CVE-2026-28318 Splunk · SPL

Detect SolarWinds Serv-U Uncontrolled Resource Consumption (CVE-2026-28318) in Splunk

Detects exploitation of CVE-2026-28318, an uncontrolled resource consumption vulnerability (CWE-400) in SolarWinds Serv-U. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to exhaust server resources, leading to denial of service conditions. Detection focuses on abnormal connection patterns, resource exhaustion indicators, and anomalous request volumes targeting Serv-U services.

MITRE ATT&CK

Tactic
Impact

SPL Detection Query

Splunk (SPL)
spl 
index=* (sourcetype="solarwinds:servu" OR sourcetype="ftp" OR sourcetype="network" OR sourcetype="firewall")
| eval dest_port=coalesce(dest_port, dpt, DestinationPort)
| where dest_port IN (21, 22, 990, 989, 443, 80)
| bin _time span=5m
| stats count AS connection_count, dc(src_ip) AS distinct_src_ips, sum(bytes_out) AS total_bytes_out BY _time, dest, dest_port
| where connection_count > 500
| eval severity=case(connection_count > 2000, "critical", connection_count > 1000, "high", connection_count > 500, "medium", true(), "low")
| eval alert_title="CVE-2026-28318 Serv-U Resource Exhaustion Detected"
| table _time, dest, dest_port, connection_count, distinct_src_ips, total_bytes_out, severity, alert_title
| sort -connection_count
high severity medium confidence

Splunk SPL query detecting resource exhaustion patterns against SolarWinds Serv-U. Aggregates connection counts per 5-minute window and alerts on spikes exceeding 500 connections to Serv-U service ports.

Data Sources

SolarWinds Serv-U LogsFirewall LogsNetwork Flow DataWindows Event Logs

Required Sourcetypes

solarwinds:servuftpnetworkfirewall

False Positives & Tuning

  • High-volume legitimate file transfer operations from enterprise clients
  • Automated backup or synchronization tools generating bulk connections
  • Security scanning tools performing authorized vulnerability assessments
  • CDN or proxy servers aggregating many client connections through a single source

Other platforms for CVE-2026-28318

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated FTP Connection Flood to Serv-U (Linux)

    Expected signal: Network flow logs showing 600+ connection attempts from the test host to port 21 of the target within a short window; firewall logs recording SYN flood or connection rate spike; Serv-U application logs showing session limit errors or connection refused messages

  2. Test 2SFTP Connection Exhaustion via Python (Linux/macOS)

    Expected signal: Process telemetry showing python3 spawning ~600 concurrent TCP connections to port 22; network visibility tools showing elevated socket counts; target host showing increased memory/thread usage for ServUDaemon.exe

  3. Test 3FTPS Connection Exhaustion via hping3 (Linux)

    Expected signal: Network IDS/IPS alerts for SYN flood to port 990; firewall logs recording high packet rate from test source IP; Serv-U host showing elevated network interrupt handling load; Windows Performance Monitor showing ServUDaemon.exe handle/connection count spike

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-28318 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hub

TA0040Impact

Related Techniques

T1499Endpoint Denial of ServiceT1499.002Service Exhaustion FloodT1190Exploit Public-Facing Application

Same Tactic: Impact

Popular Detections