The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed SolarWinds Serv-U vulnerability tracked as CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows unauthenticated remote attackers to crash the Serv-U file transfer service using a single specially crafted HTTP request, and threat actors are already exploiting it in the wild.
What Is CVE-2026-28318?
CVE-2026-28318 is classified as an Uncontrolled Resource Consumption flaw (CWE-400) in SolarWinds Serv-U file transfer software. The vulnerability resides in how Serv-U processes incoming HTTP requests: an attacker can send a malicious POST request using the Content-Encoding: deflate HTTP header, forcing the service to consume excessive memory or CPU resources until it crashes. The attack requires no authentication and is remotely exploitable from the internet, making it a trivial target for automated scanners.
Active Exploitation and CISA Response
CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026, with a remediation deadline of June 19, 2026 for all Federal Civilian Executive Branch agencies under Binding Operational Directive (BOD) 22-01. While direct ransomware linkage has not been confirmed, CISA’s KEV designation indicates verified real-world exploitation. Organizations with internet-facing Serv-U instances should treat this as a critical emergency regardless of sector.
Business Impact of MFT Availability Attacks
SolarWinds Serv-U is widely deployed across government agencies, financial institutions, healthcare organizations, and enterprises as a managed file transfer (MFT) and SFTP solution. A denial-of-service attack against MFT infrastructure carries serious operational consequences:
- Disruption of critical workflows including payroll, invoicing, and regulatory reporting
- Denial of service to business partners and customers depending on the platform
- Potential use as a smokescreen for concurrent data exfiltration or lateral movement
- Regulatory and contractual exposure if file transfer service-level agreements are violated
Patch Details
SolarWinds has released a fix in Serv-U version 15.5.4 Hotfix 1. All prior versions are considered vulnerable. The advisory is available through the SolarWinds Trust Center, and the NVD entry for CVE-2026-28318 provides additional technical details.
Mitigation Steps
- Apply Serv-U 15.5.4 Hotfix 1 immediately across all production instances.
- Restrict internet exposure by placing Serv-U behind a firewall, reverse proxy, or VPN.
- Monitor HTTP logs for POST requests with Content-Encoding: deflate headers.
- Suspend unpatched instances if they are directly internet-accessible and patching is delayed.
- Segment the network to contain any service crash or follow-on compromise.
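The log-monitoring step above, as an added example that is not code from SolarWinds, CISA or the source article: a Python script that flags POST requests declaring Content-Encoding: deflate in a reverse-proxy access log and counts how many were answered with a gateway error. The nginx log_format (with $http_content_encoding appended), the sample lines and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed nginx log_format on the proxy in front of Serv-U (not from the article):
#   '$remote_addr - - [$time_local] "$request" $status $body_bytes_sent "$http_content_encoding"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<enc>[^"]*)"$'
)
GATEWAY_ERRORS = {"502", "503", "504"}  # proxy got no usable answer from the backend

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:10:14:02 +0000] "POST /upload HTTP/1.1" 200 512 "gzip"
198.51.100.23 - - [05/Jun/2026:10:14:05 +0000] "POST / HTTP/1.1" 502 0 "deflate"
198.51.100.23 - - [05/Jun/2026:10:14:06 +0000] "POST / HTTP/1.1" 502 0 "Deflate"
203.0.113.7 - - [05/Jun/2026:10:14:09 +0000] "GET /login HTTP/1.1" 502 0 "-"
192.0.2.44 - - [05/Jun/2026:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "deflate"
192.0.2.50 - - [05/Jun/2026:10:16:00 +0000] "POST /api HTTP/1.1" 200 64 "gzip, deflate"
"""

def has_deflate(header_value):
    """Content-Encoding is a case-insensitive, comma-separated list of codings."""
    return "deflate" in {c.strip().lower() for c in header_value.split(",")}

def find_deflate_posts(lines):
    """Return {client_ip: [(timestamp, path, status), ...]} for POSTs declaring deflate."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["method"] == "POST" and has_deflate(m["enc"]):
            hits[m["ip"]].append((m["ts"], m["path"], m["status"]))
    return dict(hits)

def summarize(hits):
    """One row per client: (ip, request count, count answered with a gateway error)."""
    rows = [(ip, len(ev), sum(s in GATEWAY_ERRORS for _, _, s in ev)) for ip, ev in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for ip, total, errors in summarize(find_deflate_posts(SAMPLE_LOG.splitlines())):
        print(f"{ip}: {total} deflate POST(s), {errors} with 502/503/504")
```

A match is a lead for review rather than proof of exploitation, since legitimate clients can also send deflate-encoded request bodies.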
MFT Platforms: A Persistent High-Value Target
SolarWinds has faced sustained security scrutiny since the 2020 supply chain compromise. Managed file transfer platforms broadly have become recurring targets for nation-state actors and ransomware groups, with catastrophic exploitation of MOVEit, GoAnywhere, and Citrix ShareFile in recent years causing large-scale data breaches at hundreds of organizations.
CVE-2026-28318 reinforces that even denial-of-service vulnerabilities in MFT software carry severe risk. Continuous patching cadences for these critical systems are non-negotiable.
Source: Cyber Security News | CISA KEV Catalog | SolarWinds Trust Center