Critical SolarWinds Serv-U Flaw Actively Exploited; Immediate Patching Urged by CISA

Critical SolarWinds Serv-U Vulnerability Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical vulnerability in SolarWinds Serv-U file transfer software to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, identified as CVE-2026-28318, is currently being actively exploited by threat actors, posing significant risks to organizations utilizing this software.

Understanding CVE-2026-28318

CVE-2026-28318 is classified as an Uncontrolled Resource Consumption vulnerability (CWE-400). This class of flaw occurs when an application fails to bound the CPU, memory, or other resources it allocates in response to input it receives. In the case of Serv-U, an attacker sends a malicious POST request carrying the `Content-Encoding: deflate` HTTP header; handling that request drives the Serv-U service into excessive resource consumption and crashes it, taking the file transfer service offline (a denial of service). Notably, the request is processed before any authentication takes place, so no credentials are needed, which makes the flaw particularly dangerous for internet-facing instances.

Implications of the Vulnerability

The unauthenticated, remote nature of this vulnerability makes it an attractive target for threat actors. By exploiting it, an attacker can crash the Serv-U service and interrupt file transfers for every user of the instance; as described, the flaw is a denial of service and does not by itself grant access to data or to the host, but repeated crashes disrupt business processes that depend on scheduled or partner-facing transfers. Organizations that expose Serv-U services to the internet are especially at risk, because the malicious POST can be sent by anyone able to reach the service over the network.

CISA’s Response and Recommendations

On June 5, 2026, CISA added CVE-2026-28318 to its KEV catalog, setting a remediation deadline of June 19, 2026, for all Federal Civilian Executive Branch (FCEB) agencies. Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to remediate KEV-listed vulnerabilities within the specified timeframe. While it remains unclear whether this vulnerability has been exploited in ransomware campaigns, CISA urges all organizations, not just federal entities, to address this issue promptly due to active exploitation in the wild.

Affected Products and Patch Availability

SolarWinds has released a hotfix addressing the vulnerability in Serv-U version 15.5.4 Hotfix 1. Organizations running any prior version of Serv-U are considered vulnerable and should apply the patch immediately. SolarWinds published the advisory through its Trust Center, and full technical details are available via the NVD entry for CVE-2026-28318.

Recommended Actions for Organizations

To mitigate the risks associated with CVE-2026-28318, organizations should:

– Apply the Patch: Implement the SolarWinds Serv-U 15.5.4 Hotfix 1 without delay.

– Restrict Exposure: Limit who can reach the Serv-U HTTP/HTTPS listener by placing it behind a firewall or VPN, or by restricting access to trusted source networks, where feasible. Because the attack is unauthenticated, reducing network reachability is the most effective compensating control short of patching.

– Monitor Logs: Regularly check logs for anomalous POST requests containing the `Content-Encoding: deflate` header, paying particular attention to unauthenticated sources, bursts of such requests from a single client, and requests that immediately precede a service crash or restart. A single deflate-encoded POST from a legitimate, authenticated client is not on its own evidence of attack.

– Disable or Decommission: If immediate patching isn’t possible, consider disabling or decommissioning Serv-U instances.

– Follow BOD 22-01 Guidance: Apply the standard KEV instruction: implement mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
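The log-monitoring step above can be scripted. The following is an added example for this article, not SolarWinds code: it triages access-log records for the request shape described for CVE-2026-28318 (an unauthenticated POST carrying `Content-Encoding: deflate`) and reports clients that send such requests in a burst or whose request is followed by a 5xx response, which is consistent with the service crashing. The log format (timestamp, client IP, authenticated user or `-`, method, path, status, content-encoding value or `-`) and the sample lines are constructed for the demo and are not Serv-U's native log format; map `parse_line()` onto whatever your Serv-U, reverse proxy, or network sensor actually records.

```python
"""Triage access logs for unauthenticated POSTs with Content-Encoding: deflate.

Added example, not vendor code. The record format is constructed for the demo:
<ISO-8601 timestamp> <client IP> <user or '-'> <method> <path> <status> content-encoding=<value or '-'>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Request:
    ts: datetime
    client: str
    user: str        # '-' when the request was not authenticated
    method: str
    path: str
    status: int
    encoding: str    # value of the Content-Encoding request header, '-' if absent


def parse_line(line: str) -> Request | None:
    """Parse one constructed-format record; return None for anything else."""
    parts = line.split()
    if len(parts) != 7 or not parts[6].startswith("content-encoding="):
        return None
    ts, client, user, method, path, status, enc = parts
    try:
        return Request(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            client=client,
            user=user,
            method=method.upper(),
            path=path,
            status=int(status),
            encoding=enc.split("=", 1)[1].lower(),
        )
    except ValueError:
        return None


def is_suspect(req: Request) -> bool:
    """A POST carrying Content-Encoding: deflate with no authenticated user.

    Authenticated clients may legitimately send deflate-encoded bodies, so they
    are excluded here to keep false positives down.
    """
    return req.method == "POST" and req.encoding == "deflate" and req.user == "-"


def triage(lines, burst_threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> dict:
    """Group suspect requests per client and report the ones worth escalating.

    A client is reported when it sends `burst_threshold` suspect requests inside
    `window` (sliding), or when any suspect request drew a 5xx response.
    """
    per_client: dict[str, list[Request]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is not None and is_suspect(req):
            per_client[req.client].append(req)

    findings = {}
    for client, reqs in per_client.items():
        reqs.sort(key=lambda r: r.ts)
        errors = sum(1 for r in reqs if r.status >= 500)
        burst = False
        start = 0
        for end in range(len(reqs)):                      # sliding time window
            while reqs[end].ts - reqs[start].ts > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                burst = True
                break
        if burst or errors:
            findings[client] = {
                "count": len(reqs),
                "errors": errors,
                "burst": burst,
                "first": reqs[0].ts.isoformat(),
                "last": reqs[-1].ts.isoformat(),
            }
    return findings


# Constructed sample records: one benign authenticated upload, one client that
# hammers the service and triggers a 503, and one client with a single deflate
# POST that coincides with a 503.
SAMPLE_LOG = """\
2026-06-05T10:00:01Z 203.0.113.7 alice POST /files/report.zip 200 content-encoding=deflate
2026-06-05T10:00:02Z 198.51.100.9 - GET /login 200 content-encoding=-
2026-06-05T10:00:03Z 198.51.100.9 - POST / 200 content-encoding=deflate
2026-06-05T10:00:04Z 198.51.100.9 - POST / 200 content-encoding=deflate
2026-06-05T10:00:05Z 198.51.100.9 - POST / 503 content-encoding=deflate
2026-06-05T10:30:00Z 192.0.2.44 - POST /login 200 content-encoding=gzip
2026-06-05T11:00:00Z 192.0.2.44 - POST / 503 content-encoding=deflate
"""

if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

Two caveats when adapting this: if Serv-U itself does not record request headers in its logs, the `Content-Encoding` value has to come from a reverse proxy or a network sensor in front of it (an assumption about your deployment, not something the advisory states), and the burst threshold and window should be tuned against a baseline of normal traffic before the rule is used for alerting.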

Security teams should consult the official SolarWinds advisory and NIST NVD entry for the latest technical details and patch guidance.