
Patch Now: CISA Warns of Actively Exploited SolarWinds Serv-U Flaw

Summary

– CISA confirmed that attackers are actively exploiting CVE-2026-28318, a vulnerability in SolarWinds Serv-U that causes a denial-of-service condition.
– The vulnerability allows unauthenticated remote attackers to crash the server by sending HTTP POST requests with a specific Content-Encoding: deflate header.
– US federal civilian agencies must patch or implement mitigations by June 19, 2026, per CISA’s order.
– SolarWinds released Serv-U 15.5.4 Hotfix 1 on June 3 to fix the flaw; users can also block relevant POST requests via a web application firewall.
– Previous SolarWinds Serv-U vulnerabilities, including a remote code execution bug, have been exploited by Chinese attackers and ransomware groups.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Friday that attackers are actively exploiting a vulnerability in SolarWinds Serv-U file transfer servers. Tracked as CVE-2026-28318, the flaw can crash the service and has prompted CISA to order federal civilian agencies to apply a patch or implement mitigations by June 19, 2026.

Understanding CVE-2026-28318

This is an uncontrolled resource consumption vulnerability that remote, unauthenticated attackers can trigger. The issue lies in how the Serv-U service processes HTTP POST requests with a Content-Encoding: deflate header. A carefully crafted request forces the server to consume excessive resources, leading to a crash and a denial-of-service (DoS) condition.

SolarWinds disclosed the vulnerability on June 3, the same day it released Serv-U 15.5.4 Hotfix 1 to address it. The company advises customers who have installed version 15.5.4 to also apply this hotfix. As an alternative, users can configure their web application firewall to restrict server access to known IP addresses and block POST requests containing “content-encoding,” noting that “this functionality is not required by the service.”
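Added example, not code from SolarWinds, CISA or the Help Net Security article: a small request filter that applies the two interim mitigations described above (restrict access to known IP addresses, drop POST requests carrying a Content-Encoding header) to raw HTTP requests, so the WAF logic can be tested offline before deployment. The allowlist, source addresses and sample requests are constructed.

```python
"""Dry-run filter for the Serv-U interim mitigations (added example)."""
import ipaddress

# Constructed allowlist of "known" source networks (hypothetical values).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, headers).
    Header names are lowercased so 'Content-Encoding' and
    'content-encoding' compare equal, as the advisory's rule intends."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0].upper()
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers


def decide(src_ip: str, raw: str) -> tuple:
    """Return ('allow' | 'block', reason). The IP restriction is checked
    first, then the POST + Content-Encoding rule; any encoding value is
    blocked because the advisory says the header is not needed at all."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return "block", "source not in known-IP allowlist"
    method, headers = parse_request(raw)
    if method == "POST" and "content-encoding" in headers:
        return "block", "POST with Content-Encoding: " + headers["content-encoding"]
    return "allow", "ok"


# Constructed sample traffic: (source IP, raw request) pairs.
SAMPLES = [
    ("203.0.113.10", "GET /login HTTP/1.1\r\nHost: serv-u.example\r\n\r\n"),
    ("203.0.113.10", "POST /api HTTP/1.1\r\nHost: serv-u.example\r\n"
                     "Content-Encoding: deflate\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.7", "POST /api HTTP/1.1\r\nHost: serv-u.example\r\n\r\n"),
    ("203.0.113.10", "POST /api HTTP/1.1\r\nHost: serv-u.example\r\n"
                     "content-encoding: gzip\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, req in SAMPLES:
        print(ip, decide(ip, req))
```

Plain POSTs from allowlisted addresses still pass, which is the point of the rule: only the header the service does not need is dropped.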

Why This DoS Bug Matters

This is not the first time SolarWinds Serv-U has been targeted. In the past, a remote code execution vulnerability (CVE-2021-35211) was exploited as a zero-day by suspected Chinese threat actors for cyber espionage, and later by the Cl0p ransomware group. In 2022, an input validation flaw (CVE-2021-35247) was leveraged in Log4j-related attacks. Two years ago, the trivially exploitable CVE-2024-28995 also saw active exploitation.

CISA has not disclosed specific details about the current exploitation of CVE-2026-28318, and there is no evidence yet that ransomware groups are using it. However, SolarWinds Serv-U is a self-hosted solution widely adopted in regulated industries like healthcare, finance, and government, where data sovereignty and audit trails are critical.

While attackers typically prefer vulnerabilities that allow full compromise, a DoS bug can still disrupt operations or serve as a distraction from other covert activities. Organizations should prioritize patching to maintain service availability and security.


(Source: Help Net Security)
