The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting SolarWinds Serv-U multi-protocol file server software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-28318 (CVSS score: 7.5), is a denial-of-service (DoS) bug that causes the service to crash under certain conditions. CISA described it as an uncontrolled resource consumption vulnerability that results in a DoS condition.
“SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate,” SolarWinds said in an advisory released earlier this week.
The issue has been addressed in SolarWinds Serv-U version 15.5.4 HF1. As mitigations, it’s advised to limit access to known addresses and block any request containing “content-encoding” since the vulnerable service does not require this functionality.
There are currently no details on how the vulnerability is being exploited in real-world attacks, or who is behind them. It’s also unclear how many internet-exposed Serv-U instances are compromised, if any.
CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to address the flaw by June 19, 2026. In the past, multiple flaws in Serv-U have been exploited by bad actors, including those associated with the Cl0p ransomware gang.
