CISA Adds SolarWinds Serv-U DoS Flaw CVE-2026-28318 to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity denial-of-service vulnerability in SolarWinds Serv-U to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Tracked as CVE-2026-28318 with a CVSS score of 7.5, the bug affects SolarWinds' multi-protocol file server software and was flagged just days after SolarWinds published its own advisory.
The flaw is an uncontrolled resource consumption vulnerability that allows remote, unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests containing the header "Content-Encoding: deflate". Because the deflate encoding is not a required function of the affected service, administrators can block the issue at the perimeter by rejecting any inbound request carrying a "Content-Encoding" header, or by restricting access to known IP ranges. Organizations managing internet-exposed Serv-U instances can use a port scanner to confirm whether the service is reachable and prioritize patching accordingly. SolarWinds has addressed the issue in Serv-U version 15.5.4 HF1, and CISA has ordered all Federal Civilian Executive Branch (FCEB) agencies to remediate by June 19, 2026.
Details on the threat actor or campaign behind the exploitation remain undisclosed, and it is not yet known how many exposed Serv-U deployments have been impacted. The lapse carries added weight given SolarWinds' history: multiple prior Serv-U flaws have been weaponized in the past, including by affiliates of the Cl0p ransomware gang, which has repeatedly chained file-transfer vulnerabilities into mass-exploitation and extortion campaigns. Security teams are urged to verify their Serv-U build versions immediately and audit logs for unexpected service crashes or POST requests with deflate encoding. Defenders can also run an SSL/TLS checker to validate the configuration of any externally accessible file-transfer endpoints, and a WHOIS lookup to vet the ownership of systems that connect to Serv-U hosts. Given the product's track record as a ransomware staging ground, rapid patching and network segmentation should be treated as urgent rather than routine hygiene.
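
The log audit suggested above can be scripted. The sketch below is an added example, not code from SolarWinds or CISA: it assumes a reverse proxy in front of Serv-U that writes JSON-lines access logs including the request's Content-Encoding header, and the field names (`src`, `method`, `content_encoding`) and the sample log are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample log. Field names are assumptions for a hypothetical
# reverse proxy; this is not Serv-U's own log format.
SAMPLE_LOG = """\
{"ts":"2026-06-01T10:00:01Z","src":"198.51.100.7","method":"POST","path":"/","content_encoding":"deflate","status":502}
{"ts":"2026-06-01T10:00:02Z","src":"198.51.100.7","method":"post","path":"/","content_encoding":"Deflate ","status":502}
{"ts":"2026-06-01T10:00:05Z","src":"203.0.113.20","method":"GET","path":"/","content_encoding":"","status":200}
{"ts":"2026-06-01T10:01:00Z","src":"203.0.113.21","method":"POST","path":"/","content_encoding":"gzip","status":200}
not-json line left by a log rotation
{"ts":"2026-06-01T10:02:00Z","src":"203.0.113.20","method":"POST","path":"/","status":200}
"""


def audit(lines):
    """Count POST requests that carried a Content-Encoding header, per source.

    Returns (hits, skipped): hits maps source IP to counts of "deflate" and
    "other_encoding" requests; skipped is the number of unparseable lines.
    """
    hits = defaultdict(lambda: {"deflate": 0, "other_encoding": 0})
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1  # rotation debris or truncated writes
            continue
        if str(rec.get("method", "")).upper() != "POST":
            continue
        # Header values are case-insensitive and may list several codings.
        value = str(rec.get("content_encoding") or "").lower()
        codings = {c.strip() for c in value.split(",") if c.strip()}
        if not codings:
            continue
        key = "deflate" if "deflate" in codings else "other_encoding"
        hits[str(rec.get("src", "unknown"))][key] += 1
    return dict(hits), skipped


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG.splitlines())
    for src, counts in sorted(found.items()):
        print(src, counts)
    print("unparseable lines:", bad)
```

Requests counted under `other_encoding` are reported as well because the perimeter rule described above rejects any request carrying the header, not only deflate.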