CISA: Patch actively exploited SolarWinds Serv-U DoS vulnerability (CVE-2026-28318)
A vulnerability (CVE-2026-28318) that can be exploited to crash SolarWinds Serv-U file transfer servers is being leveraged by attackers in the wild, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Friday.

The agency has ordered US federal civilian agencies to address it by June 19, 2026, either by applying the patch or by implementing mitigations.
About CVE-2026-28318
CVE-2026-28318 is an uncontrolled resource consumption vulnerability that can be triggered by remote, unauthenticated attackers.
The flaw resides in how the Serv-U service handles HTTP POST requests that include the Content-Encoding: deflate header. By sending a request crafted this way, an attacker can force Serv-U to consume an excessive amount of resources, causing the service to crash and creating a denial-of-service condition.
The vulnerability was disclosed by SolarWinds on June 3, after it released Serv-U 15.5.4 Hotfix 1, which fixes it.
“Customers who downloaded and installed Serv-U 15.5.4 should also download and install Serv-U 15.5.4 Hotfix 1,” the company said.
Alternatively, they can use their web application firewall to limit access to the server only to known addresses, and block POST requests containing “content-encoding”, “as this functionality is not required by the service.”
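The mitigation described above, expressed as a filter decision function in Python. This is an added example, not code from SolarWinds, CISA or any WAF vendor; the allowlisted networks, host name, function names and sample requests are constructed for illustration.

```python
import ipaddress

# Constructed allowlist (documentation address ranges); replace with known partner networks.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

def parse_head(raw: bytes):
    """Return (method, headers) parsed from the bytes before the first blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Reject folded lines and whitespace around the field name, so a
        # variant like "Content-Encoding : deflate" cannot slip past the check.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.lower(), []).append(value.strip())
    return parts[0], headers

def decide(src_ip: str, raw: bytes):
    """Apply both mitigations; return (allowed, reason). Fails closed on parse errors."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source-not-allowlisted"
    try:
        method, headers = parse_head(raw)
    except ValueError:
        return False, "malformed-request"
    # Header names are case-insensitive; any Content-Encoding on a POST is refused,
    # whatever its value, since the service does not need the feature.
    if method.upper() == "POST" and "content-encoding" in headers:
        return False, "post-with-content-encoding"
    return True, "ok"

# Constructed sample requests (source address, raw request bytes).
HOST = b"Host: sftp.example.test\r\n"
SAMPLES = [
    ("192.0.2.10", b"GET / HTTP/1.1\r\n" + HOST + b"\r\n"),
    ("192.0.2.10", b"POST / HTTP/1.1\r\n" + HOST + b"Content-Length: 2\r\n\r\nhi"),
    ("192.0.2.10", b"POST / HTTP/1.1\r\n" + HOST + b"content-ENCODING: deflate\r\n\r\n"),
    ("192.0.2.10", b"POST / HTTP/1.1\r\n" + HOST + b"Content-Encoding : deflate\r\n\r\n"),
    ("198.51.100.7", b"GET / HTTP/1.1\r\n" + HOST + b"\r\n"),
]

if __name__ == "__main__":
    for ip, req in SAMPLES:
        print(ip, req.split(b"\r\n", 1)[0].decode(), decide(ip, req))
```

The check runs on the request head only, so a blocked request is refused before any body is read or decompressed.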
Don’t dismiss this Serv-U DoS bug
A remote code execution vulnerability (CVE-2021-35211) affecting SolarWinds Serv-U software has previously been exploited as a zero-day by suspected Chinese attackers for cyber espionage purposes, and later by the Cl0p ransomware outfit.
In 2022, an input validation vulnerability (CVE-2021-35247) was targeted in Log4j-related attacks. Two years ago, the “trivially exploitable” CVE-2024-28995 was also leveraged by attackers.
CISA hasn’t provided details about the in-the-wild exploitation of CVE-2026-28318, and there’s currently no indication of it being exploited by ransomware-wielding gangs.
SolarWinds Serv-U is a self-hosted solution that allows organizations to securely transfer files over a network. It’s often used by organizations working in regulated industries and sectors, such as healthcare, finance, and government, where data sovereignty and audit trails are a requirement.
While vulnerabilities that allow total compromise of Serv-U deployments are preferred by attackers, a DoS bug can be used to disrupt organizations’ operations or to distract enterprise defenders from other covert activity.

