A high-severity denial-of-service vulnerability in SolarWinds Serv-U, tracked as CVE-2026-28318, is now actively exploited in the wild, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and mandate federal remediation within two weeks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2026-28318 to its KEV catalog on June 5, 2026, confirming active exploitation of the flaw in real-world attacks.
The vulnerability carries a CVSS v3.1 score of 7.5 (High) and is rooted in an Uncontrolled Resource Consumption weakness, classified under CWE-400.
What makes this flaw particularly dangerous is that it requires no authentication: a remote attacker with no privileges can trigger a full service crash with a single crafted HTTP request.
SolarWinds Serv-U is a widely deployed multi-protocol file server software used for FTP, FTPS, SFTP, and HTTPS file transfers on both Windows and Linux environments.
Its widespread internet-facing deployment in enterprise and government infrastructures makes this vulnerability a high-value target for threat actors seeking to disrupt business operations.
At its core, CVE-2026-28318 exploits how SolarWinds Serv-U handles compressed HTTP request bodies. An attacker sends a specially crafted HTTP POST request that includes the Content-Encoding: deflate header. When Serv-U processes this request, it fails to enforce proper limits on resource allocation, causing the service to consume excessive memory and CPU until the process crashes.
The attack primitive is deceptively simple:

```http
POST /endpoint HTTP/1.1
Host: <target-serv-u-host>
Content-Encoding: deflate
Content-Type: application/x-www-form-urlencoded

[Specially crafted deflate-encoded body]
```
This attack vector is classified as low complexity and requires no user interaction, meaning it can be scripted and launched at scale against any internet-exposed Serv-U instance.
Unlike many DoS vulnerabilities that require sustained flooding, this flaw can be triggered by a single malformed packet, dramatically lowering the technical barrier to exploitation. The vulnerability affects all versions of SolarWinds Serv-U 15.5.4 and earlier.
CISA’s addition of CVE-2026-28318 to the KEV catalog is not merely advisory; it carries regulatory weight. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are legally required to remediate this vulnerability by June 19, 2026.
The tight 14-day remediation window underscores the severity CISA attributes to this flaw and reflects the confirmed, active exploitation already occurring in production environments.
While it remains unknown whether CVE-2026-28318 has been directly leveraged in ransomware campaigns, CISA explicitly urges all organizations, not just federal entities, to treat this with immediate urgency.
The KEV listing itself serves as a strong threat intelligence signal: nation-state actors, ransomware affiliates, or opportunistic script kiddies are likely already scanning for vulnerable Serv-U instances across the internet.
Affected Versions
| Component | Affected Versions | Fixed Version |
|---|---|---|
| SolarWinds Serv-U (Windows) | 15.5.4 and earlier | 15.5.4 Hotfix 1 (HF1) |
| SolarWinds Serv-U (Linux) | 15.5.4 and earlier | 15.5.4 Hotfix 1 (HF1) |
SolarWinds released Serv-U 15.5.4 Hotfix 1 earlier this week, specifically addressing the CVE-2026-28318 denial-of-service vulnerability. Any organization running a prior version is considered fully exposed.
Mitigation
Security teams should act immediately. CISA and SolarWinds recommend the following prioritized actions:
- Apply Serv-U 15.5.4 HF1 — Download and install the hotfix from the official SolarWinds customer portal without delay
- Isolate internet-facing instances — Place Serv-U behind a firewall or VPN to limit external attack surface if patching cannot be done immediately
- Monitor HTTP logs — Detect exploitation attempts by filtering access logs for anomalous POST requests containing the Content-Encoding: deflate header targeting file transfer endpoints
- Follow BOD 22-01 guidance — Federal agencies and cloud-hosted Serv-U deployments must align with applicable CISA binding directive requirements
- Decommission if unmitigatable — If patching or isolation is not feasible within the deadline, SolarWinds and CISA recommend discontinuing use of the product entirely
Organizations should also audit all Serv-U deployments across hybrid environments, including cloud-hosted instances on AWS, Azure, or GCP, ensuring no exposed endpoints remain unpatched.
While no specific threat actor attribution has been publicly disclosed as of this writing, defenders can implement the following detection logic:
- Log pattern: Unusual volume of HTTP POST requests to Serv-U endpoints with Content-Encoding: deflate in headers
- Behavioral indicator: Unexpected Serv-U process termination or service restart events
- Network indicator: Inbound POST traffic from unrecognized external IP ranges targeting Serv-U listening ports (default: 21, 22, 443, 8080)
- SIEM rule: Alert on Content-Encoding: deflate combined with non-standard request body size anomalies in Serv-U access logs
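One way to implement the log-pattern and SIEM-rule indicators above, as an added example that is not from the article, CISA or SolarWinds: it assumes a constructed access-log layout (LINE_RE) that records each request's Content-Encoding header, flags deflate-encoded POSTs, and raises the severity when the body size is far outside the baseline for that endpoint.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed (constructed) log layout: client IP, timestamp, request line, status,
# body bytes and the Content-Encoding request header. Adjust LINE_RE to your logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) enc="(?P<enc>[^"]*)"$'
)

# Constructed sample: two normal clients, then one client sending deflate-encoded
# POST bodies far smaller than the endpoint's usual bodies, followed by a 500.
SAMPLE_LOG = """\
203.0.113.10 [05/Jun/2026:10:00:05 +0000] "POST /upload HTTP/1.1" 200 48210 enc=""
198.51.100.7 [05/Jun/2026:10:01:11 +0000] "POST /upload HTTP/1.1" 200 47990 enc=""
198.51.100.7 [05/Jun/2026:10:01:12 +0000] "GET /files HTTP/1.1" 200 2048 enc="deflate"
192.0.2.55 [05/Jun/2026:10:02:00 +0000] "POST /upload HTTP/1.1" 200 64 enc="deflate"
192.0.2.55 [05/Jun/2026:10:02:01 +0000] "POST /upload HTTP/1.1" 500 64 enc="deflate"
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec

def detect(log_text, ratio=10.0):
    """Alert on POSTs declaring Content-Encoding: deflate; severity is 'high' when
    the body is over `ratio` times smaller or larger than the median size of
    non-deflate POST bodies to the same path, else 'medium'."""
    records = list(parse(log_text))
    baseline = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["enc"].lower() != "deflate":
            baseline[r["path"]].append(r["bytes"])
    alerts = []
    for r in records:
        if r["method"] != "POST" or r["enc"].lower() != "deflate":
            continue  # the reported trigger is a deflate-encoded POST body
        severity = "medium"
        if baseline[r["path"]]:
            base = median(baseline[r["path"]])
            if r["bytes"] * ratio < base or r["bytes"] > base * ratio:
                severity = "high"
        alerts.append({"ip": r["ip"], "path": r["path"], "bytes": r["bytes"],
                       "status": r["status"], "severity": severity})
    return alerts
```

Pair the alerts with the behavioral indicator above (a Serv-U crash or restart shortly after a flagged request from the same source) to separate real attempts from legitimate clients that happen to compress uploads.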
This is not SolarWinds’ first high-profile security incident in recent history. Earlier in 2026, SolarWinds patched four critical RCE vulnerabilities (CVE-2025-40538 through CVE-2025-40541, CVSS 9.1) in Serv-U 15.5.4 that could allow attackers to execute arbitrary code with root/SYSTEM privileges.
The ongoing cadence of critical vulnerabilities in Serv-U highlights the systemic risk of deploying internet-facing file transfer software without strict network segmentation and rapid patch management.
Frequently Asked Questions
Q1: What is CVE-2026-28318? It is a high-severity unauthenticated denial-of-service flaw (CVSS 7.5) in SolarWinds Serv-U that crashes the service via a crafted HTTP POST request using the Content-Encoding: deflate header.
Q2: Which versions of Serv-U are affected by CVE-2026-28318? All versions of SolarWinds Serv-U up to and including 15.5.4 on both Windows and Linux are vulnerable; the fix is available in Serv-U 15.5.4 Hotfix 1.
Q3: Is CVE-2026-28318 being actively exploited? Yes, CISA confirmed active exploitation in the wild and added it to the KEV catalog on June 5, 2026, with a federal remediation deadline of June 19, 2026.
Q4: Is this vulnerability linked to ransomware attacks? Ransomware campaign involvement is currently unknown, but CISA urges all organizations to patch immediately given the confirmed active exploitation and the zero-authentication attack vector.
Site: thecybrdef.com