
CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV, DoS in the wild

CISA added CVE-2026-28318 — an unauthenticated DoS in SolarWinds Serv-U — to KEV on June 5. CVSS 7.5. Fix is 15.5.4 Hotfix 1. FCEB deadline June 19.


CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on June 5, 2026 — an unauthenticated uncontrolled-resource-consumption flaw (CWE-400) in SolarWinds Serv-U that crashes the service when a single crafted POST request lands on the management endpoint. CVSS v3.1 is 7.5. SolarWinds shipped a hotfix in Serv-U 15.5.4 Hotfix 1. Federal Civilian Executive Branch agencies have until June 19, 2026 under BOD 22-01.

What the bug does

The vulnerable path is the HTTP handler. A POST request carrying Content-Encoding: deflate forces Serv-U to allocate resources to decompress a body the service does not need to read, and the process crashes. No credentials. No prior session. Exploit traffic looks like one anomalous POST, which is the part defenders should care about — the noise floor for "POST with deflate to a file-transfer admin endpoint" should be effectively zero in normal operation.

The crash is a denial of service, not RCE, but Serv-U is frequently a file-transfer perimeter for regulated workflows (SFTP, MFT) where outage is expensive and downstream automation breaks first. CISA's KEV listing — by definition — confirms active exploitation, and the recently-added entries page is where the catalog records the June 5 addition with the June 19 due date.

Affected versions

Per SolarWinds' advisory and the BleepingComputer writeup:

  • All Serv-U releases before 15.5.4 are vulnerable.
  • Serv-U 15.5.4 without Hotfix 1 is still vulnerable — operators who upgraded to 15.5.4 but skipped the hotfix are not patched.
  • Serv-U 15.5.4 Hotfix 1 is the fixed release.

Exposure

  • Shodan counts roughly 12,000 Serv-U instances exposed on the public internet.
  • Shadowserver tracks about 3,100 in its scan corpus.

The delta is the usual one — Shodan picks up more dormant or misclassified hosts — but both numbers are large enough that opportunistic crash traffic will find targets without any reconnaissance effort. The exploit primitive is a single POST request; there is no PoC engineering to slow exploitation down.

Action checklist

  1. Patch to Serv-U 15.5.4 Hotfix 1 now. If you upgraded to 15.5.4 in the past weeks and stopped there, apply the hotfix today — the base 15.5.4 build is still on the vulnerable list. Verify the version banner after the upgrade.
  2. Block POST requests carrying Content-Encoding: deflate at the WAF or reverse proxy in front of the Serv-U management endpoint. SolarWinds' own mitigation guidance notes the vulnerable Serv-U service does not need this header at all — dropping it is safe and removes the exploit primitive while you schedule the patch window.
  3. Restrict the management interface to known administrator IPs. Serv-U's HTTP management surface should not be reachable from arbitrary internet sources; if it is, the patch window also needs to include closing that exposure.
  4. Watch for repeated crash-restart cycles in Serv-U service logs and the host event log over the past two weeks. The bug crashes the process; sustained exploitation looks like a restart loop.
  5. Federal civilian agencies: meet the June 19 deadline. The KEV addition is BOD 22-01 territory — patch or remove the asset from federal networks by that date.
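Detection for items 2 and 4 of the checklist, as an added example that is not from the article, CISA or SolarWinds: it flags POSTs carrying Content-Encoding: deflate in reverse-proxy access logs, spots crash-restart loops in service-manager events, and pairs each such POST with a crash that follows it. Both log formats and all addresses and timestamps are constructed for the example; the proxy is assumed to log the request's Content-Encoding header, and the Windows Service Control Manager event id 7034 ("service terminated unexpectedly") is used for the crash lines.

```python
import re
from datetime import datetime, timedelta

# Constructed reverse-proxy access log (not real traffic). Assumed format:
# <ISO timestamp> <client> <method> <path> ce=<request Content-Encoding or -> <status>
ACCESS_LOG = """\
2026-06-06T02:10:01Z 198.51.100.4 GET / ce=- 200
2026-06-06T02:10:05Z 198.51.100.4 POST /login ce=- 302
2026-06-06T02:11:09Z 203.0.113.7 POST / ce=deflate 502
2026-06-06T02:13:40Z 203.0.113.7 POST / ce=deflate 502
2026-06-06T02:13:43Z 203.0.113.7 POST / ce=DEFLATE 502
"""

# Constructed Service Control Manager style lines (not real events). Assumed format:
# <ISO timestamp> <event id> <message>   (7034 = terminated unexpectedly, 7036 = state change)
SERVICE_LOG = """\
2026-06-06T02:11:10Z 7034 The Serv-U service terminated unexpectedly.
2026-06-06T02:11:12Z 7036 The Serv-U service entered the running state.
2026-06-06T02:13:41Z 7034 The Serv-U service terminated unexpectedly.
2026-06-06T02:13:43Z 7036 The Serv-U service entered the running state.
2026-06-06T02:13:44Z 7034 The Serv-U service terminated unexpectedly.
2026-06-06T02:13:46Z 7036 The Serv-U service entered the running state.
"""

ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ce=(\S+) (\d{3})$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def deflate_posts(log):
    """(timestamp, client, path, status) for every POST carrying Content-Encoding: deflate.
    The service never needs this header, so the expected hit rate is zero; any hit is a lead."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "POST" and m.group(5).lower() == "deflate":
            hits.append((parse_ts(m.group(1)), m.group(2), m.group(4), int(m.group(6))))
    return hits

def restart_loops(log, window=timedelta(minutes=10), threshold=3):
    """Sorted timestamps of 7034 crashes that belong to a cluster of at least
    `threshold` crashes inside `window`: the restart-loop signature of sustained exploitation."""
    parts = [l.split(maxsplit=2) for l in log.splitlines()]
    crashes = sorted(parse_ts(p[0]) for p in parts if len(p) > 1 and p[1] == "7034")
    flagged = set()
    for i, start in enumerate(crashes):
        cluster = [t for t in crashes[i:] if t - start <= window]
        if len(cluster) >= threshold:
            flagged.update(cluster)
    return sorted(flagged)

def correlate(posts, crashes, lag=timedelta(seconds=3)):
    """Pair each deflate POST (time, client) with a crash that follows it within `lag`."""
    return [(p[0], p[1], c) for p in posts for c in crashes if timedelta(0) <= c - p[0] <= lag]
```

On the constructed data every deflate POST comes from one client and is followed by a crash within seconds; in a real estate, run `deflate_posts` over the full retention window rather than just the last two weeks, since a single hit with no crash still indicates probing.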

Context

This is the third Serv-U entry on KEV in roughly two years, after the CVE-2024-28995 path-traversal added in mid-2024 and the older CVE-2021-35211 Serv-U RCE that the Chinese state-aligned operator DEV-0322 used against U.S. defense customers. The pattern is familiar: managed file-transfer servers sit at organisational perimeters, hold automation credentials, and have a surface area defenders rarely inventory tightly. Last year's MOVEit incident is the worst-case rendering — DoS this week is the easier outcome.

Treat the exposure number as the prompt to inventory every internet-reachable file-transfer service in your estate, not only Serv-U. Twelve thousand hosts reachable on the open internet for a service whose only job is to move sensitive files into the network is not a SolarWinds problem; it is an industry default that needs to change.
