CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash file-transfer servers
CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw under active exploitation, to its Known Exploited Vulnerabilities catalog late Friday, ordering federal civilian agencies to remediate by June 19 unde.
At a glance
- CISA added CVE-2026-28318 to the KEV catalog on June 5 with an FCEB remediation deadline of June 19
- Unauthenticated attackers can crash Serv-U remotely via POST requests with a Content-Encoding: deflate header (CVSS 7.5, CWE-400)
- SolarWinds released Serv-U 15.5.4 Hotfix 1 on June 4; EOL versions 15.4.2, 15.5 and 15.5.1 are also affected
- CISA confirmed active exploitation but attackers are unidentified, with no known ransomware involvement
- Shodan tracks more than 12,000 Serv-U servers exposed online
VERDICT — CONFIRMED
CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw under active exploitation, to its Known Exploited Vulnerabilities catalog late Friday, ordering federal civilian agencies to remediate by June 19 under Binding Operational Directive 22-01 as coverage spread through the weekend. The uncontrolled resource consumption bug (CWE-400, CVSS 7.5) lets unauthenticated attackers remotely crash Serv-U file-transfer services by sending specially crafted HTTP POST requests carrying a "Content-Encoding: deflate" header.
SolarWinds had released Serv-U 15.5.4 Hotfix 1 a day earlier, on Thursday June 4; the flaw affects Serv-U 15.5.4 as well as end-of-life versions 15.4.2, 15.5 and 15.5.1. CISA confirmed in-the-wild exploitation but provided no detail on the attackers, and there is no indication so far of ransomware gangs leveraging the bug.
Shodan shows more than 12,000 Serv-U servers exposed on the internet, underscoring the available attack surface. SecurityWeek noted it remains unclear who is behind the attacks, while researchers urged administrators to patch immediately and monitor for anomalous POST requests using the deflate header.
Why it matters
an actively exploited crash bug in managed file-transfer software draws an emergency federal deadline because the file-transfer tier — from MOVEit to GoAnywhere — has become the extortion economy's favorite point of leverage, making any exploited Serv-U flaw a potential precursor to worse.
Key facts on file
- CISA added CVE-2026-28318 to the KEV catalog on June 5 with an FCEB remediation deadline of June 19
- Unauthenticated attackers can crash Serv-U remotely via POST requests with a Content-Encoding: deflate header (CVSS 7.5, CWE-400)
- SolarWinds released Serv-U 15.5.4 Hotfix 1 on June 4; EOL versions 15.4.2, 15.5 and 15.5.1 are also affected
- CISA confirmed active exploitation but attackers are unidentified, with no known ransomware involvement
- Shodan tracks more than 12,000 Serv-U servers exposed online


