CISA Lists Actively Exploited SolarWinds Serv-U DoS Vulnerability in KEV Catalog


Key Takeaways

  • CISA has added CVE‑2026‑28318 (CVSS 7.5) affecting SolarWinds Serv‑U multi‑protocol file server to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation.
  • The flaw is a denial‑of‑service (DoS) vulnerability triggered by unauthenticated POST requests that include the header Content‑Encoding: deflate, causing uncontrolled resource consumption and service crash.
  • SolarWinds has patched the issue in Serv‑U version 15.5.4 HF1; interim mitigations include restricting access to trusted IP addresses and blocking any request containing the “content‑encoding” header.
  • Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability by June 19, 2026 under CISA’s binding directive.
  • While exploitation details remain scarce, past Serv‑U vulnerabilities have been leveraged by threat actors such as the Cl0p ransomware gang, highlighting a pattern of targeting this file‑transfer solution.

Introduction to the Advisory

On June 6, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the inclusion of a high‑severity security flaw impacting SolarWinds Serv‑U in its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE‑2026‑28318, carries a CVSS score of 7.5 and is described as a denial‑of‑service (DoS) issue that can be triggered without authentication. CISA’s action reflects observed active exploitation in the wild, prompting urgent guidance for affected organizations, especially federal agencies.


Vulnerability Details and Technical Mechanism

CVE‑2026‑28318 is an uncontrolled resource consumption weakness (the CWE‑400 class) in Serv‑U’s handling of HTTP POST requests. When a request carries the header Content‑Encoding: deflate, the server’s processing of the compressed body consumes memory or CPU without limit and the Serv‑U service crashes. Beyond that description the root cause has not been detailed publicly, but a body that inflates to far more data than the handler is prepared to hold is the usual way a deflate decoder reaches this state. Because no valid credentials are required, an unauthenticated remote attacker can induce the DoS condition with a single crafted POST request. SolarWinds characterized the issue as a “specially crafted POST request that crashes the Serv‑U service without authentication using Content‑Encoding: deflate.”
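The following is an added illustration of the failure class the advisory names, not the Serv‑U code or the actual exploit payload; the assumption that the crash comes from unbounded inflation of a deflate body is an inference from the public description, not a confirmed root cause. The script builds a constructed raw‑deflate stream with a roughly 1000:1 expansion ratio, shows a naive handler inflating it in full, and shows a bounded handler that stops at a fixed output budget.

```python
import zlib
from typing import Optional

# Constructed input: 1 MiB of zero bytes, which raw deflate (wbits=-15, the
# framing a "Content-Encoding: deflate" body is expected to carry) shrinks to
# about a kilobyte. This is not the Serv-U payload; it only shows the
# expansion ratio a decompressor can be handed by an unauthenticated client.
EXPANDED_SIZE = 1 << 20


def make_compressible_body(size: int = EXPANDED_SIZE) -> bytes:
    """Return a small raw-deflate stream that inflates to `size` zero bytes."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(b"\0" * size) + c.flush()


def inflate_unbounded(body: bytes) -> int:
    """Naive handler: inflates the whole body into memory, however large it gets.

    Returns the inflated length. With a large enough ratio and body this is the
    uncontrolled resource consumption pattern the advisory describes.
    """
    return len(zlib.decompress(body, wbits=-15))


def inflate_bounded(body: bytes, max_out: int = 64 * 1024) -> Optional[bytes]:
    """Hardened handler: inflate incrementally and stop once output exceeds max_out.

    Returns the inflated bytes, or None if the body expands past the budget or
    is not a complete deflate stream. Memory use is capped at roughly max_out.
    """
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    pending = body
    while pending:
        # max_length caps how much output this call may produce; whatever input
        # it did not consume is left in d.unconsumed_tail for the next round.
        out += d.decompress(pending, max_length=max_out - len(out) + 1)
        if len(out) > max_out:
            return None  # expansion exceeds budget: reject before it grows further
        pending = d.unconsumed_tail
    if not d.eof:
        return None  # truncated or malformed stream
    return bytes(out)


if __name__ == "__main__":
    body = make_compressible_body()
    print(f"compressed body: {len(body)} bytes")
    print(f"unbounded inflate: {inflate_unbounded(body)} bytes")
    print(f"bounded inflate (64 KiB cap): {inflate_bounded(body)}")
```

The bounded variant is the shape of fix a server should apply regardless of what the vendor patch actually changed: the decoder is driven with an output budget and the request is rejected as soon as the budget is exceeded, so a client controls how much work is done only up to that cap.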


Evidence of Active Exploitation

Although CISA has confirmed that the flaw is being actively exploited, the agency has not disclosed precise details about the exploitation techniques, the identity of the threat actors, or the scale of compromise. The lack of public technical specifics suggests that either the exploit is still under investigation or that disclosure is being withheld to prevent further abuse. Nonetheless, the addition to the KEV catalog indicates that there is credible evidence—such as telemetry from sensors, malware samples, or incident reports—showing that attackers are leveraging this vulnerability in real‑world attacks.


Mitigation and Remediation Guidance

SolarWinds released Serv‑U version 15.5.4 HF1 as the official fix for CVE‑2026‑28318. Organizations running earlier versions are urged to upgrade immediately. In situations where patching cannot be performed instantly, SolarWinds recommends two interim mitigations:

  1. Access Restriction – Limit Serv‑U’s exposure to known, trusted IP addresses or networks, so that unauthenticated actors outside those ranges cannot reach the HTTP listener at all.
  2. Header Filtering – Block any inbound HTTP request that carries a content‑encoding header, whatever its value, at the network perimeter or in a web application firewall. HTTP header names are case‑insensitive, so the rule must match Content‑Encoding, content‑encoding and any other casing, and it should apply to every method rather than to POST alone. Because compressed request bodies are not needed for normal Serv‑U operation, the rule should not affect legitimate clients.

These measures aim to keep the crafted POST requests that trigger the resource exhaustion from reaching the Serv‑U service in the first place.
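Both interim mitigations as one request filter, written here as an added example rather than vendor or project code. The trusted ranges, the hostname serv‑u.example and the sample requests are all constructed for the illustration; the point is the case‑insensitive, value‑agnostic header match and the allowlist check applied to every method.

```python
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical allowlist standing in for an organization's trusted ranges.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")
]


def parse_request_head(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into (method, target, [(name, value)]).

    Header names are lower-cased because HTTP treats them case-insensitively;
    values are kept as-is. Only the head is parsed; the body is never touched.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def should_block(client_ip: str, raw: bytes) -> Optional[str]:
    """Return a rejection reason for a request, or None to let it through.

    Implements both interim mitigations: the source must be in TRUSTED_NETWORKS,
    and no request (any method) may carry a content-encoding header, whatever
    its value, matched case-insensitively.
    """
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return "source not in allowlist"
    _method, _target, headers = parse_request_head(raw)
    if any(name == "content-encoding" for name, _value in headers):
        return "content-encoding header present"
    return None


# Constructed sample traffic; these are not captured exploit requests.
SAMPLES = [
    ("10.20.1.5", b"GET / HTTP/1.1\r\nHost: serv-u.example\r\n\r\n"),
    ("10.20.1.5", b"POST /api/ HTTP/1.1\r\nHost: serv-u.example\r\n"
                  b"Content-Encoding: deflate\r\nContent-Length: 0\r\n\r\n"),
    # Odd casing and whitespace that a naive exact-match rule would miss
    ("10.20.1.5", b"PUT /upload HTTP/1.1\r\nHost: serv-u.example\r\n"
                  b"content-ENCODING : gzip\r\n\r\n"),
    ("203.0.113.7", b"GET / HTTP/1.1\r\nHost: serv-u.example\r\n\r\n"),
]


def audit(samples=SAMPLES) -> List[Optional[str]]:
    """Run should_block over each (client_ip, raw_request) pair."""
    return [should_block(ip, raw) for ip, raw in samples]


if __name__ == "__main__":
    for (ip, raw), verdict in zip(SAMPLES, audit()):
        method = raw.split(b" ", 1)[0].decode()
        print(f"{ip:15} {method:5} -> {verdict or 'allow'}")
```

A header rule of this kind only works where the headers are visible, that is, on a proxy or WAF that terminates TLS in front of Serv‑U; a transparent packet filter cannot see inside an HTTPS session and can enforce only the IP allowlist.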


CISA Directive and Timeline for Federal Agencies

Under Binding Operational Directive (BOD) 22‑01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate every vulnerability in the KEV catalog by its assigned due date, agencies must address CVE‑2026‑28318 no later than June 19, 2026, either by applying the SolarWinds patch or by implementing the vendor’s mitigations. Remediation status is tracked through CISA’s existing vulnerability management and reporting processes. The short window underscores the urgency CISA attaches to the flaw, given its potential to disrupt file‑transfer services that government systems depend on.


Historical Context and Related Incidents

Serv‑U has a history of being targeted by cyber‑criminal groups. Earlier Serv‑U vulnerabilities have been exploited by threat actors including the Cl0p ransomware gang, which has repeatedly gone after managed file‑transfer products for large‑scale data theft. The recurrence of high‑impact flaws in Serv‑U suggests that threat actors continue to view the platform as an attractive entry point into networks that rely on it for secure file exchange. CVE‑2026‑28318 is a DoS rather than a data‑theft vulnerability, but it could still serve as a precursor to more disruptive campaigns, for instance by knocking out backup or log‑transfer jobs that depend on Serv‑U uptime.


Conclusion

The addition of CVE‑2026‑28318 to CISA’s KEV catalog highlights an actively exploited denial‑of‑service flaw in SolarWinds Serv‑U that can be triggered via unauthenticated POST requests containing a specific compression header. While patches are available and mitigations are straightforward, the tight remediation deadline for federal agencies underscores the potential impact on essential services. Organizations should prioritize patching to version 15.5.4 HF1, enforce access controls, and consider header‑based filtering as immediate defenses. Continued vigilance is warranted, given the historical pattern of Serv‑U being a favored target for sophisticated threat actors such as Cl0p. By acting swiftly, administrators can reduce the risk of service disruption and limit the opportunity for attackers to exploit this vulnerability as a stepping stone to more severe intrusions.
