SolarWinds Serv-U Denial-of-Service Flaw CVE-2026-28318 Actively Exploited, CISA Warns
Attackers are actively exploiting CVE-2026-28318, a high-severity denial-of-service vulnerability in SolarWinds Serv-U file transfer software, the U.S. Cybersecurity and Infrastructure Security Agency confirmed on June 5, 2026. The flaw requires no credentials, no elevated privileges, and no user interaction to trigger, making it one of the lowest-barrier exploits currently in active use. With over 12,000 Serv-U servers reachable from the public internet and a patch only days old, the exploitation window is wide open for organizations that have not yet acted.
What CVE-2026-28318 Is and How Attackers Exploit It
SolarWinds Serv-U is a widely deployed file transfer platform for Windows and Linux environments, supporting Managed File Transfer (MFT), FTP, FTPS, SFTP, and HTTP/HTTPS-based data exchange. Organizations in finance, healthcare, government, and logistics depend on it to move sensitive files securely between internal systems and external partners.

CVE-2026-28318 is rooted in an uncontrolled resource consumption weakness in how Serv-U handles certain HTTP requests. An attacker can send a specially crafted POST request using a Content-Encoding: deflate header to immediately crash the Serv-U service. SolarWinds confirmed that the affected service has no legitimate operational need for this content-encoding functionality, which means the vulnerable code path exists entirely without purpose and should never have been reachable.
Why the Attack Conditions Make This Especially Dangerous
The conditions needed to trigger CVE-2026-28318 set a very low bar. Exploitation requires no valid account, no special role, and no action from any legitimate user. The attack is classified as low complexity, requiring no custom tooling or deep technical expertise. Any attacker with network access to an exposed Serv-U instance can bring the service down. For servers facing the public internet, that means virtually anyone.
Thousands of Serv-U Servers Currently Exposed Online
Internet scanning platforms reveal the scale of the exposure. Shodan currently identifies more than 12,000 Serv-U servers accessible from the public internet. Shadowserver puts its count at just over 3,100. Neither figure reflects how many of those servers have applied the available patch, leaving the actual scope of unmitigated risk unknown.
SolarWinds released Serv-U 15.5.4 Hotfix 1 on June 5, 2026, to address the vulnerability. Every organization that has not yet deployed this update remains exposed to an unauthenticated crash attack that can be executed in a single request.
CISA Adds CVE-2026-28318 to Known Exploited Vulnerabilities Catalog
CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) Catalog on June 5, 2026, confirming that exploitation has been observed in the wild. Under Binding Operational Directive (BOD) 22-01, all U.S. Federal Civilian Executive Branch agencies must patch their Serv-U deployments by June 19, 2026.
While BOD 22-01 applies specifically to U.S. federal agencies, CISA extended its warning to the broader private sector. The agency stated that this class of vulnerability is a frequent target for malicious cyber actors and poses significant risk to enterprise environments. The recommendation was direct: apply vendor mitigations, follow BOD 22-01 guidance where applicable, or discontinue use of the product if no mitigation is available.
Serv-U’s History as a Repeated Target for Ransomware and State Actors
CVE-2026-28318 is not an isolated incident. SolarWinds Serv-U has been a consistent target for both financially motivated criminal groups and state-linked threat actors over multiple years.
In 2021, the Clop ransomware gang exploited CVE-2021-35211, a remote code execution vulnerability in Serv-U, to breach corporate networks across a widespread campaign. Simultaneously, the Chinese state-backed hacking group DEV-0322 deployed zero-day exploits of the same CVE beginning in July 2021, targeting organizations for intelligence collection.
In June 2024, security firms GreyNoise and Rapid7 confirmed that CVE-2024-28995, a Serv-U path traversal vulnerability, was being actively exploited in the wild. Across SolarWinds' product portfolio, CISA has now tagged 11 vulnerabilities as actively exploited in real attacks, with at least one previously tied directly to ransomware operations.
The pattern that emerges is consistent and concerning: Serv-U flaws are discovered, disclosed, and rapidly adopted by threat actors at every level of sophistication. The time between patch release and observed exploitation continues to shrink.
Canadian Impact: PIPEDA-Regulated Data and MFT Infrastructure at Risk
Canadian organizations that depend on Serv-U to move regulated data face direct exposure from this vulnerability. MFT platforms like Serv-U are commonly used in Canada to transfer data protected under PIPEDA (Personal Information Protection and Electronic Documents Act), including customer financial records, patient health information, and government documents.
The Canadian Centre for Cyber Security (CCCS) has previously issued advisories on SolarWinds vulnerabilities, including during the broader SolarWinds Orion supply chain compromise of 2020. Canadian organizations running internet-accessible Serv-U servers should treat CVE-2026-28318 as a priority remediation item, particularly where those servers handle regulated or sensitive data.
A denial-of-service attack that crashes Serv-U is not simply an inconvenience. In environments where MFT is the critical pipeline for data exchange, downtime from a crash attack can disrupt payroll transfers, cross-border data submissions, healthcare record routing, and government reporting obligations. It can also function as a diversion while attackers pursue secondary objectives elsewhere on the same network.
Canadian organizations subject to PIPEDA should also assess whether documented exposure to a publicly known, patchable vulnerability, particularly one where exploitation is already confirmed, creates obligations under the act’s breach of security safeguards reporting requirements.
Interim Mitigations for Organizations That Cannot Patch Immediately
For organizations unable to deploy Serv-U 15.5.4 Hotfix 1 right away, SolarWinds has identified two interim controls that reduce the attack surface.
The first is access restriction: limit network access to the Serv-U service so that only verified, trusted IP addresses can reach it. This is critical for any Serv-U instance currently exposed to the public internet.
The second is request filtering: configure firewall or web application firewall rules to block any inbound POST request to the Serv-U service that carries a Content-Encoding header. Because the vulnerable service has no legitimate need for this header, blocking it will not affect normal operations.
Both mitigations reduce exposure but do not eliminate the underlying vulnerability. Patching to Serv-U 15.5.4 Hotfix 1 is the only complete remediation.
Key Takeaways
- CVE-2026-28318 is a high-severity, unauthenticated denial-of-service flaw in SolarWinds Serv-U, triggered by a single specially crafted POST request with no credentials required.
- CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on June 5, 2026, confirming active exploitation is underway; U.S. federal agencies must patch by June 19.
- More than 12,000 Serv-U servers are currently reachable from the public internet, with no confirmed data on how many remain unpatched.
- Serv-U has a documented history of exploitation by Clop ransomware and Chinese state actor DEV-0322, making rapid remediation a matter of organizational security hygiene, not optional maintenance.
- Canadian organizations handling PIPEDA-regulated data over Serv-U MFT infrastructure must assess both patch urgency and potential breach reporting obligations under the act.
- SolarWinds Serv-U 15.5.4 Hotfix 1 is the complete fix; interim mitigations include IP-based access restrictions and blocking POST requests that contain content-encoding headers.
- The CCCS has a track record of issuing advisories aligned with CISA KEV updates affecting Canadian enterprise infrastructure; organizations should monitor CCCS alerts for follow-on guidance.
What You Should Do Now
- Deploy Serv-U 15.5.4 Hotfix 1 immediately. Apply the patch to every Serv-U instance in your environment without waiting for a scheduled maintenance window, especially if any server is internet-accessible.
- Take full inventory of your Serv-U deployments. Identify every instance across your organization, including those operated by managed service providers or third-party vendors. Confirm patch status for each.
- Apply interim mitigations now if patching is delayed. Restrict Serv-U access to known trusted IP addresses and configure your perimeter firewall or WAF to block inbound POST requests containing content-encoding headers.
- Review Serv-U logs for indicators of exploitation. Examine recent logs for unusual POST request patterns, unexpected service crashes, or anomalous traffic from unfamiliar IP addresses that may indicate pre-patch exploitation activity.
- Assess your PIPEDA reporting obligations. If your Serv-U environment handles personal information covered under PIPEDA and was exposed to this vulnerability before patching, consult your privacy officer or legal counsel to determine whether a breach assessment is warranted.
- Subscribe to CCCS threat advisories. The Canadian Centre for Cyber Security publishes timely alerts aligned with CISA KEV catalog additions. Ensure your security team receives these notifications as part of standard vulnerability management operations.
- Harden all MFT platforms as a systematic practice. Use this incident as an opportunity to review access controls, network segmentation, and logging coverage for every Managed File Transfer platform in your environment. MFT servers are high-value targets because they routinely handle sensitive and regulated data.
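The two interim controls described above (trusted-IP restriction and dropping POST requests that carry a Content-Encoding header) and the log review step, worked through as an added example; this is not SolarWinds', CISA's or CCCS's code. The trusted networks, the access-log format and the sample lines are constructed for the example, and Serv-U's own log layout may differ.

```python
"""Added example: interim request filter for a Serv-U HTTP front end, plus the
same check replayed over constructed access-log lines for retrospective review."""
import ipaddress
import re
from typing import Mapping, Optional

# Assumed allow-list for the first interim control (access restriction).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),  # assumed internal segment
    ipaddress.ip_network("192.0.2.0/24"),  # assumed external partner range
]


def is_trusted_source(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_content_encoded_post(method: str, headers: Mapping[str, str]) -> bool:
    """Second interim control. Header names are compared case-insensitively, as
    HTTP requires, so a rule matching only the literal 'Content-Encoding' would
    miss 'content-encoding'. Any value is dropped, not just 'deflate', because
    Serv-U has no legitimate use for the header at all."""
    lowered = {name.strip().lower() for name in headers}
    return method.upper() == "POST" and "content-encoding" in lowered


def should_block(method: str, headers: Mapping[str, str], client_ip: str) -> Optional[str]:
    """Return the reason a request must be dropped, or None if it may pass."""
    if not is_trusted_source(client_ip):
        return "source not in allow-list"
    if is_content_encoded_post(method, headers):
        return "POST with Content-Encoding header"
    return None


# Constructed access-log lines; assumed format: time client method path status ce=<value|->
SAMPLE_LOG = """\
2026-06-06T09:58:11Z 10.20.4.12 GET /files/list 200 ce=-
2026-06-06T09:59:40Z 203.0.113.7 POST /files/upload 503 ce=deflate
2026-06-06T10:00:02Z 10.20.4.12 POST /files/upload 200 ce=-
2026-06-06T10:03:27Z 198.51.100.9 POST /files/upload 503 ce=gzip
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) ce=(\S+)$")


def suspicious_log_lines(log_text: str) -> list:
    """Return log lines showing a Content-Encoding POST, regardless of source,
    for the pre-patch exploitation review the article recommends."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_content_encoded_post(m.group(3), {} if m.group(6) == "-" else {"Content-Encoding": m.group(6)}):
            hits.append(line)
    return hits
```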