PROBABLYPWNED
June 7, 2026

CISA Adds SolarWinds Serv-U Flaw to KEV After Active Exploitation

CVE-2026-28318 lets unauthenticated attackers crash SolarWinds Serv-U servers via malformed POST requests. CISA sets June 19 federal deadline after confirming active exploitation.

Marcus Chen

CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, 2026, after confirming attackers are actively weaponizing a denial-of-service flaw in SolarWinds Serv-U file transfer software. Federal agencies have until June 19 to patch.

The vulnerability carries a CVSS score of 7.5 (High) and requires no authentication to exploit—an attacker just needs network access to the Serv-U service.

How the Attack Works

CVE-2026-28318 is an uncontrolled resource consumption flaw triggered through specially crafted HTTP POST requests. The attack is almost trivially simple:

  1. The attacker sends a POST request with a Content-Encoding: deflate header
  2. Serv-U attempts to decompress the malformed payload
  3. The service consumes excessive resources and crashes

The vulnerable code path doesn't require any authentication, and the deflate encoding isn't even needed for normal Serv-U operations—it's an unnecessary attack surface that should have been disabled by default.

Affected Versions

SolarWinds Serv-U versions prior to 15.5.4 Hotfix 1 are vulnerable. The product is deployed as a managed file transfer (MFT) and FTP server across enterprises worldwide, handling sensitive data transfers in:

  • Financial institutions
  • Healthcare organizations
  • Government agencies
  • Any enterprise requiring secure file exchange

SolarWinds' History

SolarWinds products have been a recurring target since the 2020 SUNBURST supply chain attack that compromised thousands of organizations through trojanized Orion updates. While Serv-U is a different product line, the company's visibility to threat actors remains elevated.

This isn't even Serv-U's first critical vulnerability. In 2021, CVE-2021-35211 allowed remote code execution and was exploited by nation-state actors.

Remediation

  1. Upgrade to Serv-U 15.5.4 HF1 — SolarWinds has released a hotfix addressing the vulnerability
  2. Restrict network access — Limit Serv-U exposure to known IP ranges
  3. Block Content-Encoding headers — Since Serv-U doesn't require deflate functionality, consider blocking requests containing content-encoding headers at the network layer
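
To check whether requests of the kind described above have already reached the service, the following added example (not from SolarWinds or CISA) flags POST requests that carry any Content-Encoding header and notes whether the proxy reported a backend failure on that same request. It assumes an nginx reverse proxy in front of Serv-U with a custom log_format that records `$http_content_encoding`, which default access logs do not include; the log lines, addresses and paths are constructed.

```python
import re
from collections import Counter

# Assumed custom nginx log_format on a proxy in front of Serv-U (not a default):
#   '$remote_addr [$time_iso8601] "$request" $status ce="$http_content_encoding"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ce="(?P<ce>[^"]*)"$'
)
UPSTREAM_DOWN = {"502", "503", "504"}  # proxy got no usable answer from the backend

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.20 [2026-06-06T10:14:58+00:00] "POST /upload HTTP/1.1" 200 ce="-"',
    '203.0.113.7 [2026-06-06T10:15:02+00:00] "POST / HTTP/1.1" 502 ce="deflate"',
    '203.0.113.7 [2026-06-06T10:15:40+00:00] "POST / HTTP/1.1" 502 ce="Deflate"',
    '198.51.100.20 [2026-06-06T10:15:41+00:00] "GET / HTTP/1.1" 502 ce="-"',
    '192.0.2.44 [2026-06-06T10:20:00+00:00] "POST /upload HTTP/1.1" 200 ce="gzip"',
]

def find_suspect_posts(lines):
    """Return (hits, per_ip) for POSTs that carry any Content-Encoding header."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        encoding = m["ce"].strip().lower()
        # nginx writes "-" when the request had no such header
        if m["method"] != "POST" or encoding in ("", "-"):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "path": m["path"],
            "encoding": encoding,
            # Failure on the flagged request itself; a crash also shows up as
            # 502s on unrelated requests that follow (see the GET above).
            "backend_failed": m["status"] in UPSTREAM_DOWN,
        })
        per_ip[m["ip"]] += 1
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = find_suspect_posts(SAMPLE_LOG)
    for h in hits:
        flag = "BACKEND FAILED" if h["backend_failed"] else "served"
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} ce={h["encoding"]} -> {flag}')
    print("POSTs with Content-Encoding per source:", dict(per_ip))
```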

Why This Matters

A DoS vulnerability might seem less critical than remote code execution, but for file transfer infrastructure, availability is everything. Organizations use MFT servers for:

  • Automated batch transfers tied to business processes
  • Regulatory reporting deadlines
  • Partner data exchanges with SLA requirements

An attacker who can crash your file transfer server on demand can disrupt supply chains, cause missed compliance deadlines, and create operational chaos. Combined with ransomware extortion tactics that threaten ongoing disruption, DoS vulnerabilities become powerful leverage tools.

The lack of public details about who's exploiting this and how is concerning—CISA's KEV catalog entry confirms exploitation but provides no threat actor attribution or attack context.

CISA Deadline

Federal Civilian Executive Branch agencies must remediate by June 19, 2026, per BOD 22-01. Private sector organizations should treat this as a priority patch regardless of regulatory obligations.
