CISA added CVE-2026-28318, an unauthenticated denial-of-service flaw in SolarWinds Serv-U, to its Known Exploited Vulnerabilities catalog on June 5, 2026, confirming the bug is being exploited in the wild. Federal civilian agencies have until June 19, 2026 to patch under BOD 22-01. If you run Serv-U as internet-facing file transfer infrastructure, you should treat that deadline as yours too.

What happened

Serv-U is SolarWinds’ managed file transfer (MFT) and secure file server platform — the kind of system that sits at the edge of a network moving files between partners, customers, and internal teams. CVE-2026-28318 (CVSS 7.5) lets a remote, unauthenticated attacker crash the Serv-U service with a single malformed request. No credentials, no chained steps, no payload to deliver.

The trigger is almost trivial. According to SolarWinds’ advisory, a specially crafted HTTP POST request carrying a Content-Encoding: deflate header forces the service to mishandle the request and consume excessive resources until it falls over. Send it again and the service crashes again. That is the entire attack.

Technical details

  • CVE: CVE-2026-28318
  • CVSS 3.1: 7.5 (High); the vector reflects a network-reachable, unauthenticated attack whose impact is limited to availability
  • Affected: SolarWinds Serv-U 15.5.4 and earlier
  • Fixed in: Serv-U 15.5.4 HF1
  • Vector: Unauthenticated POST with Content-Encoding: deflate → service crash
  • Class: Denial of service (availability), no authentication required

The header is the tell here. Serv-U’s HTTP front end does not legitimately need clients to send Content-Encoding: deflate on inbound requests, which is why SolarWinds’ interim mitigation is simply to drop anything that carries it. The vulnerable code path tries to process the declared encoding and never recovers.

Impact assessment

This is “only” a DoS — no remote code execution, no data theft on its own. Do not let that downgrade it in your head. Three things make it matter:

  1. It is unauthenticated and effortless. One crafted request from anywhere on the internet takes the service down. There is no exploitation skill curve, which is consistent with CISA seeing real-world abuse fast enough to warrant a KEV listing.
  2. MFT software is business-critical and exposed. Serv-U exists to be reachable. When it is down, partner file drops, automated B2B transfers, and customer uploads stop. For organizations that move regulated data on schedules, an outage is an operational and sometimes contractual incident.
  3. Serv-U has a target on its back. Attackers have repeatedly gone after this product — the actively exploited path traversal CVE-2024-28995 and the 2021 remote-code-execution flaw (CVE-2021-35211) used by a Chinese-linked actor are recent memory. MFT platforms as a class (MOVEit, GoAnywhere, Cleo) have been among the most lucrative targets of the past few years. A reliable crash primitive is a useful thing to keep handy, whether as cover, extortion leverage, or reconnaissance.

What to do right now

  1. Patch to Serv-U 15.5.4 HF1. This is the fix. Inventory every Serv-U instance, including forgotten ones in DMZs and acquired environments.
  2. If you cannot patch immediately, block the trigger. Drop or strip inbound requests containing a Content-Encoding header at your reverse proxy or WAF — Serv-U does not need it. SolarWinds publishes additional mitigations through its Trust Center.
  3. Restrict exposure. Limit access to the Serv-U management and transfer interfaces to known source addresses. MFT endpoints should not be wide open to the internet if they do not have to be.
  4. Watch for repeated crashes. Unexplained Serv-U restarts or availability gaps are now a possible exploitation signal, not just a flaky service. Alert on them.
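One way to implement the interim filter from step 2 at a reverse proxy, as an added example that is not SolarWinds' or CISA's code: it parses a raw HTTP request, blocks anything that carries a Content-Encoding header (flagging deflate explicitly as the known trigger), and offers a strip mode for proxies that have already decoded the body. The sample requests and host name are constructed placeholders.

```python
"""Proxy-side interim mitigation for CVE-2026-28318: reject or strip inbound
requests carrying a Content-Encoding header before they reach Serv-U.
Sample requests below are constructed for illustration only."""
from typing import Optional


def parse_request(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (request line, headers, body).
    Header names are lower-cased so lookups are case-insensitive; repeated
    headers are joined with commas as RFC 9110 permits."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return request_line, headers, body


def should_block(raw: bytes) -> Optional[str]:
    """Return a block reason if the request must be dropped, else None.
    Per the SolarWinds interim mitigation any inbound Content-Encoding is
    rejected; deflate is named explicitly because it is the known trigger."""
    request_line, headers, _ = parse_request(raw)
    encoding = headers.get("content-encoding")
    if encoding is None:
        return None
    tokens = [t.strip().lower() for t in encoding.split(",")]
    method = request_line.split()[0] if request_line.split() else "?"
    if "deflate" in tokens:
        return f"CVE-2026-28318 trigger: Content-Encoding deflate on {method}"
    return f"unexpected inbound Content-Encoding: {encoding}"


def strip_content_encoding(raw: bytes) -> bytes:
    """Alternative to dropping: forward the request with the header removed.
    Only safe if the proxy has already decoded the body; otherwise drop."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept = [line for line in head.split(b"\r\n")
            if not line.lower().startswith(b"content-encoding:")]
    return b"\r\n".join(kept) + sep + body


# Constructed samples: one benign upload, one carrying the trigger header.
BENIGN = b"POST /upload HTTP/1.1\r\nHost: mft.example.test\r\nContent-Length: 0\r\n\r\n"
TRIGGER = (b"POST /upload HTTP/1.1\r\nHost: mft.example.test\r\n"
           b"content-encoding: Deflate\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for req in (BENIGN, TRIGGER):
        print(should_block(req) or "pass")
```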

This one is cheap to exploit and cheap to fix. The asymmetry is entirely in the defender’s favor for once — close it before someone parks a crash loop on your file transfer edge.
