Hackers exploit SolarWinds Serv-U flaw to crash servers

Summary
– CISA warns that hackers are actively exploiting a high-severity SolarWinds Serv-U flaw (CVE-2026-28318) to crash servers.
– The vulnerability allows unauthenticated remote attackers to crash the Serv-U service via specially crafted POST requests with Content-Encoding: deflate.
– SolarWinds released a patch (Serv-U 15.5.4 Hotfix 1) on June 12, and CISA ordered U.S. federal agencies to patch by June 19.
– Over 12,000 Serv-U servers are exposed online, but it is unknown how many have been patched.
– Past attacks on Serv-U vulnerabilities include the Clop ransomware gang in 2021 and Chinese hackers, with CISA tagging 11 SolarWinds flaws as actively exploited.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that hackers are actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers, urging immediate action.
SolarWinds Serv-U is a file transfer solution for Windows and Linux systems, providing Managed File Transfer (MFT) and FTP server capabilities for secure file exchanges over HTTP/HTTPS, FTP, FTPS, and SFTP. On Thursday, the company rolled out Serv-U 15.5.4 Hotfix 1 to address the denial-of-service vulnerability, cataloged as CVE-2026-28318, which originates from an uncontrolled resource consumption weakness.
According to SolarWinds, “Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate.” This means remote attackers can exploit the bug in low-complexity attacks without needing privileges or user interaction. For administrators unable to immediately apply the patch, SolarWinds recommends restricting access to known IP addresses and blocking any POST requests containing “content-encoding,” as the vulnerable service doesn’t require this feature.
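The two interim workarounds above (restrict the Serv-U HTTP listener to known source IPs, and drop any POST that carries a Content-Encoding header) can be expressed as a single request-filtering policy. The following is an added example, not code from SolarWinds or CISA: it parses the head of a raw HTTP request, applies both rules, and runs them over a few constructed sample requests. The trusted networks, hostnames and URL paths are placeholders chosen for the example; the only page-derived detail is the Content-Encoding header on a POST.

```python
"""Request filter modelling the pre-patch CVE-2026-28318 workarounds.

Added example (not SolarWinds' or CISA's code). It models the two vendor
mitigations as one policy check that a reverse proxy, WAF rule or host
firewall in front of the Serv-U web listener could enforce:
  1. only accept requests from known source networks (allowlist constructed here)
  2. reject any POST carrying a Content-Encoding header, since the vulnerable
     service does not need that feature.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed allowlist of trusted client networks (constructed for this example).
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")
]


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.1 request head.

    Header names are lower-cased so that the match is case-insensitive;
    HTTP header names are case-insensitive, so "content-encoding" and
    "Content-Encoding" must be treated alike or the filter is trivially bypassed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip blank or malformed header lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def check_request(raw: bytes, client_ip: str) -> Verdict:
    """Apply the IP allowlist first, then the POST/Content-Encoding rule."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return Verdict(False, f"source {client_ip} not in allowlist")
    method, _target, headers = parse_request_head(raw)
    if method == "POST" and "content-encoding" in headers:
        enc = headers["content-encoding"]
        return Verdict(False, f"POST with Content-Encoding: {enc} blocked")
    return Verdict(True, "ok")


# Constructed sample requests (hostname and paths are placeholders). The second
# and fourth carry the header pattern named in the SolarWinds advisory.
SAMPLES = [
    ("10.1.2.3", b"GET / HTTP/1.1\r\nHost: mft.example.test\r\n\r\n"),
    ("10.1.2.3", b"POST /login HTTP/1.1\r\nHost: mft.example.test\r\n"
                 b"Content-Encoding: deflate\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.9", b"GET / HTTP/1.1\r\nHost: mft.example.test\r\n\r\n"),
    ("10.1.2.3", b"POST /login HTTP/1.1\r\nHost: mft.example.test\r\n"
                 b"content-encoding: gzip\r\n\r\n"),
    ("10.1.2.3", b"POST /login HTTP/1.1\r\nHost: mft.example.test\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"),
]


def run_samples() -> list[bool]:
    """Return the allow/block decision for each constructed sample, in order."""
    return [check_request(raw, ip).allowed for ip, raw in SAMPLES]


if __name__ == "__main__":
    for ip, raw in SAMPLES:
        v = check_request(raw, ip)
        first_line = raw.split(b"\r\n", 1)[0].decode()
        print("ALLOW" if v.allowed else "BLOCK", ip, first_line, "-", v.reason)
```

The filter deliberately blocks on the presence of any Content-Encoding value on a POST, not just "deflate", because the vendor guidance is to reject the header outright and the service has no legitimate need for it; an allowlist-first ordering also keeps untrusted sources from reaching the header check at all. Ordinary POSTs without the header, such as the last sample, still pass.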
Data from the internet intelligence platform Shodan reveals over 12,000 Serv-U servers are exposed online, while the Shadowserver Foundation counts just over 3,100. It remains unclear how many have been patched. Just days after the fix was released, CISA added the flaw to its Known Exploited Vulnerabilities Catalog, mandating that all Federal Civilian Executive Branch agencies apply patches by June 19, per Binding Operational Directive (BOD) 22-01.
Although BOD 22-01 applies only to U.S. government entities, CISA strongly urged all network defenders, including those in the private sector, to secure their systems against ongoing CVE-2026-28318 attacks without delay. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the agency warned. It advised following vendor mitigation instructions, adhering to BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.
Historically, Serv-U vulnerabilities have been prime targets for both cybercrime and state-backed hackers seeking to steal sensitive corporate and customer data. In 2021, the Clop ransomware gang leveraged a remote code execution flaw (CVE-2021-35211) to breach corporate networks. That same year, the China-based DEV-0322 threat group exploited CVE-2021-35211 in zero-day attacks starting in July. More recently, in June 2024, cybersecurity firms GreyNoise and Rapid7 flagged a Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited.
Over the past several years, CISA has identified 11 vulnerabilities across various SolarWinds products as actively exploited in attacks, with some also abused by ransomware groups.
(Source: BleepingComputer)