A Crash, Not a Shell SolarWinds Serv-U CVE-2026-28318

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serv-u-cve-2026-28318
• Blog Title: A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318
• Suggested Section: Network Services Pentesting -> 80,443 - Pentesting Web Methodology, or Pentesting Web -> HTTP/request parsing issues; optionally a SolarWinds Serv-U note under FTP/MFT services

🎯 Content Summary

A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318 analyzes an unauthenticated denial-of-service vulnerability in SolarWinds Serv-U 15.5.4 and earlier, affecting the Serv-U web interface, which is enabled by default. SolarWinds assigned CVSS 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning exploitation is remote, unauthenticated, low complexity, requires no user interaction, and only impacts availability. The vulnerability was disclosed by SolarW...

🔧 Technical Details

Header-gated decompression DoS: if a server only rejects unsupported request encodings under a secondary configuration condition, such as only when HTTP compression is disabled, default deployments may accidentally skip the rejection logic. An attacker can then send a request with a body and a dangerous encoding header, for example Content-Encoding: deflate, causing the body to be processed by unsafe decompression code. If that decompressor contains invalid buffer lifecycle handling, it may call free() on an invalid or unintended pointer and crash when the allocator detects heap corruption.

Minimal unauthenticated crash trigger: when a vulnerable parser/decompressor is reachable before authentication, the exploit can be reduced to a single request. For CVE-2026-28318, the required conditions are: HTTP POST, a non-empty body, and Content-Encoding: deflate. The body does not need to be valid compressed data, which...

🤖 Agent Actions

Done.

Updated:

• src/network-services-pentesting/pentesting-web/special-http-headers.md

Added:

• request-side Content-Encoding abuse as a pre-auth parser/decompressor attack surface
• minimal POST + non-empty body + Content-Encoding: deflate trigger pattern
• safe patch-differential detection using Content-Encoding: identity and 415 Unsupported Media Type
• references to the Bishop Fox blog, safe checker, and SolarWinds release notes

I chose this file because the reusable technique is about HTTP header/body processing, not Serv-U specifically, and the exact pattern was not already documented.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serv-u-cve-2026-28318

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web Methodology, or Pentesting Web -> HTTP/request parsing issues; optionally a SolarWinds Serv-U note under FTP/MFT services".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0