
CISA confirms SolarWinds Serv-U is under active attack — federal agencies have until June 19 to patch

BleepingComputer

CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog on June 8, 2026, confirming that attackers are actively exploiting a denial-of-service flaw in SolarWinds Serv-U. Under Binding Operational Directive 22-01 (BOD 22-01), all Federal Civilian Executive Branch (FCEB) agencies are required to apply the fix by June 19, 2026 — an eleven-day window that signals how seriously CISA is treating this.

SolarWinds has released a patch: Serv-U 15.5.4 Hotfix 1. Organizations that cannot patch immediately have specific interim mitigations available. There is no ambiguity about the severity — exploitation is confirmed and the attack is unauthenticated, requiring no credentials or prior access.

What Serv-U is and who runs it

SolarWinds Serv-U is an enterprise multi-protocol file transfer server supporting FTP, SFTP, FTPS, HTTP, and HTTPS. It is widely deployed across government agencies, financial institutions, healthcare organizations, and large enterprises that need managed, auditable file transfer infrastructure — exactly the environments with strict compliance requirements around data movement. Serv-U competes in the same space as MOVEit Transfer and GoAnywhere MFT, two products that have been exploited at large scale in prior years.

The installed base is substantial. Serv-U is used by thousands of organizations globally, many of which run it as a critical data pipeline — inbound payment files, medical records transfers, regulatory submissions. A downed Serv-U instance is not a minor inconvenience; it breaks workflows that other systems depend on.

The vulnerability: how the attack works

CVE-2026-28318 is classified as CWE-400: Uncontrolled Resource Consumption. The flaw lives in how Serv-U handles HTTP POST requests that include a Content-Encoding: deflate header.

The Content-Encoding: deflate header tells a web server that the request body has been compressed using the deflate algorithm, and that the server should decompress it before processing. A legitimate client uses this to reduce bandwidth when sending large payloads. In Serv-U's case, a flaw in the decompression handling means that a crafted request — one where the compressed input is designed to expand to a disproportionately large size when decompressed — causes the Serv-U service to consume all available memory or CPU until it crashes. This class of attack is sometimes called a "zip bomb" or decompression bomb, adapted to HTTP.

The critical detail is that no authentication is required. An attacker on the public internet can send a single malformed POST request to a Serv-U instance and take the service down. There is no need to have a valid account, no need to guess credentials, no need to exploit a second vulnerability first. The attack surface is every Serv-U instance reachable on the network.
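The defensive counterpart of the decompression-bomb behaviour described above is to inflate request bodies under a fixed budget instead of trusting the stream to finish. The following Python is an added example, not code from SolarWinds, Serv-U or the BleepingComputer report, and the sample bodies are constructed here: a compressed body of a few tens of kilobytes that inflates to 20 MB of zeros, and a realistic small upload. `inflate_bounded` stops as soon as the output exceeds an absolute cap or an expansion ratio, which is the property an uncontrolled-resource-consumption (CWE-400) decoder lacks; the budget values are assumptions chosen for the demonstration.

```python
import zlib

# Constructed sample inputs (not from the article). BOMB_BODY is a small
# compressed body that inflates to 20 MB of zero bytes; LEGIT_BODY is a
# realistic upload that inflates to roughly 10 KB of text.
BOMB_PLAIN_SIZE = 20_000_000
BOMB_BODY = zlib.compress(b"\x00" * BOMB_PLAIN_SIZE, 9)

LEGIT_PLAIN = b"".join(b"record %08d: status=ok\n" % i for i in range(400))
LEGIT_BODY = zlib.compress(LEGIT_PLAIN, 9)


class DecompressionLimitExceeded(ValueError):
    """Raised when inflating a body would exceed the configured budget."""


def inflate_bounded(body: bytes, max_out: int, max_ratio: float = 100.0,
                    chunk: int = 64 * 1024, wbits: int = zlib.MAX_WBITS) -> bytes:
    """Inflate a deflate-encoded body with an absolute output cap (max_out
    bytes) and an expansion-ratio cap (max_ratio times the compressed size).

    The default wbits expects the zlib-wrapped stream that the HTTP "deflate"
    token nominally means; pass -zlib.MAX_WBITS for the raw deflate stream
    that some clients send instead.
    """
    decomp = zlib.decompressobj(wbits)
    pieces = []
    produced = 0
    pending = body
    while not decomp.eof:
        # max_length bounds how much output this call may return; input that
        # could not be processed yet is handed back via unconsumed_tail, so
        # memory grows by at most one chunk per iteration.
        piece = decomp.decompress(pending, chunk)
        pending = decomp.unconsumed_tail
        if not piece and not pending:
            raise ValueError("truncated deflate stream")
        produced += len(piece)
        if produced > max_out:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeds {max_out} bytes")
        if produced > max_ratio * len(body):
            raise DecompressionLimitExceeded(
                f"expansion ratio exceeds {max_ratio:g}:1")
        pieces.append(piece)
    return b"".join(pieces)


def budget_check(body: bytes, max_out: int, max_ratio: float = 100.0) -> tuple:
    """Report whether a body fits the budget as (accepted, reason)."""
    try:
        inflate_bounded(body, max_out, max_ratio)
    except DecompressionLimitExceeded as exc:
        return False, str(exc)
    return True, "within budget"


def unbounded_inflated_size(body: bytes) -> int:
    """The unsafe pattern: inflate everything into memory before looking at
    the size. Returns the inflated length; for BOMB_BODY that is 20 MB from
    a body of a few tens of kilobytes."""
    return len(zlib.decompress(body))


if __name__ == "__main__":
    print(f"bomb body: {len(BOMB_BODY)} bytes compressed, "
          f"{unbounded_inflated_size(BOMB_BODY)} bytes inflated")
    print("bomb  :", budget_check(BOMB_BODY, max_out=1_000_000))
    print("legit :", budget_check(LEGIT_BODY, max_out=1_000_000))
```

The ratio cap catches bodies that are small in absolute terms but absurdly compressible, while the absolute cap bounds the worst case regardless of ratio; a server that decodes Content-Encoding should apply both before any further processing of the body, and reject rather than truncate when either is hit.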

What to do now

Patch immediately. Upgrade to Serv-U 15.5.4 Hotfix 1. SolarWinds has published the update through its standard software update channel. This is the only complete fix.

If patching cannot happen immediately due to change management windows or operational constraints, apply both of these interim mitigations in parallel:

  • IP allowlisting: Restrict access to the Serv-U HTTP/HTTPS interface to known, trusted IP addresses or IP ranges. This does not fix the vulnerability but removes the unauthenticated remote attack surface for addresses outside the allowlist.
  • Block POST requests containing the Content-Encoding header: If a reverse proxy, web application firewall, or network appliance sits in front of Serv-U, configure a rule to drop or reject HTTP POST requests that include a Content-Encoding header before they reach the Serv-U service. Most enterprise WAF platforms support this as a simple header-match rule.

Both mitigations are workarounds, not fixes. They reduce exploitability while the patch is being tested and deployed but do not eliminate the underlying vulnerability. Treat them as hours-to-days interim measures, not weeks-long solutions.
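To make the two interim mitigations concrete, the following Python is an added example (not a SolarWinds or BleepingComputer artifact) of the decision a reverse proxy or WAF in front of Serv-U would make: an IP allowlist check followed by the header-match rule. The allowlist ranges, hostnames and sample requests are constructed for the demonstration; the only things taken from the article are the two rules themselves.

```python
import ipaddress

# Constructed policy (not from the article): the source ranges that may reach
# the Serv-U HTTP/HTTPS interface.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]

# Constructed sample requests (not captured traffic): (source IP, raw request head).
SAMPLE_REQUESTS = [
    ("10.20.4.17", b"GET / HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    ("10.20.4.17", b"POST /api/upload HTTP/1.1\r\nHost: files.example.test\r\n"
                   b"Content-Type: application/octet-stream\r\n\r\n"),
    ("10.20.4.17", b"POST /api/upload HTTP/1.1\r\nHost: files.example.test\r\n"
                   b"content-encoding: deflate\r\n\r\n"),
    ("198.51.100.9", b"POST /api/upload HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
]


def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decide(source_ip: str, raw: bytes) -> tuple:
    """Return ("allow" | "reject", reason) for one request."""
    # Rule 1: IP allowlisting. Cheapest check, so it runs first.
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in ALLOWLIST):
        return "reject", f"source {source_ip} not in allowlist"
    # Rule 2: drop every POST carrying a Content-Encoding header, whatever its
    # value. Matching only the exact string "deflate" would be fragile, and the
    # file-transfer interface has no need to accept compressed request bodies.
    method, _target, headers = parse_request_head(raw)
    if method.upper() == "POST" and "content-encoding" in headers:
        return "reject", f"POST with Content-Encoding: {headers['content-encoding']}"
    return "allow", "ok"


def evaluate(requests=SAMPLE_REQUESTS):
    """Apply the policy to every (source, request) pair; returns the verdicts in order."""
    return [decide(src, raw)[0] for src, raw in requests]


if __name__ == "__main__":
    for (src, raw), verdict in zip(SAMPLE_REQUESTS, evaluate()):
        target = raw.split(b" ", 2)[1].decode()
        print(f"{src:>14} {target:<12} -> {verdict}")
```

Two practical points follow from the code: the header rule only works where the proxy terminates TLS, since a pass-through HTTPS listener never sees the header, and the header lookup has to be case-insensitive, because clients are free to send `content-encoding` in any case. Neither rule changes Serv-U's own decompression behaviour, which is why the article treats them as short-lived workarounds until Hotfix 1 is deployed.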

BOD 22-01: what it means beyond federal agencies

Binding Operational Directive 22-01, issued by CISA in November 2021, requires all FCEB agencies to remediate vulnerabilities listed in the KEV catalog within defined timeframes — typically 14 days for actively exploited flaws, though CISA can set shorter windows for critical cases. The directive has no legal authority over private-sector organizations.

In practice, BOD 22-01 has become a de facto patching benchmark for enterprises and government contractors. Many organizations that are not FCEB agencies have adopted KEV remediation timelines as their internal standard — partly because it is a clearly defined, defensible policy, and partly because CISA's KEV selections have a strong track record of predicting which vulnerabilities will be used in ransomware and intrusion campaigns. Government contractors handling federal data under FedRAMP, DFARS, or CMMC frameworks often have contractual obligations that require patching exploited vulnerabilities promptly, making CISA's KEV listing a compliance trigger even without a direct BOD 22-01 mandate.

The practical guidance: if your organization runs Serv-U, treat this as urgent regardless of whether you are a federal agency. The patch window CISA gave federal agencies — eleven days — is a reasonable internal target for any production environment.

The pattern: file transfer software as a high-value target

CVE-2026-28318 continues a trend that the security community has been tracking since 2023. Managed file transfer software sits at a structurally attractive position for attackers: it handles sensitive data, it is often internet-facing by design, it runs with service account privileges that can be leveraged for lateral movement, and it is used by organizations in exactly the sectors — healthcare, finance, government — that have both high-value data and complex patching processes.

MOVEit Transfer (CVE-2023-34362) was exploited by the Cl0p ransomware group in May 2023, compromising hundreds of organizations globally and exposing data belonging to tens of millions of individuals. GoAnywhere MFT (CVE-2023-0669) was exploited by the same group months earlier in a similar mass-exploitation campaign. Both were zero-days at the time of exploitation. CVE-2026-28318 in Serv-U follows the same attack surface pattern: internet-facing, enterprise-critical, unauthenticated attack path.

The difference with this vulnerability is that a patch exists and the attack is currently causing denial-of-service rather than data exfiltration — which means the immediate harm is operational disruption rather than a breach. That does not mean the risk profile is low; a downed file transfer server in a regulated environment can trigger compliance incidents, break time-sensitive workflows, and create conditions that other attack vectors exploit. The patch is available. The window is short. There is no reason to wait.

Originally reported by BleepingComputer. Read the original article for additional details.
