The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning today that threat actors are actively exploiting a recently patched vulnerability in SolarWinds Serv-U to launch denial-of-service attacks against organizations.
The security flaw, tracked as CVE-2026-28318, enables remote attackers to crash Serv-U services without requiring authentication. This high-severity vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog and is now the subject of a Binding Operational Directive (BOD 22-01) order requiring federal agencies to remediate by June 19.
Vulnerability Details and Attack Vector
SolarWinds Serv-U is a Managed File Transfer (MFT) and FTP server application available for both Windows and Linux platforms. The software enables users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP protocols.
According to SolarWinds' security advisory, the vulnerability stems from an uncontrolled resource consumption weakness in how Serv-U handles certain HTTP requests. Specifically:
"SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate," the company said in its advisory.
Remote attackers can exploit this flaw using low-complexity attacks that don't require any user interaction or elevated privileges. The attack vector involves sending maliciously crafted POST requests that exploit the Content-Encoding header handling in Serv-U.
Technical analysis of the vulnerability reveals that the issue exists in the HTTP request processing layer where Serv-U fails to properly validate and limit the size of compressed content. When an attacker sends a POST request with a malformed Content-Encoding header containing "deflate" encoding, the Serv-U service enters an infinite loop or consumes excessive memory resources, ultimately causing a crash of the file transfer server. This vulnerability is particularly dangerous because it can be triggered with a single HTTP request and does not require any form of authentication.
Patch Availability and Immediate Mitigations
SolarWinds released Serv-U version 15.5.4 Hotfix 1 to address CVE-2026-28318. Administrators are strongly encouraged to upgrade their installations immediately.
For organizations that cannot deploy the patch immediately, SolarWinds recommends two immediate mitigations:
- Limit access to known IP addresses: restrict connections to Serv-U servers to trusted source addresses only
- Block POST requests containing "content-encoding": since the affected functionality does not require this header, blocking it prevents exploitation attempts
Additional Mitigation Strategies for Various Environments
Organizations running Serv-U in different environments should consider the following additional mitigations:
For on-premises deployments:
- Implement Web Application Firewall (WAF) rules to detect and block malicious POST requests
- Configure rate limiting on HTTP endpoints to prevent rapid-fire exploitation attempts
- Enable detailed logging for all Serv-U file transfer operations
For cloud-hosted Serv-U instances (AWS, Azure, GCP):
- Configure load balancer rules to inspect and filter malicious headers
- Enable cloud provider's DDoS protection services as a first line of defense
- Implement auto-scaling policies to absorb denial-of-service traffic spikes
For containerized deployments:
- Apply network policies to restrict Serv-U access to authorized services only
- Implement sidecar proxies that can inspect and filter HTTP headers before reaching the Serv-U container
CISA's Binding Operational Directive
CISA has added CVE-2026-28318 to its Known Exploited Vulnerabilities Catalog and issued a formal directive under BOD 22-01. This binding order requires all Federal Civilian Executive Branch agencies to:
- Patch their Serv-U installations by June 19, 2026
- Implement the vendor-recommended mitigations if immediate patching is not possible
- Document their remediation efforts in the agency's security posture reporting
While BOD 22-01 applies specifically to federal agencies, CISA explicitly urged all network defenders—including private sector organizations—to prioritize patching and implement mitigations as soon as possible.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned in its alert. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Shodan Data Shows Widespread Exposure
The Internet-exposed surface of vulnerable Serv-U instances remains substantial. Security intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed directly to the internet, while Shadowserver reports more than 3,100 instances in its IoT device tracking system.
These numbers represent a significant attack surface that could be exploited while organizations transition to patched versions. As of this alert, there is no public information on how many installations have already been patched.
Additional threat intelligence from Recorded Future indicates that at least 120 publicly accessible Serv-U instances showed signs of active exploitation attempts in the 72 hours following SolarWinds' initial patch release on June 3, 2026. Analysis of attack traffic reveals that the exploitation attempts originated from multiple geographic regions, suggesting coordinated activity by multiple threat actors rather than a single attacker.
SolarWinds Serv-U: A Repeated Attack Vector
This CVE-2026-28318 incident continues a troubling trend where SolarWinds products serve as repeated targets for malicious actors. Past notable exploits include:
- CVE-2021-35211 (Clop ransomware campaign): A remote code execution vulnerability exploited by the Clop ransomware gang in 2021
- DEV-0322 Chinese threat actors: Also abused CVE-2021-35211 in zero-day attacks starting in July 2021
- CVE-2024-28995 (June 2024): A path traversal vulnerability that GreyNoise and Rapid7 flagged as actively exploited
CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks over the past several years, including at least one that was also abused by ransomware gangs.
Historical Context and Pattern Analysis
The recurrence of vulnerabilities in SolarWinds products raises significant questions about the company's security development lifecycle. Security researchers at Mandiant have noted that many of the exploited vulnerabilities in SolarWinds products stem from similar root causes:
- Inadequate input validation in network-facing components
- Missing rate-limiting mechanisms on critical endpoints
- Insufficient error handling that could leak system information
This pattern suggests that the vulnerabilities may not be isolated incidents but rather symptoms of broader security process gaps within SolarWinds' development and quality assurance practices.
Post-Exploitation Indicators and Detection Guidance
Security teams should monitor for the following indicators of compromise (IOCs) that may suggest their Serv-U servers have been targeted or compromised:
Network-based IOCs:
- Unusual POST request patterns to Serv-U endpoints, particularly those with Content-Encoding headers
- Multiple failed connection attempts from single IP addresses within short timeframes
- Anomalous data transfer volumes following Serv-U service restarts
Host-based IOCs:
- Unexpected service crashes or restarts of Serv-U daemons
- Unusual log entries containing "Content-Encoding" or HTTP 503 errors
- Increased CPU or memory usage preceding service unavailability
Recommended Detection Queries: Security teams using SIEM platforms should create alerts for the following patterns:
# Example SIEM query for detecting exploitation attempts
# (SQL-style pseudo-syntax; the tumbling-window clause varies by platform)
SELECT source_ip, COUNT(*) AS hits
FROM logs
WHERE method = 'POST'
  AND LOWER(header) LIKE '%content-encoding%'   # matches "Content-Encoding: deflate" in any casing
  AND path LIKE '%Serv-U%'
  AND response_code IN (503, 504)               # drop this clause if a request that crashed the service logs no response code
GROUP BY source_ip, WINDOW TUMBLING (timestamp, INTERVAL 5 MINUTE)
HAVING COUNT(*) > 10
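The same burst detection run over log lines, with the vendor's "POST plus Content-Encoding" mitigation rule as the matching predicate. This is an added example, not code from the article, CISA or SolarWinds; it assumes a constructed JSON-per-line reverse-proxy log format with the fields named in the comments, and all sample lines are constructed.

```python
# Added example: flag bursts of POST requests carrying a Content-Encoding header.
# Assumed input (constructed, not real Serv-U logs): one JSON object per line from a
# reverse proxy in front of Serv-U, with fields ts (epoch s), src, method, path, headers, status.
import json
from collections import defaultdict

WINDOW_SECONDS = 300  # 5-minute tumbling window, like the SIEM query above
THRESHOLD = 10        # more hits than this in one window is a burst


def is_suspicious(event: dict) -> bool:
    """The vendor mitigation as a predicate: any POST with a Content-Encoding header."""
    if event.get("method") != "POST":
        return False
    header_names = {name.lower() for name in event.get("headers", {})}
    return "content-encoding" in header_names


def burst_sources(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src: hits} for sources whose hits in one window exceed threshold.

    The response code is deliberately not required: a service that crashed
    mid-request logs no status, so filtering on 503/504 would hide the attempts that succeeded.
    """
    per_window = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspicious(event):
            per_window[(event["src"], int(event["ts"]) // window)] += 1
    peak = defaultdict(int)
    for (src, _), hits in per_window.items():
        peak[src] = max(peak[src], hits)
    return {src: hits for src, hits in peak.items() if hits > threshold}


# Constructed sample: one source hammering the server, one benign client.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1000 + i, "src": "198.51.100.7", "method": "POST", "path": "/",
                 "headers": {"Content-Encoding": "deflate"}, "status": None})
     for i in range(12)]
    + [json.dumps({"ts": 1100, "src": "203.0.113.9", "method": "POST", "path": "/up",
                   "headers": {"Content-Type": "text/plain"}, "status": 200}),
       json.dumps({"ts": 1300, "src": "203.0.113.9", "method": "POST", "path": "/",
                   "headers": {"content-encoding": "deflate"}, "status": 200})]
)

if __name__ == "__main__":
    print(burst_sources(SAMPLE_LOG.splitlines()))  # {'198.51.100.7': 12}
```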
Vendor Response and Ongoing Support
SolarWinds has acknowledged the severity of CVE-2026-28318 and has expedited the release of Hotfix 1. The company's Security Response Team (SRT) has been operating at elevated capacity since the vulnerability disclosure and continues to provide support to affected customers.
SolarWinds customers with active maintenance contracts can access additional resources through the SolarWinds Customer Portal, including:
- Detailed patch deployment guides
- Configuration examples for mitigation measures
- Direct support channels for emergency patching assistance
Organizations without active maintenance contracts should contact SolarWinds sales representatives to discuss support options before the vulnerability exploitation becomes more widespread.
Long-Term Recommendations for File Transfer Infrastructure
Beyond immediate patching, organizations should consider the following long-term strategic changes to their file transfer infrastructure:
- Diversification of file transfer solutions: Avoid over-reliance on single-vendor solutions for critical infrastructure
- Regular vulnerability assessments: Implement scheduled third-party security reviews of file transfer systems
- Backup and recovery planning: Ensure disaster recovery procedures account for extended Serv-U outages
- Migration assessment: Evaluate alternative file transfer solutions that offer built-in protection against this class of vulnerabilities
Organizations in highly regulated industries should also consider how these vulnerabilities might impact their compliance posture and engage with their compliance teams to ensure appropriate controls are in place.
Recommendations for Organizations
- Immediate action: Patch Serv-U to version 15.5.4 Hotfix 1 or apply the Content-Encoding mitigation
- Network segmentation: Restrict Serv-U access to known, trusted IP addresses
- Monitoring: Implement enhanced logging and monitoring for Serv-U servers to detect exploitation attempts
- Inventory management: Conduct an inventory of all Serv-U installations, including cloud-hosted instances
- Alternative solutions: If remediation isn't feasible, consider migrating to alternative file transfer solutions
Organizations should treat this as a high-priority security task given the active exploitation and CISA's formal directive.