case(ConnectionCount > 2000, "Critical", ConnectionCount > 1000, "High", "Medium")
| project TimeGenerated, DeviceName, LocalPort, ConnectionCount, DistinctRemoteIPs, BytesSent, BytesReceived, Severity
| order by ConnectionCount desc

Detects abnormal connection volume to SolarWinds Serv-U ports, indicative of resource-exhaustion exploitation. Monitors DeviceNetworkEvents and CommonSecurityLog for connection counts that exceed the threshold within 5-minute windows (bin() produces fixed, back-to-back bins rather than a sliding window, so a burst that straddles a bin boundary is split across two rows and may fall under the threshold in each).

Severity: high | Confidence: medium

Data Sources

  • Microsoft Defender for Endpoint
  • Azure Sentinel
  • Network Security Groups
  • Firewall Logs

Required Tables

  • DeviceNetworkEvents
  • CommonSecurityLog

False Positives

  • Legitimate bulk file transfer operations from authorized clients causing high connection counts
  • Scheduled backup jobs that open many simultaneous FTP/SFTP connections
  • Load testing or capacity planning activities performed by IT teams
  • Network scanners or vulnerability assessment tools run by security teams
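To show the query's aggregation on concrete telemetry, here is an added Python reference implementation (not code from this page or from SolarWinds) that applies the same 5-minute binning, the 500-connection threshold and the severity tiers to constructed DeviceNetworkEvents-style records. The DistinctRemoteIPs value it keeps is what separates a bulk transfer from a single authorized client (a false-positive case above) from a distributed burst during triage.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same parameters as the KQL query above
THRESHOLD_CONNECTIONS = 500
WINDOW_SECONDS = 300          # threshold_window = 5m
SERVU_PORTS = {21, 22, 990, 989, 443, 80}


def bin_time(ts: datetime) -> datetime:
    """Floor a timestamp to its 5-minute window, like KQL bin()."""
    secs = int(ts.timestamp())
    return datetime.fromtimestamp(secs - secs % WINDOW_SECONDS, tz=timezone.utc)


def severity(count: int) -> str:
    """Tiers from the query's case() expression."""
    return "Critical" if count > 2000 else "High" if count > 1000 else "Medium"


def detect(events):
    """Aggregate per (window, host, port) like the query's summarize; return
    findings above threshold. Events mimic DeviceNetworkEvents rows:
    TimeGenerated (aware datetime), DeviceName, LocalPort, RemoteIP."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set()})
    for ev in events:
        if ev["LocalPort"] not in SERVU_PORTS:
            continue          # not a Serv-U listener, ignore
        b = buckets[(bin_time(ev["TimeGenerated"]), ev["DeviceName"], ev["LocalPort"])]
        b["count"] += 1
        b["ips"].add(ev["RemoteIP"])
    findings = [
        {"TimeGenerated": w, "DeviceName": h, "LocalPort": p, "ConnectionCount": b["count"],
         "DistinctRemoteIPs": len(b["ips"]), "Severity": severity(b["count"])}
        for (w, h, p), b in buckets.items() if b["count"] > THRESHOLD_CONNECTIONS
    ]
    return sorted(findings, key=lambda f: f["ConnectionCount"], reverse=True)


def sample_events():
    """Constructed telemetry (not real logs): a quiet baseline window, then a
    600-connection burst to port 21 from one address, as Test 1 below describes."""
    base = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
    events = [{"TimeGenerated": base + timedelta(seconds=10 * i), "DeviceName": "SERVU01",
               "LocalPort": 21, "RemoteIP": f"10.0.0.{i % 5 + 1}"} for i in range(30)]
    burst = base + timedelta(minutes=10)
    events += [{"TimeGenerated": burst + timedelta(milliseconds=100 * i), "DeviceName": "SERVU01",
                "LocalPort": 21, "RemoteIP": "198.51.100.7"} for i in range(600)]
    return events
```

Running detect(sample_events()) yields a single Medium finding for SERVU01 port 21 with ConnectionCount 600 and DistinctRemoteIPs 1; the baseline window (30 connections) never surfaces.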

Sigma rule & cross-platform mapping

The detection logic for SolarWinds Serv-U Uncontrolled Resource Consumption (CVE-2026-28318) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps), and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulated FTP Connection Flood to Serv-U (Linux)

    Expected signal: Network flow logs showing 600+ connection attempts from the test host to port 21 of the target within a short window; firewall logs recording SYN flood or connection rate spike; Serv-U application logs showing session limit errors or connection refused messages

  2. Test 2: SFTP Connection Exhaustion via Python (Linux/macOS)

    Expected signal: Process telemetry showing python3 spawning ~600 concurrent TCP connections to port 22; network visibility tools showing elevated socket counts; target host showing increased memory/thread usage for ServUDaemon.exe

  3. Test 3: FTPS Connection Exhaustion via hping3 (Linux)

    Expected signal: Network IDS/IPS alerts for SYN flood to port 990; firewall logs recording high packet rate from test source IP; Serv-U host showing elevated network interrupt handling load; Windows Performance Monitor showing ServUDaemon.exe handle/connection count spike
