The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered vulnerability affecting SolarWinds Serv-U file transfer software to its Known Exploited Vulnerabilities (KEV) Catalog after confirming that the flaw is being actively targeted in attacks.
The vulnerability, identified as CVE-2026-28318, carries a CVSS severity score of 7.5 and can be exploited to trigger a denial-of-service (DoS) condition, potentially causing affected servers to become unavailable.
Active Exploitation Prompts CISA Warning
CISA’s decision to include the flaw in its KEV catalog indicates that security agencies have observed real-world exploitation attempts targeting vulnerable systems.
According to the agency, the issue stems from uncontrolled resource consumption within SolarWinds Serv-U, allowing attackers to crash the service through specially crafted requests. Successful exploitation can disrupt file transfer operations and impact business-critical services that rely on the platform.
The vulnerability does not require authentication, increasing the potential risk for internet-facing installations.
SolarWinds Releases Security Fix
SolarWinds has issued a security advisory confirming that the vulnerability affects Serv-U Multi-Protocol File Server software.
The company stated that specially crafted HTTP POST requests containing specific content-encoding parameters can force the Serv-U service to crash unexpectedly. To address the issue, SolarWinds released a patch in Serv-U version 15.5.4 HF1.
Organizations using the platform are strongly encouraged to upgrade to the latest version as soon as possible to eliminate exposure.
Recommended Mitigation Measures
For environments that cannot immediately deploy the security update, SolarWinds has provided temporary mitigation guidance.
Security teams are advised to:
- Restrict access to trusted IP addresses wherever possible.
- Block requests containing the “Content-Encoding” header associated with the attack method.
- Monitor Serv-U services for unexpected crashes or availability issues.
- Review internet-facing deployments for signs of malicious activity.
These measures can help reduce exposure while patching efforts are underway.
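As an added illustration of the interim measures listed above (not SolarWinds or CISA code), the following Python sketch triages reverse-proxy access logs for the traffic those measures would block: sources outside the trusted allowlist and POST requests carrying a Content-Encoding header. The JSON log format, field names, header values and address ranges are assumptions constructed for this example.

```python
import ipaddress
import json

# Assumption: trusted ranges allowed to reach Serv-U; replace with your own allowlist.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]

# Constructed sample: JSON access-log lines from a reverse proxy in front of
# Serv-U. Field names (src, method, path, content_encoding) are hypothetical.
SAMPLE_LOG = """\
{"ts":"2026-06-01T10:00:01Z","src":"10.20.4.7","method":"POST","path":"/upload","content_encoding":""}
{"ts":"2026-06-01T10:00:05Z","src":"203.0.113.50","method":"POST","path":"/","content_encoding":"gzip"}
{"ts":"2026-06-01T10:00:09Z","src":"10.20.9.9","method":"POST","path":"/","content_encoding":"deflate"}
{"ts":"2026-06-01T10:00:12Z","src":"198.51.100.23","method":"GET","path":"/","content_encoding":""}
not json
"""

def is_trusted(src):
    """True if src falls inside any allowlisted network (raises ValueError if malformed)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines):
    """Return (line_no, reasons, src) for every log line that needs review."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            src = rec["src"]
            trusted = is_trusted(src)
        except (ValueError, KeyError, TypeError):
            findings.append((n, "unparseable", None))  # never drop bad lines silently
            continue
        reasons = []
        if not trusted:
            reasons.append("untrusted-source")
        # Any non-empty Content-Encoding on a POST is flagged, per the interim guidance.
        if str(rec.get("method", "")).upper() == "POST" and rec.get("content_encoding"):
            reasons.append("post-with-content-encoding")
        if reasons:
            findings.append((n, "+".join(reasons), src))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

Correlating flagged timestamps with Serv-U service restarts or crash events covers the monitoring item in the same list.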
Details of Attacks Remain Unknown
At this stage, cybersecurity authorities have not disclosed details regarding the threat actors responsible for exploiting the vulnerability.
It remains unclear how widespread the attacks are, how long exploitation has been occurring, or whether any organizations have experienced significant service disruptions as a result.
There is also no public information indicating the number of exposed Serv-U servers currently vulnerable to the flaw.
Federal Agencies Given June Deadline
Following the KEV catalog addition, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by June 19, 2026.
The KEV catalog serves as a prioritized list of security flaws known to be exploited in the wild, helping government agencies and private-sector organizations focus remediation efforts on the most urgent threats.
Serv-U Remains a Frequent Target
SolarWinds Serv-U has attracted significant attention from threat actors in recent years due to its widespread deployment in enterprise environments.
Several vulnerabilities affecting the platform have previously been leveraged in cyberattacks, including incidents linked to financially motivated cybercriminal groups and ransomware operators.
Security experts warn that once vulnerabilities are publicly disclosed and added to the KEV catalog, exploitation activity often increases as attackers attempt to target organizations that have not yet applied available patches.
Urgent Action Recommended
Cybersecurity professionals are urging organizations running SolarWinds Serv-U servers to prioritize patch deployment and vulnerability assessments immediately.
Given the confirmed active exploitation and the ease with which the flaw can be triggered, delaying remediation could leave systems vulnerable to service interruptions and operational disruption.
Organizations should also review asset inventories to identify exposed Serv-U installations and ensure that all internet-accessible instances are updated to the latest supported version.