CISA Flags SolarWinds Serv-U DoS Flaw as Actively Exploited — Federal Deadline Is June 19

CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, 2026, confirming that attackers are actively exploiting a denial-of-service flaw in SolarWinds Serv-U multi-protocol file server software. Federal Civilian Executive Branch agencies have until June 19 to apply the patch. Private-sector organizations running Serv-U should treat that deadline as a strong signal to patch immediately.
What the Vulnerability Does
CVE-2026-28318 is an uncontrolled resource consumption flaw with a CVSS score of 7.5 (high severity). The attack is straightforward: a specially crafted POST request carrying a Content-Encoding: deflate header crashes the Serv-U service, and no authentication is required. The crash terminates the file transfer service, cutting off access to managed file transfers, SFTP sessions, and FTP operations until the service is manually restarted.
This is a denial-of-service vulnerability, not remote code execution. An attacker cannot use it to steal files or move laterally through a network via this flaw alone. But for organizations that depend on Serv-U for production file transfers — particularly in financial services, healthcare, and government — the ability to crash the service repeatedly and without authentication is a significant operational risk.
The Fix and Immediate Mitigations
SolarWinds patched the vulnerability in Serv-U version 15.5.4 HF1, released earlier this week. Organizations running older versions should update immediately. Where an emergency patch cannot be applied right away, SolarWinds and CISA both recommend two interim mitigations: restrict access to the Serv-U service to known IP addresses only, and block any inbound requests containing a Content-Encoding header, since the vulnerable functionality does not require it.
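The sketch below is an added example, not code from SolarWinds, CISA, or the original report. It applies the two interim mitigations as a policy check over request records from a front-end proxy, which is useful for validating a filter rule or reviewing logs for requests that should have been blocked. The allowlisted ranges, the JSON field names, and the premise that a proxy logs request headers are all assumptions.

```python
import ipaddress
import json

# Assumption: source ranges permitted to reach Serv-U (constructed values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.20.0.0/16")]

# Constructed sample records, one JSON object per line, as a front-end proxy
# might log them. The field names are assumptions, not a Serv-U log format.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "headers": {"Content-Type": "application/json"}}
{"src": "203.0.113.50", "method": "GET", "headers": {}}
{"src": "198.51.100.9", "method": "POST", "headers": {"content-encoding": "deflate"}}
{"src": "203.0.113.51", "method": "POST", "headers": {"Content-Encoding": "gzip"}}
not-json
"""

def evaluate(record):
    """Return the mitigation rules a request violates (empty list = allow)."""
    reasons = []
    try:
        src = ipaddress.ip_address(record.get("src", ""))
        if not any(src in net for net in ALLOWED_NETS):
            reasons.append("source-not-allowlisted")
    except ValueError:
        reasons.append("source-unparseable")  # fail closed on a bad address
    # HTTP header names are case-insensitive, so normalise before matching.
    names = {str(k).strip().lower() for k in (record.get("headers") or {})}
    if "content-encoding" in names:
        reasons.append("content-encoding-present")
    return reasons

def audit(log_text):
    """Return (line_number, src, reasons) for each record the policy blocks."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            findings.append((lineno, None, ["unparseable-record"]))
            continue
        reasons = evaluate(record)
        if reasons:
            findings.append((lineno, record.get("src"), reasons))
    return findings

print(audit(SAMPLE_LOG))
```

Any Content-Encoding value is flagged, not only deflate, which matches the recommendation to block the header outright.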
Why SolarWinds Vulnerabilities Get Heightened Attention
SolarWinds has a history of exploited Serv-U vulnerabilities beyond the 2020 SUNBURST supply chain attack. In 2021, Microsoft disclosed that a China-linked threat actor was exploiting CVE-2021-35211, a remote code execution flaw in Serv-U, to target defense contractors and critical infrastructure. The Cl0p ransomware group subsequently exploited different Serv-U flaws for initial access in 2022. The pattern means that Serv-U vulnerabilities attract sophisticated actors, not just commodity malware operators.
CISA has not yet disclosed who is behind the active exploitation of CVE-2026-28318, how many internet-exposed Serv-U instances have been targeted, or what the specific attack chain looks like beyond the initial crash technique. In past SolarWinds incidents, the full scope of exploitation was not disclosed until weeks after initial CISA advisories.
Exposure Assessment
Shodan and Censys searches for internet-exposed SolarWinds Serv-U instances consistently show tens of thousands of publicly reachable endpoints. The unauthenticated nature of this attack — no credentials needed, just a malformed HTTP request — means the barrier to exploitation is low, and automated scanning for vulnerable instances will begin immediately if it has not already. Organizations should verify their Serv-U version, apply 15.5.4 HF1, and review access control configurations regardless of whether they believe they have been targeted.
Originally reported by The Hacker News. Read the original article for additional details.