Skip to content

SolarWinds Serv-U Under Active Attack

The Hacker News · Story 4 of 6

The U.S. Cybersecurity and Infrastructure Security Agency has added a high-severity SolarWinds Serv-U vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation. Tracked as CVE-2026-28318 with a CVSS score of 7.5, the flaw allows unauthenticated denial-of-service attacks against file transfer servers.

The vulnerability enables specially crafted POST requests using a Content-Encoding: deflate header to crash the Serv-U service without authentication. The service processes the malformed request, consumes uncontrolled resources, and crashes. While this is a denial-of-service bug rather than remote code execution, the impact on file transfer operations can be severe for organisations that depend on Serv-U for business-critical data exchange.

SolarWinds released a fix in Serv-U version 15.5.4 Hotfix 1. As a workaround, administrators can limit access to known IP addresses and block any request containing Content-Encoding headers, since the vulnerable service does not legitimately require this functionality.

CISA ordered Federal Civilian Executive Branch agencies to remediate by June 19, 2026. In the past, SolarWinds Serv-U flaws have been exploited by sophisticated threat actors including the Cl0p ransomware gang, making this vulnerability particularly concerning for organisations in the ransomware crosshairs.

Bishop Fox published a technical analysis confirming the vulnerability is strictly a crash, not an RCE, after chasing three potential remote code execution paths that all proved to be dead ends. However, service disruption alone can be devastating for file transfer infrastructure handling time-sensitive business operations.

Analysis
Live

SolarWinds Serv-U keeps showing up in threat reports, and that pattern matters. If you're running Serv-U for file transfers, treat every CVE as priority one — this product has a target on its back. The fix is straightforward (15.5.4 HF1), but the real lesson is operational: any internet-facing file transfer service needs aggressive patch cadences and network-level access controls. If you haven't moved file transfer behind a VPN or zero-trust layer yet, this is your reminder.

Frequently Asked Questions
Is CVE-2026-28318 an RCE vulnerability?

No. Bishop Fox confirmed it is strictly a denial-of-service crash. Three potential RCE paths were investigated and all proved to be dead ends.