2026-06-05 BleepingComputer

CISA Warns: SolarWinds Serv-U Flaw Actively Exploited to Crash Servers

Tags: Vulnerability, Incident Response, Threat Intel

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that threat actors are actively exploiting a recently patched high-severity vulnerability in SolarWinds Serv-U file transfer software to crash servers in denial-of-service attacks. Tracked as CVE-2026-28318, the flaw stems from an uncontrolled resource consumption weakness that allows remote, unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests using `Content-Encoding: deflate`. SolarWinds addressed the bug in Serv-U 15.5.4 Hotfix 1 and recommended that administrators unable to deploy the patch immediately restrict access to known IP addresses and block any POST request containing the `content-encoding` header, since legitimate Serv-U operations do not require it.
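As an added illustration of the interim mitigation described above (example code, not from SolarWinds, CISA or BleepingComputer), here is the decision logic a reverse proxy or WAF in front of Serv-U could apply: allow only known source networks, and reject any POST carrying a `Content-Encoding` header. The allowlisted networks and host name are constructed values.

```python
import ipaddress
from typing import Mapping

# Interim mitigation for CVE-2026-28318 as summarized above: restrict access to
# known source IPs and reject POST requests that carry a Content-Encoding
# header, which legitimate Serv-U operations never send. Constructed allowlist.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def source_allowed(client_ip: str, allowed=ALLOWED_SOURCES) -> bool:
    """True if the client address lies inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: fail closed
    return any(addr in net for net in allowed)


def has_content_encoding(headers: Mapping[str, str]) -> bool:
    """HTTP header names are case-insensitive, so compare on the lowercased name."""
    return any(name.strip().lower() == "content-encoding" for name in headers)


def decide(client_ip: str, method: str, headers: Mapping[str, str]) -> str:
    """Return 'allow', or a short reason the request should be rejected."""
    if not source_allowed(client_ip):
        return "block: source not allowlisted"
    if method.upper() == "POST" and has_content_encoding(headers):
        return "block: POST with Content-Encoding header"
    return "allow"


# Constructed sample requests as (client_ip, method, headers); the last two
# mirror the crafted-POST pattern the advisory describes.
SAMPLES = [
    ("203.0.113.10", "GET", {"Host": "ftp.example.test"}),
    ("203.0.113.10", "POST", {"Host": "ftp.example.test", "Content-Length": "12"}),
    ("203.0.113.10", "POST", {"Host": "ftp.example.test", "content-encoding": "deflate"}),
    ("192.0.2.44", "POST", {"Host": "ftp.example.test", "Content-Encoding": "deflate"}),
]

if __name__ == "__main__":
    for ip, method, hdrs in SAMPLES:
        print(f"{ip:>14} {method:<5} -> {decide(ip, method, hdrs)}")
```

The header check is deliberately broader than `deflate` alone, matching the vendor guidance to block any POST with a `content-encoding` header rather than one encoding value.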

CISA has added CVE-2026-28318 to its Known Exploited Vulnerabilities Catalog, ordering all Federal Civilian Executive Branch agencies to remediate the flaw by June 19 under Binding Operational Directive (BOD) 22-01. The agency also urged private-sector organizations to apply mitigations promptly, noting that the vulnerability has low attack complexity and requires no user interaction. According to Shodan, more than 12,000 Serv-U instances remain exposed online, while Shadowserver tracks over 3,100—though it is unclear how many have already been patched. Network defenders should audit their perimeter exposure immediately, using a port scanner to identify any internet-facing Serv-U endpoints and confirming that each one is running 15.5.4 Hotfix 1 or later, and verify their TLS posture with an SSL/TLS checker to ensure secure file transfer configurations.

The Serv-U flaw is the latest in a long string of vulnerabilities targeting the file transfer platform, which has become a recurring entry point for both cybercrime and state-backed groups. The Clop ransomware gang previously weaponized a Serv-U remote code execution bug (CVE-2021-35211) during a 2021 breach campaign, while the Chinese-linked cluster tracked as DEV-0322 exploited the same flaw in zero-day attacks beginning in July 2021. More recently, in June 2024, researchers at GreyNoise and Rapid7 observed active exploitation of a Serv-U path-traversal vulnerability (CVE-2024-28995). Given Serv-U's history as a high-value target, administrators should also run a comprehensive privacy checkup across their environments to surface additional misconfigurations that could compound the risk from this latest wave of attacks.

Source: BleepingComputer
