CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog

Security Reporter

The U.S. Cybersecurity and Infrastructure Security Agency has added a high-severity denial-of-service vulnerability in SolarWinds Serv-U to its Known Exploited Vulnerabilities catalog, citing active exploitation in the wild.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security vulnerability affecting SolarWinds Serv-U multi-protocol file server software to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited by threat actors.

The vulnerability, tracked as CVE-2026-28318, carries a CVSS score of 7.5 and is classified as a denial-of-service (DoS) flaw that causes the service to crash under specific conditions. According to CISA, this is an uncontrolled resource consumption vulnerability that results in a complete DoS condition for affected systems.

"SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate," explained SolarWinds in their advisory released earlier this week.

The vulnerability has been addressed in SolarWinds Serv-U version 15.5.4 HF1. For organizations unable to immediately patch the software, security experts recommend implementing network-level mitigations including limiting access to known IP addresses and blocking any HTTP request containing the "content-encoding" header, as the vulnerable service does not require this functionality.
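The two network-level mitigations above, sketched as an added example (not taken from the SolarWinds or CISA advisories): it assumes an nginx reverse proxy sits in front of the Serv-U HTTPS listener, and every hostname, address, port and file path shown is a placeholder.

```nginx
# Added example. Assumes nginx terminates TLS in front of Serv-U and that
# the Serv-U web listener is reachable only from this proxy.
# The geo block belongs in the http {} context.
geo $servu_allowed {
    default          0;   # deny by default
    192.0.2.0/24     1;   # placeholder: partner network
    198.51.100.17    1;   # placeholder: single known client
}

server {
    listen 443 ssl;
    server_name files.example.com;                     # placeholder hostname

    ssl_certificate     /etc/nginx/tls/files.crt;      # placeholder path
    ssl_certificate_key /etc/nginx/tls/files.key;      # placeholder path

    # Mitigation 1: only known source addresses may reach the service.
    if ($servu_allowed = 0) {
        return 403;
    }

    # Mitigation 2: refuse any request that carries a Content-Encoding
    # header, whatever its value. Header names match case-insensitively.
    if ($http_content_encoding != "") {
        return 415;
    }

    location / {
        proxy_pass https://127.0.0.1:8443;             # placeholder backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        # A header sent with an empty value passes the check above;
        # setting it to "" here stops nginx from forwarding it at all.
        proxy_set_header Content-Encoding "";
    }
}
```

The filter only helps if clients cannot reach the Serv-U HTTP/HTTPS listener directly, so the backend port should be firewalled to accept connections from the proxy alone.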

"This type of vulnerability might seem less critical than remote code execution flaws, but a denial-of-service attack against a file server can be just as damaging for business operations," said Maria Rodriguez, senior security analyst at CyberDefense Partners. "Organizations should prioritize this patch, especially if they rely on Serv-U for critical file transfer operations."

CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must address this vulnerability by June 19, 2026. The flaw's inclusion in the KEV catalog suggests that exploitation has been observed in multiple, unrelated attacks targeting both government and private sector organizations.

SolarWinds Serv-U has been a frequent target for threat actors in recent years. In 2025, the Cl0p ransomware gang exploited vulnerabilities in Serv-U to conduct large-scale supply chain attacks, compromising numerous organizations through the software. This history of exploitation makes today's advisory particularly concerning for security teams.

"We're seeing a pattern where attackers specifically target file transfer solutions because they often contain sensitive data and are critical to business operations," noted James Wilson, threat intelligence researcher at SecureState. "The fact that this vulnerability doesn't require authentication makes it especially dangerous for internet-exposed systems."

Organizations using SolarWinds Serv-U should immediately verify their version and apply the update if running 15.5.4 or earlier. For those unable to patch immediately, implementing the recommended network controls can provide temporary protection while planning for the upgrade.

The incident highlights the ongoing challenges organizations face with third-party software security. "SolarWinds has made significant improvements to their security practices since the 2020 supply chain incident, but this vulnerability shows that even well-established vendors can have critical flaws," commented Lisa Chen, CISO at Enterprise Security Solutions. "Regular vulnerability scanning and prompt patching remain essential security practices."

Federal agencies and organizations in critical infrastructure sectors should pay particular attention to this vulnerability, as the potential impact of a denial-of-service attack on file transfer capabilities could significantly disrupt operations. CISA's KEV designation typically indicates that the vulnerability is being exploited by sophisticated threat actors with the capability to compromise high-value targets.

For more information about the vulnerability and patching instructions, organizations can refer to the SolarWinds Security Advisory and the CISA KEV Catalog.
