SolarWinds Serv-U CVE-2026-28318: Patch This DoS Before June 19th
On June 5, 2026, CISA added CVE-2026-28318, a high-severity Denial-of-Service (DoS) flaw impacting SolarWinds Serv-U multi-protocol file server software, to its Known Exploited Vulnerabilities (KEV) Catalog. CISA's listing confirms active exploitation of this vulnerability in real-world attacks. Federal Civilian Executive Branch (FCEB) agencies must patch by June 19, 2026. Organizations running Serv-U should also treat this as an immediate priority; DoS attacks on critical file transfer systems can severely disrupt operations.
What Happened
On June 5, 2026, CISA officially listed CVE-2026-28318 in its KEV Catalog, confirming active exploitation of this flaw. This vulnerability targets SolarWinds Serv-U, a widely deployed multi-protocol file transfer solution. The flaw carries a CVSS score of 7.5, classifying it as high-severity. It’s an unauthenticated DoS issue, allowing a remote attacker to crash the Serv-U service by sending specially crafted POST requests. The exploit mechanism involves an uncontrolled resource consumption flaw, triggered specifically when these POST requests use the Content-Encoding: deflate header, as detailed in the NVD entry.
SolarWinds released an advisory and a fix for this issue in Serv-U version 15.5.4 HF1. Mandiant is credited with reporting the flaw to SolarWinds, indicating their involvement in its discovery or initial analysis. This KEV listing means FCEB agencies have a hard deadline of June 19, 2026, to remediate; every organization running Serv-U should treat this as an immediate priority. Ignoring CISA KEV entries means exposing your infrastructure to known attack vectors.
Why It Matters
This is not a data exfiltration or ransomware threat directly, but a DoS on a file transfer server can severely disrupt operations. A crash of Serv-U can halt critical business processes, supply chain communications, or customer data exchanges. The primary impact is service disruption and operational downtime, which translates into significant financial losses and reputational damage. CISA's KEV inclusion for CVE-2026-28318 confirms attackers are actively scanning for and exploiting this specific vulnerability.
While the mandatory patch date applies to FCEB agencies, CISA advises all organizations to prioritize remediation for KEV Catalog vulnerabilities. File transfer protocols remain a consistent focus for attackers due to their internet exposure and the sensitive data they handle. There are no public details regarding the specific threat actors or attack chains exploiting this flaw yet, meaning the attacks might be opportunistic or part of broader, undisclosed campaigns.
Affected Scope & Remediation
Organizations running SolarWinds Serv-U software are affected by CVE-2026-28318. The exact number of internet-exposed instances running vulnerable versions is currently unclear. Identify Serv-U installations and verify their patch status immediately.
The fix is available in SolarWinds Serv-U version 15.5.4 HF1. Upgrade to this version to resolve the vulnerability. The CISA KEV deadline for federal agencies to apply this patch is June 19, 2026, giving them 14 days from the KEV listing. This isn't much time.
If immediate patching isn't possible, SolarWinds outlines mitigations. Limit access to known, trusted IP addresses to reduce the exposure of your Serv-U instance. Additionally, block requests containing "content-encoding" headers at the network perimeter (e.g., firewall, WAF) to prevent the exploit from reaching the vulnerable service, as this specific functionality isn't required by Serv-U for its legitimate operations. Your endpoint detection and response (EDR) solutions can also help monitor for unusual crash events or service restarts on Serv-U hosts, potentially indicating an attempted exploit.
Affected Versions vs. Patched Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| SolarWinds Serv-U FTP for Windows | 15.5.3 and earlier | 15.5.4 HF1 |
| SolarWinds Serv-U Gateway | 6.4.0 and earlier | 6.4.0 HF1 |

Patch Links:
- SolarWinds Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-28318
- CISA KEV Entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Timeline:
- NVD Publication/Public Disclosure: May 29, 2026 (NVD)
- CISA KEV Listing: June 5, 2026 (CISA) – 7 days after NVD
- Federal Patch Due Date: June 19, 2026 (CISA) – 14 days after KEV listing

Technical Breakdown
The vulnerability, CVE-2026-28318, stems from an uncontrolled resource consumption issue within the Serv-U multi-protocol file server. It is triggered by specially crafted POST requests. An attacker does not need to authenticate to the Serv-U instance, making it a low-bar attack. The core mechanism exploits how Serv-U handles requests when the Content-Encoding: deflate header is present. This header signals that the request body is compressed using the deflate algorithm.
When Serv-U receives a POST request with this header and an intentionally malformed or excessively large compressed payload, its decompression routine or associated resource allocation fails to handle the input gracefully. Instead of rejecting the invalid or oversized data, the service attempts to process it, leading to a resource exhaustion that culminates in a crash. This is not a buffer overflow; it's about the service attempting an operation that consumes system resources (CPU cycles, memory) beyond its limits, effectively freezing or terminating the process.
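As an added example (not code from SolarWinds or the advisory), the following Python shows the two defensive controls the page describes: the perimeter rule from the mitigation section that rejects any request carrying a Content-Encoding header, and a bounded inflate that refuses a compressed body once its decompressed size exceeds a budget, which is the failure mode described above. Request headers and bodies are constructed samples, the request path is a placeholder, and the 64 KiB budget is an assumed value.

```python
import zlib
from typing import Optional

# Constructed sample request headers (not captured traffic); the path is a placeholder.
PLAIN_POST = "POST / HTTP/1.1\r\nHost: files.example.test\r\nContent-Length: 10\r\n"
DEFLATE_POST = ("POST / HTTP/1.1\r\nHost: files.example.test\r\n"
                "content-encoding: deflate\r\nContent-Length: 1043\r\n")

# Constructed sample bodies: a normal form body, one exactly at a 100-byte budget,
# one that inflates to 1 MB from about 1 KB of input, and a non-deflate byte string.
SMALL_BODY = zlib.compress(b"user=alice")
EXACT_BODY = zlib.compress(b"x" * 100)
OVERSIZED_BODY = zlib.compress(b"A" * 1_000_000)
GARBAGE_BODY = b"not deflate"
MAX_INFLATED = 64 * 1024  # assumed budget for a decompressed request body

def perimeter_allows(raw_headers: str) -> bool:
    """Advisory mitigation: drop any request carrying a Content-Encoding
    header (matched case-insensitively) before it reaches Serv-U, which
    does not need compressed request bodies for legitimate operation."""
    for line in raw_headers.split("\r\n")[1:]:  # skip the request line
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() == "content-encoding":
            return False
    return True

def bounded_inflate(body: bytes, max_out: int = MAX_INFLATED) -> Optional[bytes]:
    """Hardened decompression: inflate at most max_out bytes of output.
    Returns None for a malformed stream or one whose output would exceed
    the budget, so a small body cannot expand without bound in memory."""
    inflater = zlib.decompressobj()  # zlib-wrapped deflate, as used by HTTP
    out = bytearray()
    data = body
    try:
        while data:
            out += inflater.decompress(data, max_out - len(out) + 1)  # one byte past budget at most
            if len(out) > max_out:
                return None
            data = inflater.unconsumed_tail  # input left over because output was capped
        out += inflater.flush()
    except zlib.error:
        return None
    return None if len(out) > max_out else bytes(out)

if __name__ == "__main__":
    print("plain POST allowed:", perimeter_allows(PLAIN_POST))  # True
    print("deflate POST allowed:", perimeter_allows(DEFLATE_POST))  # False
    print("oversized body accepted:", bounded_inflate(OVERSIZED_BODY) is not None)  # False
```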
From a MITRE ATT&CK perspective, this falls under T1190 Exploit Public-Facing Application. Attackers exploit a known vulnerability in a service directly accessible from the internet. For NIST SP 800-53, the remediation directly addresses SI-2 Flaw Remediation, emphasizing the importance of timely patching and configuration management to fix identified vulnerabilities.
Historical Context
SolarWinds Serv-U has seen its share of attention from malicious actors. While CVE-2026-28318 is a DoS, previous incidents involving file transfer protocols often involved more severe impacts. In 2021, a zero-day in SolarWinds Serv-U (CVE-2021-35211) was exploited by Chinese state-sponsored actors to install a backdoor, allowing for remote code execution.
Beyond Serv-U, file transfer solutions have been a recurring target. The Cl0p ransomware gang famously exploited vulnerabilities in MOVEit Transfer (CVE-2023-34362) and GoAnywhere MFT in 2023 to exfiltrate data from hundreds of organizations globally. These incidents underscore a critical theme: any internet-facing system designed to transfer files, especially those handling sensitive data, will always be a prime target for attackers looking for initial access or data exfiltration opportunities. The current Serv-U DoS is less about data theft and more about disruption, but it confirms the continued scrutiny these systems receive.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| CVSS Score (v3.1) | 7.5 | NVD |
| CISA KEV Listing Date | June 5, 2026 | CISA |
| Federal Patch Due Date | June 19, 2026 | CISA |
| Days to Patch (Federal) | 14 days | CISA |
| Affected Product | SolarWinds Serv-U | SolarWinds |
| Fixed Version | 15.5.4 HF1 | SolarWinds |
Our Take
We see too many organizations treating DoS vulnerabilities as "less critical" than RCE or data exfiltration. That's a mistake. A prolonged outage of a core service like Serv-U can hit your bottom line just as hard, if not harder, than a data breach. The fact that CISA added CVE-2026-28318 to the KEV catalog means it's already in the wild, likely being used by multiple groups. Don't wait for your own operations to be disrupted. Check your Serv-U instances now.
The CVEDaily Take
This unauthenticated DoS exploit on Serv-U is a clear operational risk, confirming file transfer platforms remain high-value targets. CISA's KEV mandate for federal agencies highlights the urgency for all organizations to patch, especially given the low barrier to exploitation. We question why SolarWinds did not disclose the active exploitation of CVE-2026-28318 in their initial advisory, only for CISA to confirm it days later. This delay in transparency can leave organizations exposed.
When was the last time your team audited external-facing file transfer services for unnecessary Content-Encoding support?
FAQ
Q: What versions of SolarWinds Serv-U are affected by CVE-2026-28318?
A: SolarWinds Serv-U FTP for Windows version 15.5.3 and earlier, along with Serv-U Gateway version 6.4.0 and earlier, are vulnerable.
Q: What is the primary impact of CVE-2026-28318?
A: The primary impact is a Denial-of-Service (DoS), where an unauthenticated attacker can crash the Serv-U service by sending specially crafted POST requests with Content-Encoding: deflate headers. This causes operational disruption but not direct data exposure or unauthorized access.
Q: What is the recommended remediation for CVE-2026-28318?
A: The recommended remediation is to upgrade SolarWinds Serv-U to version 15.5.4 HF1 (or Serv-U Gateway to 6.4.0 HF1). As a temporary mitigation, limit access to known IPs and block requests containing "content-encoding" headers at your network perimeter.