GBHackers

CISA Alerts on Actively Exploited SolarWinds Serv-U Denial-of-Service Flaw


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability in SolarWinds Serv-U to its Known Exploited Vulnerabilities (KEV) catalog.

Tracked as CVE-2026-28318, this flaw allows unauthenticated threat actors to remotely crash the file transfer service. With active exploitation observed in the wild, this development signals a severe risk to enterprise networks that expose Serv-U instances to the public internet.

CVE-2026-28318 is classified as an Uncontrolled Resource Consumption vulnerability, categorized under CWE-400.

SolarWinds Serv-U Vulnerability Exploited

This class of flaw occurs when an application fails to place proper limits on the system resources it allocates while processing incoming data. In SolarWinds Serv-U, the vulnerability lies in how the software handles specific HTTP requests.

An attacker can exploit this weakness by sending a maliciously crafted POST request containing the Content-Encoding: deflate HTTP header.

When the Serv-U service attempts to process this payload, it consumes excessive CPU and memory resources, ultimately triggering a denial-of-service (DoS) condition.

The attack vector is particularly concerning because it requires zero privileges or authentication credentials.

Furthermore, it can be executed entirely over the network, making it a highly attractive vector for remote threat actors looking to disrupt enterprise file-sharing operations or mask secondary intrusions.

Following concrete evidence of active exploitation, CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate the vulnerability by June 19, 2026.

While current threat intelligence has not explicitly linked this specific exploit to known ransomware campaigns, CISA and cybersecurity experts urge all organizations to treat the flaw with the highest urgency.

Unauthenticated network vulnerabilities are frequently weaponized by advanced persistent threat (APT) groups and initial access brokers to establish footholds in corporate environments.

Mitigation

SolarWinds has responded to the threat by releasing a security hotfix. Organizations running any version of the software prior to the patched release are considered vulnerable and must take immediate action. Security teams should implement the following steps to secure their infrastructure:

  • Apply the SolarWinds Serv-U 15.5.4 Hotfix 1 patch immediately across all affected enterprise deployments.
  • Restrict Serv-U service exposure by placing the application behind a corporate firewall or secure VPN.
  • Monitor security logs for anomalous POST requests containing the Content-Encoding: deflate HTTP header.
  • Disable or decommission vulnerable Serv-U instances immediately if patch deployment is delayed.
  • Ensure compliance with BOD 22-01 guidance for both on-premises and cloud-hosted Serv-U architectures.
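The log-monitoring step above can be turned into a simple hunt. The script below is an added example, not code from SolarWinds or the original article: it parses constructed reverse-proxy style access-log lines that record the request line and the Content-Encoding request header (an assumed layout, since the page does not document Serv-U's own log format), flags POST requests whose encoding list includes deflate in any case or combination, and counts hits per source address so a burst from one client stands out.

```python
import re
from collections import Counter

# Constructed sample lines (an assumed proxy log layout that records the request
# line plus the Content-Encoding request header as ce="..."; the URL paths and
# addresses are made up). Adapt LINE_RE to whatever your own log source emits.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:10:01:12 +0000] "POST /api/upload HTTP/1.1" 200 ce="deflate"
203.0.113.7 - - [05/Jun/2026:10:01:13 +0000] "POST /api/upload HTTP/1.1" 503 ce="deflate"
198.51.100.4 - - [05/Jun/2026:10:02:01 +0000] "GET /Login HTTP/1.1" 200 ce="-"
198.51.100.9 - - [05/Jun/2026:10:02:30 +0000] "POST /api/upload HTTP/1.1" 200 ce="gzip, DEFLATE"
192.0.2.5 - - [05/Jun/2026:10:03:00 +0000] "POST /api/upload HTTP/1.1" 200 ce="gzip"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ce="(?P<ce>[^"]*)"$'
)


def uses_deflate(content_encoding: str) -> bool:
    """True if 'deflate' appears among the comma-separated codings, case-insensitively."""
    codings = [c.strip().lower() for c in content_encoding.split(",")]
    return "deflate" in codings


def find_suspicious(log_text: str) -> list[dict]:
    """Return one record per POST whose Content-Encoding header lists deflate.

    Legitimate clients can send deflate-encoded bodies too, so treat a hit as a
    hunting lead to correlate with CPU/memory spikes, not as proof of attack.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the hunt
        if m["method"].upper() == "POST" and uses_deflate(m["ce"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def hits_per_source(hits: list[dict]) -> Counter:
    """Count matches per client address; repeated hits from one source are the stronger signal."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for record in found:
        print(record)
    print(hits_per_source(found))
```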

Security teams should continually consult the official SolarWinds advisory via its Trust Center and the NIST NVD entry for the latest technical updates and threat intelligence.
