CISA Warns SolarWinds Serv-U Flaw Is Being Exploited in Attacks
CISA has warned that attackers are exploiting a SolarWinds Serv-U vulnerability that can crash affected file transfer servers without authentication.
The agency added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, 2026. Federal civilian agencies must address the flaw by June 19, 2026, under CISA’s remediation rules for exploited vulnerabilities.
The issue affects SolarWinds Serv-U, a file transfer product used by organizations to move files across managed networks. The vulnerability does not allow remote code execution, but it can create a denial-of-service condition that disrupts access to the Serv-U service.
What CVE-2026-28318 does
The SolarWinds advisory describes CVE-2026-28318 as an unauthenticated denial-of-service vulnerability. A remote attacker can send specially crafted POST requests that cause the Serv-U service to crash.
The flaw is tied to how Serv-U handles requests that include the Content-Encoding: deflate header. SolarWinds says this functionality is not required by the service, which is why the company recommends blocking such requests if customers cannot immediately deploy the hotfix.
The NVD entry lists the issue as CWE-400, Uncontrolled Resource Consumption. The CVSS 3.1 score is 7.5, with network attack vector, low attack complexity, no privileges required, and high availability impact.
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-28318 |
| Affected product | SolarWinds Serv-U |
| Vulnerability type | Unauthenticated denial of service |
| CWE | CWE-400, Uncontrolled Resource Consumption |
| CVSS score | 7.5 High |
| Fixed version | SolarWinds Serv-U 15.5.4 Hotfix 1 |
CISA says attackers are exploiting the flaw
CISA’s KEV listing means the agency has evidence that the vulnerability is being exploited in the wild. CISA has not published detailed information about the attackers, targets, or scale of exploitation.
The deadline applies directly to U.S. Federal Civilian Executive Branch agencies, but private organizations should also treat the warning seriously. CISA’s KEV catalog often acts as a priority list for vulnerabilities that defenders should patch first.
Serv-U systems can sit on the edge of an organization’s network because they support file transfer workflows. That makes availability important, especially for companies that depend on file exchanges with customers, partners, suppliers, or internal departments.
SolarWinds released a hotfix for Serv-U
SolarWinds fixed the vulnerability in Serv-U 15.5.4 Hotfix 1, which was released on June 4, 2026. The release notes say the hotfix addresses CVE-2026-28318 and adds no new features.
SolarWinds says customers who installed Serv-U 15.5.4 should also install Serv-U 15.5.4 Hotfix 1. The company lists Serv-U 15.5.4 and below as affected in its advisory.
After the fix, SolarWinds says an attacker can no longer crash the Serv-U service by sending a simple request with Content-Encoding: deflate and data.
- Install Serv-U 15.5.4 Hotfix 1 as soon as possible.
- Confirm whether internet-facing Serv-U servers run affected versions.
- Limit access to trusted IP addresses where possible.
- Use a web application firewall to block risky request patterns if patching must be delayed.
- Monitor Serv-U logs and system availability for unexpected crashes.
Who is affected by CVE-2026-28318?
The vendor advisory lists SolarWinds Serv-U 15.5.4 and below as affected. Organizations running older Serv-U deployments should assume exposure until they confirm the installed version and apply the update.
The NVD record also lists Serv-U versions up to, but excluding, the fixed hotfix release as vulnerable. Security teams should check both Windows and Linux Serv-U deployments.
The risk is higher for systems exposed to the internet, but internal Serv-U servers should not be ignored. Attackers who already have a foothold in a network may use denial-of-service bugs to disrupt operations or distract defenders during a broader intrusion.
| Environment | Risk level | Recommended action |
|---|---|---|
| Internet-facing Serv-U server | High | Patch immediately and restrict access where possible |
| Partner-facing file transfer server | High | Patch and review firewall allowlists |
| Internal-only Serv-U server | Medium | Patch and monitor for service crashes |
| Unused or legacy Serv-U instance | High if exposed | Disable, isolate, or decommission if no longer needed |
Mitigation options if patching is delayed
SolarWinds recommends limiting web access to known addresses when possible. The company also recommends blocking POST requests that contain the Content-Encoding header because that functionality is not required by Serv-U.
These mitigations can help reduce exposure, but they should not replace the hotfix unless an organization cannot patch immediately. A workaround can fail if it does not cover every route to the vulnerable service.
Admins should place Serv-U behind a firewall, VPN, or tightly scoped access control list where business requirements allow it. They should also review WAF rules, reverse proxy rules, and load balancer settings that sit in front of Serv-U.
Why denial-of-service flaws still matter
Some teams may treat a denial-of-service bug as less urgent than remote code execution or authentication bypass. CISA’s action shows why that can be risky when exploitation is active.
A crashed file transfer service can interrupt payments, backups, customer uploads, legal exchanges, software delivery, or partner workflows. Attackers may also use disruption to increase pressure during extortion attempts or to hide other activity.
SolarWinds Serv-U has also drawn attacker interest in past years through other vulnerabilities. That history makes fast patching more important for any organization that exposes the service to untrusted networks.
- Denial-of-service attacks can stop file transfer workflows.
- Repeated crashes can hide other suspicious activity in operational noise.
- Exposed file transfer servers often attract scanning and exploitation attempts.
- Older Serv-U deployments may also carry other unresolved risks.
What security teams should do now
Security teams should first inventory all SolarWinds Serv-U deployments. This includes production, test, backup, legacy, and partner-facing servers.
Next, teams should compare installed versions with the Serv-U 15.5.4 Hotfix 1 release notes and apply the fix where needed. Any exposed server that cannot be patched quickly should receive temporary network-level controls.
Organizations should also review monitoring rules for Serv-U process crashes, unexpected restarts, unusual POST requests, and repeated availability failures. These signals can help defenders spot exploitation attempts before the disruption becomes business-critical.
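The following Python sketch is an added example of the "unusual POST requests" check described above; it is not code from SolarWinds or CISA. It assumes a reverse proxy in front of Serv-U that writes JSON access logs including the Content-Encoding request header; the field names, the sample lines, and the use of status 403 for a proxy-side block are all assumptions.

```python
import json
from collections import Counter

# Constructed sample: JSON access-log lines from a reverse proxy in front of Serv-U.
# Field names (client, method, path, content_encoding, status) are assumptions;
# the proxy must be configured to log the Content-Encoding request header.
SAMPLE_LOG = """\
{"ts":"2026-06-06T10:00:01Z","client":"198.51.100.7","method":"POST","path":"/","content_encoding":"deflate","status":502}
{"ts":"2026-06-06T10:00:02Z","client":"198.51.100.7","method":"POST","path":"/","content_encoding":"Deflate","status":502}
{"ts":"2026-06-06T10:00:05Z","client":"203.0.113.20","method":"POST","path":"/","content_encoding":"","status":200}
{"ts":"2026-06-06T10:00:09Z","client":"203.0.113.20","method":"GET","path":"/","content_encoding":"gzip","status":200}
{"ts":"2026-06-06T10:00:12Z","client":"192.0.2.44","method":"POST","path":"/","content_encoding":"gzip","status":403}
not-json garbage line
"""

def suspicious_posts(log_text):
    """Return log entries for POST requests that carried a Content-Encoding header."""
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(entry, dict):
            continue
        # Header values are case-insensitive, so normalise before comparing.
        encoding = str(entry.get("content_encoding") or "").strip().lower()
        if str(entry.get("method", "")).upper() == "POST" and encoding:
            entry["content_encoding"] = encoding
            # Assumption: 403 means the proxy/WAF block rule rejected the request.
            entry["reached_backend"] = entry.get("status") != 403
            hits.append(entry)
    return hits

def summarize(hits):
    """Count flagged requests per client, split by whether the block rule caught them."""
    passed = Counter(h.get("client", "unknown") for h in hits if h["reached_backend"])
    blocked = Counter(h.get("client", "unknown") for h in hits if not h["reached_backend"])
    return dict(passed), dict(blocked)

if __name__ == "__main__":
    passed, blocked = summarize(suspicious_posts(SAMPLE_LOG))
    for client, n in passed.items():
        print(f"ALERT {client}: {n} encoded POST(s) reached Serv-U; check block rule on this route")
    for client, n in blocked.items():
        print(f"info  {client}: {n} encoded POST(s) rejected at the proxy")
```

Clients listed under ALERT show a route where the temporary block is not in effect, which is the workaround gap the mitigation section warns about.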
FAQ
CVE-2026-28318 is an unauthenticated denial-of-service vulnerability in SolarWinds Serv-U. Attackers can abuse the flaw remotely to crash the Serv-U service.
Yes. CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, 2026, which means the agency has evidence of active exploitation in the wild.
SolarWinds lists Serv-U 15.5.4 and below as affected. The fixed release is SolarWinds Serv-U 15.5.4 Hotfix 1.
CVE-2026-28318 has a CVSS 3.1 score of 7.5, which is High severity. The main impact is availability because exploitation can crash the Serv-U service.
Organizations should install Serv-U 15.5.4 Hotfix 1, restrict access to trusted addresses, place exposed servers behind protective controls, and monitor for crashes or suspicious POST requests.