Active Exploitation of SolarWinds Serv-U Flaw CVE-2026-28318
Severity: High (Score: 72.9)
Sources: Bleepingcomputer, documentation.solarwinds.com, www.solarwinds.com
Keywords: solarwinds, serv-u, cisa, hackers, crash, cve-2026-28318, exploit
Severity indicators: CVE:CVE-2026-28318
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a high-severity vulnerability in SolarWinds Serv-U, tracked as CVE-2026-28318. This flaw allows remote attackers to crash the Serv-U service using specially crafted POST requests without requiring authentication. The vulnerability stems from uncontrolled resource consumption and affects both Windows and Linux versions of Serv-U. SolarWinds released a hotfix (15.5.4 Hotfix 1) on June 4, 2026, to address this issue. CISA has added this CVE to its Known Exploited Vulnerabilities Catalog and mandated that all Federal Civilian Executive Branch agencies patch their servers by June 19, 2026. There are over 12,000 Serv-U servers exposed online, increasing the risk of exploitation. Administrators are advised to limit access to known addresses and block specific POST requests until the patch can be applied.
Key Points:
- CISA warns of active exploitation of CVE-2026-28318 in SolarWinds Serv-U software.
- The vulnerability allows attackers to crash the service without authentication.
- Over 12,000 Serv-U servers are currently exposed online, heightening the risk.
Detailed Analysis
**Impact** Over 12,000 SolarWinds Serv-U servers are exposed online, affecting organizations globally across multiple sectors using this Managed File Transfer software. The vulnerability allows attackers to crash Serv-U services, causing denial-of-service conditions that disrupt file transfer operations. U.S. Federal Civilian Executive Branch agencies are mandated to patch by June 19, 2026, indicating critical operational risk within government networks. No data theft or integrity compromise has been reported, but service availability is impacted.

**Technical Details** The vulnerability (CVE-2026-28318, CVSS 7.5) is triggered by unauthenticated, specially crafted POST requests containing the header "Content-Encoding: deflate", causing uncontrolled resource consumption and service crashes. Exploitation requires no privileges or user interaction. The attack targets the Serv-U service on Windows and Linux platforms, affecting versions up to 15.5.4 prior to Hotfix 1. No specific malware or additional tools have been identified in current exploitation reports.

**Recommended Response** Apply SolarWinds Serv-U 15.5.4 Hotfix 1 immediately to remediate the vulnerability. For environments where patching is delayed, restrict Serv-U access to known IP addresses and block POST requests containing "content-encoding" at the web access firewall. Monitor network traffic for anomalous POST requests with this header and track Serv-U service availability for signs of crashes. Federal agencies must comply with CISA’s Binding Operational Directive 22-01 by June 19, 2026.
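The interim mitigation above (known source addresses only, no POST carrying a Content-Encoding header) can be expressed as a small filter; this is an added example, not SolarWinds or CISA code. The allowlist ranges, host name and sample requests are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Assumption: placeholder allowlist standing in for the site's "known addresses".
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]


def parse_head(raw: bytes):
    """Parse a raw HTTP/1.x request head into (method, [(name, value), ...])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Folded continuation line: append to the previous header's value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        # Lower-case and strip the name so "content-ENCODING :" still matches.
        headers.append((name.strip().lower(), value.strip()))
    # Method is upper-cased so the filter errs on the side of blocking.
    return parts[0].upper(), headers


def decide(src_ip: str, raw: bytes):
    """Return (action, reason) for one request; action is 'allow' or 'block'."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return "block", "source not allowlisted"
    try:
        method, headers = parse_head(raw)
    except ValueError as exc:
        return "block", str(exc)
    # Any Content-Encoding on a POST is blocked, not only "deflate".
    if method == "POST" and any(name == "content-encoding" for name, _ in headers):
        return "block", "POST with Content-Encoding"
    return "allow", "ok"


# Constructed sample requests (not captured traffic).
PLAIN_POST = b"POST / HTTP/1.1\r\nHost: sftp.example.test\r\nContent-Length: 0\r\n\r\n"
ENCODED_POST = (b"POST / HTTP/1.1\r\nHost: sftp.example.test\r\n"
                b"content-ENCODING : deflate\r\nContent-Length: 4\r\n\r\nAAAA")
```

The header match is on the name alone and ignores case and stray whitespace, so a rule written only for the exact string "Content-Encoding: deflate" would be narrower than this check.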
Source articles (4)
- CISA: Hackers now exploit SolarWinds Serv — Bleepingcomputer · 2026-06-05
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. Serv-U…
- CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers — Bleepingcomputer · 2026-06-05
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. Serv-U…
- Servu 15 5 4 Hotfix 1 Release Notes — documentation.solarwinds.com · 2026-06-05
  Here's what's new in Serv-U 15.5.4 Hotfix 1. You can find the applicable system requirements here. To view release notes, system requirements, and product guide PDFs for supported versions of Serv-U,…
- CVE-2026-28318 — www.solarwinds.com · 2026-06-05
  SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. MITIGATION STEPS: SolarWinds suggests adding t…
Timeline
- 2021-07-14 — CVE-2021-35211 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2024-06-06 — CVE-2024-28995 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-04 — CVE-2026-28318 published: SolarWinds released a hotfix for a denial-of-service vulnerability in Serv-U, tracked as CVE-2026-28318.
- 2026-06-05 — CISA flags CVE-2026-28318 as exploited: CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities Catalog, urging immediate patching.
- 2026-06-05 — CISA mandates patching deadline: CISA ordered all Federal Civilian Executive Branch agencies to patch against CVE-2026-28318 by June 19, 2026.
Related entities
- DEV-0322 (APT Group)
- DDoS (Attack Type)
- Zero-day Exploit (Attack Type)
- SolarWinds (Company)
- CWE-22 - Path Traversal (CWE)
- CWE-400 - Uncontrolled Resource Consumption (CWE)
- Government (Industry)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- Linux (Platform)
- Serv-U (Platform)
- Windows (Platform)
- Clop (Ransomware Group)
- Clop Ransomware Gang (Ransomware Group)