
CISA Flags SolarWinds Serv-U Flaw as Actively Exploited (CVE-2026-28318)

SecurityXP Editorial Desk

Over 12,000 SolarWinds Serv-U file transfer servers sit exposed to the internet. Attackers are already knocking them offline. CISA confirmed active exploitation of CVE-2026-28318 on June 5, 2026, adding the high-severity denial-of-service flaw to its Known Exploited Vulnerabilities catalog. Federal agencies now have until June 19 to remediate under Binding Operational Directive 22-01.

SolarWinds had actually released the fix a day earlier. On June 4, the company pushed Serv-U version 15.5.4 Hotfix 1 to address the bug. The narrow gap between patch release and CISA’s emergency catalog addition suggests exploitation was already underway when the update dropped.

How the Attack Works

The vulnerability is almost embarrassingly simple to trigger. CVE-2026-28318 carries a CVSS 3.1 score of 7.5 (High) and stems from an uncontrolled resource consumption weakness classified as CWE-400. An unauthenticated remote attacker sends a specially crafted POST request with a Content-Encoding: deflate header, and the Serv-U service crashes. No credentials. No user interaction. Just one malformed HTTP request and the file transfer service goes down.

“SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate,” the company said in its advisory. The application fails to properly limit the resources it allocates when processing incoming input, so a single malicious request can exhaust available memory or CPU and kill the service entirely.

Why Serv-U Keeps Getting Hit

This incident fits a troubling pattern. Serv-U has been a recurring target for ransomware operators, including the Cl0p gang, which exploited previous flaws to breach enterprise networks. The zero-authentication, zero-interaction nature of CVE-2026-28318 makes it an ideal initial-access vector. Attackers can probe exposed instances, crash services to create instability, and potentially pivot to deeper compromise when administrators investigate outages.

The exposure numbers are stark. Shodan tracks over 12,000 internet-facing Serv-U servers, while Shadowserver counts more than 3,100. Neither organization knows how many have been patched. The attack surface is broad, the exploit is trivial, and the threat actors are already active.

Any organization running SolarWinds Serv-U on Windows or Linux prior to version 15.5.4 Hotfix 1 is vulnerable. This includes enterprises using Serv-U for Managed File Transfer, FTP, FTPS, and SFTP services. Federal agencies face mandatory remediation by June 19, 2026.

Immediate Steps for Defenders

Administrators should upgrade to 15.5.4 Hotfix 1 immediately. Organizations that cannot patch right away should limit Serv-U access to known, trusted IP addresses and block POST requests containing the Content-Encoding header at the WAF or network edge. The vulnerable service does not require this functionality, so the block carries no operational cost. Security teams should also monitor logs for unauthorized POST requests using Content-Encoding: deflate as potential exploitation indicators.
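One way to run the log check described above, as an added example that is not SolarWinds or CISA code. It assumes a reverse proxy or WAF in front of Serv-U writes one JSON record per request; the field names, the allowlist range and the sample records are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Assumption: a reverse proxy or WAF in front of Serv-U logs one JSON object per
# request with "src", "method" and "headers". Field names are hypothetical.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed allowlist
# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
{"src":"10.20.4.7","method":"POST","headers":{"Content-Type":"text/plain"}}
{"src":"203.0.113.50","method":"POST","headers":{"content-encoding":"deflate"}}
{"src":"203.0.113.50","method":"post","headers":{"Content-Encoding":"gzip, Deflate"}}
{"src":"198.51.100.9","method":"GET","headers":{"Content-Encoding":"deflate"}}
{"src":"10.20.4.7","method":"POST","headers":{"Content-Encoding":"deflate"}}
truncated-or-corrupt-line
"""

def has_deflate(headers):
    """True if a Content-Encoding header (any letter case) lists 'deflate'."""
    for name, value in headers.items():
        if name.lower() == "content-encoding":
            if "deflate" in [c.strip().lower() for c in str(value).split(",")]:
                return True
    return False

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_posts(log_text):
    """Return one dict per POST request that carried Content-Encoding: deflate."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if not isinstance(rec, dict) or not isinstance(rec.get("headers"), dict):
            continue
        if str(rec.get("method", "")).upper() == "POST" and has_deflate(rec["headers"]):
            src = str(rec.get("src", ""))
            hits.append({"line": lineno, "src": src, "trusted": is_trusted(src)})
    return hits

def untrusted_sources(hits):
    """Count flagged requests per source address outside the allowlist."""
    return Counter(h["src"] for h in hits if not h["trusted"])
```

Matches from allowlisted addresses are still returned with `trusted` set, so an internal client that sends compressed uploads can be identified before a blanket Content-Encoding block is enforced at the edge.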

The two-week federal deadline signals how seriously CISA views this threat. For the rest of us, the message is equally urgent. Patch now, or become the next outage statistic.

Sources

  1. https://www.cisa.gov/news-events/alerts/2026/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-28318
  3. https://www.cisa.gov/binding-operational-directive-22-01