CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, with a federal remediation deadline of June 19. If you run Serv-U, you are already late.
The federal deadline for this fix was June 19. If you run SolarWinds Serv-U anywhere in your environment, you are already late.
What Happened
CISA added a critical SolarWinds Serv-U vulnerability, tracked as CVE-2026-28318, to its Known Exploited Vulnerabilities (KEV) catalog on June 5, 2026, confirming that threat actors are actively exploiting it in the wild. SolarWinds disclosed the flaw on June 3 and simultaneously released Serv-U 15.5.4 Hotfix 1 to fix it.
Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch agencies were required to remediate by June 19, 2026. CISA's message to private-sector organizations is equally direct: treat that federal deadline as your own.
How the Attack Works
CVE-2026-28318 is an Uncontrolled Resource Consumption flaw (CWE-400). It lives in the way Serv-U processes HTTP POST requests that carry the Content-Encoding: deflate header. A remote, unauthenticated attacker can send a specially crafted request that forces the service to consume excessive resources, crashing it and producing a denial-of-service condition.
A denial-of-service flaw can sound less alarming than remote code execution, but the reality is more nuanced. Security researchers note this type of crash is useful inside broader attack chains: it can disable secure file transfer during a ransomware deployment, prevent organizations from moving backup or incident-response data, and disrupt logging that would otherwise surface other malicious activity.
Why Serv-U Is Such a Tempting Target
SolarWinds Serv-U is a managed file transfer and FTP server deployed across enterprises worldwide. It runs on Windows and Linux, integrates with Active Directory and LDAP, and underpins automated file exchange in healthcare, finance, government, and manufacturing. That reach makes it a persistent target.
The history is well documented. The Clop ransomware gang exploited CVE-2021-35211, a remote code execution flaw, in 2021. Chinese state-sponsored group DEV-0322 weaponized the same vulnerability in zero-day attacks. CVE-2026-28318 is now the eleventh SolarWinds vulnerability listed in CISA's KEV catalog.
Even though this flaw does not directly compromise confidentiality or data integrity, crashing Serv-U at the wrong moment disrupts payroll processing, compliance workflows, partner data exchanges, and automated file transfers. For any business that depends on the platform daily, that is a serious incident.
What You Need to Do Right Now
Work through this checklist today, in order.
1. Find every Serv-U instance in your environment. Check shadow IT, subsidiary networks, and cloud-hosted deployments, not just your primary data centre. Serv-U instances often spread beyond the systems the security team actively tracks.
2. Apply the hotfix immediately. The fix is SolarWinds Serv-U 15.5.4 HF1. If you are running end-of-life versions 15.4.2, 15.5, or 15.5.1, upgrade to a supported release first. If you recently moved to 15.5.4, the hotfix is still a separate, required step.
3. Apply interim mitigations if patching will be delayed.
Block any inbound HTTP request containing a Content-Encoding header at your firewall or reverse proxy. The vulnerable Serv-U service does not require this functionality, so blocking it carries minimal operational risk.
4. Restrict internet exposure. Active exploitation has been observed on Serv-U instances directly reachable from the public internet. If your deployment does not need to be open to the internet, move it behind a VPN or restrict access to known partner IP ranges now.
5. Monitor for unusual service restarts and traffic anomalies. Alert on unexpected Serv-U process crashes. In clustered or high-availability deployments, a restart can go unnoticed. Attackers can also use forced restarts to load malicious configurations.
6. Check your broader patch posture. This vulnerability does not exist in isolation. In a single week in June 2026, security teams also faced a record 200-vulnerability Microsoft Patch Tuesday, a new unpatched Windows Defender zero-day, a publicly exploited ServiceNow API flaw, a fifth actively exploited Chrome zero-day of the year, and a fresh supply chain attack wave hitting more than 100 npm and PyPI packages. Patch fatigue is real, and attackers are counting on it.
The Bigger Picture
Availability bugs in internet-facing transfer services give attackers disruption, distraction, and foothold opportunities all at once. The KEV catalog is CISA's mechanism for separating theoretical risk from observed, active risk. When a vulnerability lands there with a two-week federal remediation deadline, it is not a bureaucratic formality. It means attackers are working the problem right now.
Whether CVE-2026-28318 has been leveraged specifically inside ransomware campaigns is not yet confirmed, but given Serv-U's documented history with Clop and nation-state actors, waiting is not a credible option.
How 247techify Can Help
At 247techify, we work with businesses every day to cut through patch overload, prioritize critical vulnerabilities like CVE-2026-28318, and build the processes that stop one missed hotfix from becoming a full incident. If you run Serv-U or any managed file transfer platform and are not sure where you stand, get in touch with our team at https://www.247techify.com/ and we will help you find out fast.
%22%2F%3E%0A%20%20%20%20%20%20%3Cstop%20offset%3D%22100%25%22%20stop-color%3D%22hsl(210%2070%25%2040%25)%22%2F%3E%0A%20%20%20%20%3C%2FlinearGradient%3E%0A%20%20%3C%2Fdefs%3E%0A%20%20%3Crect%20width%3D%221536%22%20height%3D%221024%22%20fill%3D%22url(%23g)%22%2F%3E%0A%20%20%3Ccircle%20cx%3D%221095%22%20cy%3D%22295%22%20r%3D%22320%22%20fill%3D%22white%22%20opacity%3D%220.08%22%2F%3E%0A%20%20%3Ccircle%20cx%3D%22505%22%20cy%3D%22405%22%20r%3D%22240%22%20fill%3D%22black%22%20opacity%3D%220.06%22%2F%3E%0A%3C%2Fsvg%3E)