SolarWinds Serv-U and Web Help Desk Denial of Service (CVE-2026-28318, CVE-2026-28299): Unauthenticated Service Crash via Crafted Requests

Two denial-of-service vulnerabilities have been disclosed in SolarWinds products, tracked as CVE-2026-28318 and CVE-2026-28299. Both allow unauthenticated attackers to crash services through specially crafted requests.

What Are the Vulnerabilities?

CVE-2026-28318: SolarWinds Serv-U is susceptible to specially crafted POST requests using Content-Encoding: deflate that crash the Serv-U service without authentication.

CVE-2026-28299: SolarWinds Web Help Desk is affected by a denial-of-service vulnerability that can crash the server due to insufficient memory handling.
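Detection logic for the CVE-2026-28318 request pattern described above, added here as an example and not taken from SolarWinds or the original advisory. It assumes a hypothetical reverse proxy in front of Serv-U that writes JSON-lines access logs with a `content_encoding` field; the log format, the sample lines, the 60-second window and the use of 502/503/504 as a sign of a crashed backend are all assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: JSON-lines access log from a hypothetical reverse proxy
# in front of Serv-U that records the request Content-Encoding header.
SAMPLE_LOG = """\
{"ts":"2026-06-04T10:00:01","src":"198.51.100.7","method":"POST","path":"/","content_encoding":"","status":200}
{"ts":"2026-06-04T10:00:05","src":"203.0.113.9","method":"POST","path":"/","content_encoding":"Deflate","status":502}
{"ts":"2026-06-04T10:00:09","src":"198.51.100.7","method":"GET","path":"/","content_encoding":"","status":502}
{"ts":"2026-06-04T10:07:30","src":"192.0.2.44","method":"POST","path":"/","content_encoding":"gzip, deflate","status":200}
not-json garbage line
"""

UPSTREAM_DOWN = {502, 503, 504}  # assumed: proxy could not reach the backend


def has_deflate(value):
    # Content-Encoding may list several codings, in any letter case.
    return "deflate" in [c.strip().lower() for c in (value or "").split(",")]


def find_suspect_requests(log_text, window=timedelta(seconds=60)):
    events = []
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed lines instead of aborting the scan
    events.sort(key=lambda e: e["ts"])
    findings = []
    for i, e in enumerate(events):
        if e.get("method") != "POST" or not has_deflate(e.get("content_encoding")):
            continue
        # Backend errors on or shortly after the request suggest a service crash.
        outage = any(o.get("status") in UPSTREAM_DOWN and o["ts"] - e["ts"] <= window
                     for o in events[i:])
        findings.append({"src": e.get("src"), "ts": e["ts"].isoformat(),
                         "severity": "high" if outage else "review"})
    return findings


if __name__ == "__main__":
    for f in find_suspect_requests(SAMPLE_LOG):
        print(f)
```

A `review` finding is a deflate-encoded POST with no outage in the window; whether such requests are expected at all depends on the clients that normally talk to the server.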

What Is the Fix?

Apply the SolarWinds mitigations and updates for both products as detailed in the vendor advisories.

This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
