SolarWinds Serv-U Vulnerability Under Active Exploitation, CISA Warns
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog after confirming that threat actors are actively exploiting a high-severity flaw in SolarWinds Serv-U, widely used managed file transfer software for Windows and Linux. The vulnerability, classified as uncontrolled resource consumption (CWE-400), lets an unauthenticated attacker crash a Serv-U server remotely by sending a maliciously crafted HTTP POST request that carries a Content-Encoding: deflate header.
When the server attempts to decompress the body of such a request it exhausts system resources and crashes; no user interaction, credentials or elevated privileges are required. The result is a denial-of-service (DoS) condition: the flaw does not directly compromise confidentiality or integrity, but a file transfer server going offline can disrupt payroll processing, compliance workflows, partner data exchanges and the automated transfer jobs that depend on it.
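The textbook form of this weakness is a decompression bomb: a small body that the server must expand to far more data than it has room for. The following is an added illustration of that bug class, not Serv-U code and not the specific trigger used against it (the advisory does not publish one). It builds a zlib-wrapped deflate body of a few tens of kilobytes that inflates to 32 MiB, shows the unbounded handler pattern that lets the stream dictate how much memory the server allocates, and a bounded handler that caps the wire size and the inflated size while decompressing incrementally. The limits, header handling and function names are assumptions chosen for the example.

```python
import zlib

# Illustrative limits (assumptions; the page does not say what ceilings Serv-U applies).
MAX_COMPRESSED = 1 << 20   # accept at most 1 MiB of deflate-encoded wire bytes
MAX_INFLATED = 8 << 20     # allow at most 8 MiB after inflation
CHUNK = 64 << 10           # inflate 64 KiB per step so the cap is checked as output grows


class InflatedTooLarge(ValueError):
    """A deflate body exceeded the compressed or inflated size cap."""


def make_deflate_bomb(inflated_size: int, block: int = 1 << 20) -> bytes:
    """Constructed attacker input: a run of zero bytes, which deflate shrinks roughly
    1000:1, so a few tens of kilobytes on the wire inflate to `inflated_size` bytes."""
    co = zlib.compressobj(level=9)
    zeros = b"\0" * block
    parts = []
    remaining = inflated_size
    while remaining > 0:
        n = min(block, remaining)
        parts.append(co.compress(zeros if n == block else zeros[:n]))
        remaining -= n
    parts.append(co.flush())
    return b"".join(parts)


def deflate(data: bytes) -> bytes:
    """Encode a benign body the way an HTTP client does for Content-Encoding: deflate
    (zlib-wrapped deflate, as RFC 9110 defines that token)."""
    return zlib.compress(data)


def inflate_unbounded(headers: dict, body: bytes) -> bytes:
    """The CWE-400 pattern: honour Content-Encoding and inflate the whole body, letting
    the stream dictate how much memory the server allocates."""
    if headers.get("content-encoding", "").lower() == "deflate":
        return zlib.decompress(body)
    return body


def inflate_bounded(headers: dict, body: bytes,
                    max_compressed: int = MAX_COMPRESSED,
                    max_inflated: int = MAX_INFLATED) -> bytes:
    """Hardened form: cap the wire size, then inflate in bounded steps and abort as soon
    as the running output exceeds the inflated cap, so a bomb never gets to allocate."""
    if headers.get("content-encoding", "").lower() != "deflate":
        return body
    if len(body) > max_compressed:
        raise InflatedTooLarge(f"compressed body of {len(body)} bytes exceeds {max_compressed}")
    d = zlib.decompressobj()          # zlib-wrapped deflate; wbits=-15 would take raw deflate
    out = bytearray()
    data = body
    while True:
        # max_length bounds this call's output; input it could not use stays in unconsumed_tail
        piece = d.decompress(data, CHUNK)
        out += piece
        if len(out) > max_inflated:
            raise InflatedTooLarge(f"inflated body exceeds {max_inflated} bytes")
        data = d.unconsumed_tail
        if d.eof or (not piece and not data):
            break                     # stream finished, or no further progress possible
    if not d.eof:
        raise zlib.error("truncated deflate stream")
    return bytes(out)


def classify(headers: dict, body: bytes) -> str:
    """Verdict for a request body: 'ok', 'rejected' (a cap was hit) or 'malformed'."""
    try:
        inflate_bounded(headers, body)
        return "ok"
    except InflatedTooLarge:
        return "rejected"
    except zlib.error:
        return "malformed"


if __name__ == "__main__":
    hdr = {"content-encoding": "deflate"}
    small = make_deflate_bomb(4 << 20)
    print(f"{len(small)} wire bytes inflate to {len(inflate_unbounded(hdr, small))} bytes unbounded")
    bomb = make_deflate_bomb(32 << 20)
    print(f"{len(bomb)} wire bytes, 32 MiB inflated: bounded verdict = {classify(hdr, bomb)}")
    print("benign upload:", classify(hdr, deflate(b"report,2026-06\n" * 1000)))
    print("truncated stream:", classify(hdr, bomb[:10]))
```

Running it prints the wire size next to the inflated size; the bounded handler rejects the 32 MiB body after 8 MiB of output without allocating the rest, passes the benign compressed upload, and reports a truncated stream as malformed instead of waiting on it. Scale `inflated_size` up and `inflate_unbounded` becomes the out-of-memory crash the advisory describes.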
SolarWinds has released Serv-U 15.5.4 Hotfix 1 to address the vulnerability. Every release before 15.5.4 remains vulnerable, as does 15.5.4 itself without the hotfix, so older installations must be upgraded to 15.5.4 before the hotfix can be applied. Shodan indexes more than 12,000 Serv-U servers exposed to the Internet and Shadowserver tracks roughly 3,100; how many of these are still unpatched is not known.
CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026, which under Binding Operational Directive (BOD) 22-01 obliges federal civilian agencies to remediate it by June 19, 2026. The directive binds only federal entities, but CISA urged private-sector organizations to patch with the same urgency, noting that vulnerabilities of this kind are frequent attack vectors for malicious actors.
Serv-U has been a persistent target for both cybercriminals and state-sponsored groups. CVE-2021-35211, a remote code execution flaw in Serv-U's SSH handling, was exploited as a zero-day in July 2021 by DEV-0322, a group Microsoft assesses as operating out of China, and was picked up later that year by the Clop ransomware gang. In June 2024, GreyNoise and Rapid7 reported active exploitation of CVE-2024-28995, a Serv-U path traversal bug that lets an attacker read files off the server. With 11 SolarWinds vulnerabilities now listed in CISA's KEV catalog, the platform remains a prime target for both cybercrime and espionage operations.
Source: https://cyberpress.org/exploited-solarwinds-serv-u-vulnerability/
SolarWinds TPRM report: https://www.rankiteo.com/company/solarwinds
{
  "id": "sol1780734225",
  "linkid": "solarwinds",
  "type": "Vulnerability",
  "date": "6/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Organizations using unpatched Serv-U versions (over 12,000 servers exposed online)",
      "industry": "Information Technology",
      "location": "United States",
      "name": "SolarWinds",
      "type": "Software vendor"
    }
  ],
  "attack_vector": "Remote exploitation via HTTP POST request with malicious 'Content-Encoding: deflate' header",
  "date_publicly_disclosed": "2026-06-05",
  "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation of a high-severity flaw in SolarWinds Serv-U, a widely used file transfer software. The vulnerability allows unauthenticated attackers to remotely crash Serv-U servers via a maliciously crafted HTTP POST request with a 'Content-Encoding: deflate' header, leading to a denial-of-service (DoS) condition.",
  "impact": {
    "downtime": "Service crash leading to unavailability",
    "operational_impact": [
      "Disruption of payroll processing",
      "Disruption of compliance workflows",
      "Disruption of partner data exchanges",
      "Disruption of automated file transfers"
    ],
    "systems_affected": "SolarWinds Serv-U servers (versions prior to 15.5.4 Hotfix 1)"
  },
  "investigation_status": "Ongoing",
  "motivation": ["Disruption of operations", "Espionage"],
  "post_incident_analysis": {
    "corrective_actions": "Patch deployment and vulnerability remediation",
    "root_causes": "Uncontrolled resource consumption vulnerability (CWE-400) in Serv-U software"
  },
  "recommendations": "Prioritize patching for CVE-2026-28318, monitor for exploitation attempts, and apply Serv-U 15.5.4 Hotfix 1.",
  "references": [
    {"date_accessed": "2026-06-05", "source": "CISA Known Exploited Vulnerabilities Catalog"},
    {"source": "SolarWinds Security Advisory"},
    {"source": "Shodan"},
    {"source": "Shadowserver"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "CISA Binding Operational Directive (BOD) 22-01 for federal agencies"
  },
  "response": {
    "communication_strategy": "CISA advisory and KEV catalog inclusion",
    "containment_measures": "Patch deployment (Serv-U 15.5.4 Hotfix 1)",
    "remediation_measures": "Apply Serv-U 15.5.4 Hotfix 1"
  },
  "stakeholder_advisories": "CISA advisory for federal agencies and private-sector organizations",
  "threat_actor": ["Cybercriminals", "Nation-state groups"],
  "title": "SolarWinds Serv-U Vulnerability Under Active Exploitation (CVE-2026-28318)",
  "type": "Denial-of-Service (DoS)",
  "vulnerability_exploited": "CVE-2026-28318 (Uncontrolled Resource Consumption, CWE-400)"
}
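The record's recommendation to "monitor for exploitation attempts" is easier to act on with a concrete rule. The following is an added example, not part of the record and not SolarWinds or CISA tooling. It assumes a reverse proxy in front of the Serv-U HTTP listener that logs each request's method, Content-Encoding, Content-Length and response status, recording "-" when the upstream never answered; the log layout and every sample line are constructed for the illustration. It flags sources whose deflate-encoded POSTs arrive in a burst or go unanswered or draw 5xx responses, which is how a crashing upstream looks from the proxy, while a legitimate compressed upload that completes normally is left alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed log layout (constructed for this example, not a Serv-U or proxy product format):
#   <UTC time> <client ip> "<method> <path>" <status, or - if never answered> ce=<Content-Encoding or -> cl=<Content-Length>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<src>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}|-) '
    r'ce=(?P<ce>\S+) cl=(?P<cl>\d+)$'
)

# Constructed sample: a normal compressed upload from 198.51.100.4, then three small deflate
# POSTs within two seconds from 203.0.113.7, the last of which never gets an answer.
SAMPLE_LOG = """\
2026-06-05T10:00:01Z 198.51.100.4 "POST /upload" 200 ce=deflate cl=524288
2026-06-05T10:00:05Z 198.51.100.4 "GET /login" 200 ce=- cl=0
2026-06-05T10:03:10Z 203.0.113.7 "POST /" 500 ce=deflate cl=41216
2026-06-05T10:03:11Z 203.0.113.7 "POST /" 500 ce=deflate cl=41216
2026-06-05T10:03:12Z 203.0.113.7 "POST /" - ce=deflate cl=41216
2026-06-05T10:03:40Z 198.51.100.9 "GET /" 502 ce=- cl=0
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["cl"] = int(rec["cl"])
    return rec


def max_in_window(recs: list, window: timedelta) -> int:
    """Largest number of records (sorted by ts) whose timestamps fit inside one window."""
    best = start = 0
    for end in range(len(recs)):
        while recs[end]["ts"] - recs[start]["ts"] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text: str, window: timedelta = timedelta(seconds=60), min_hits: int = 3) -> list:
    """One alert per source whose deflate-encoded POSTs either come in a burst of at least
    min_hits inside `window` or fail (no response, or a 5xx from the upstream)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["ce"].lower() == "deflate":
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in sorted(by_src.items()):
        recs.sort(key=lambda r: r["ts"])
        burst = max_in_window(recs, window)
        failed = [r for r in recs if r["status"] == "-" or r["status"].startswith("5")]
        reasons = []
        if burst >= min_hits:
            reasons.append(f"{burst} deflate POSTs within {int(window.total_seconds())}s")
        if failed:
            reasons.append(f"{len(failed)} deflate POSTs unanswered or answered 5xx")
        if reasons:
            alerts.append({
                "src": src,
                "hits": len(recs),
                "failed": len(failed),
                "max_body_bytes": max(r["cl"] for r in recs),  # tiny bodies that take the server down are the tell
                "first": recs[0]["ts"].isoformat(),
                "last": recs[-1]["ts"].isoformat(),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample the only alert is for 203.0.113.7, with both reasons set and a largest wire body of 41,216 bytes; the 512 KiB upload from 198.51.100.4 that returned 200 produces nothing. The thresholds are starting points: tune `window` and `min_hits` to the normal rate of compressed uploads on the site, and treat an unanswered deflate POST as worth a look even when it is the only one.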