← All articles

SolarWinds Serv-U flaw exploited to crash file-transfer servers, now in CISA KEV

CISA has warned that attackers are actively exploiting CVE-2026-28318, a high-severity SolarWinds Serv-U denial-of-service flaw, and added it to the Known Exploited Vulnerabilities catalog. Serv-U is SolarWinds' Windows and Linux managed-file-transfer and FTP software. The flaw is an uncontrolled-resource-consumption weakness: specially crafted POST requests using Content-Encoding: deflate crash the Serv-U service without authentication, in low-complexity attacks needing no user interaction. SolarWinds shipped Serv-U 15.5.4 Hotfix 1 and advised admins who cannot patch to restrict access and block POST requests containing content-encoding. Shodan tracks over 12,000 exposed Serv-U servers (Shadowserver around 3,100). FCEB agencies must patch by June 19 under BOD 22-01.

Check
Inventory SolarWinds Serv-U servers, especially internet-exposed ones (Shodan shows 12,000+). Confirm Serv-U 15.5.4 Hotfix 1 is applied. Monitor for crashes and crafted deflate POST requests.
Affected
SolarWinds Serv-U MFT/FTP servers before 15.5.4 Hotfix 1. Unauthenticated, low-complexity DoS via POST requests using Content-Encoding: deflate. Over 12,000 instances exposed online per Shodan.
Fix
Apply Serv-U 15.5.4 Hotfix 1. If patching must wait, restrict access to known addresses and block POST requests containing content-encoding. FCEB agencies must remediate by June 19.