SolarWinds Serv-U Flaw Lets Attackers Crash the Service: CVE-2026-28318, Now Exploited
A flaw in the enterprise file-transfer server SolarWinds Serv-U lets attackers crash the service by sending a crafted request without authentication. Tracked as CVE-2026-28318 (CVSS 7.5), CISA added it to KEV on June 5, 2026 as actively exploited and ordered federal agencies to fix it by June 19. Here are the affected versions, the 15.5.4-hotfix-1 fix, and what to do now.

Makoto Horikawa
Backend Engineer / AWS / Django
A flaw has been found in SolarWinds Serv-U — server software widely used by enterprises to exchange files securely with partners and between sites — that lets an attacker take the service down by sending a single crafted request from outside. It is tracked as CVE-2026-28318, with a CVSS v3.1 severity score of 7.5, the second-highest of four bands ("High").
What makes it serious is that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog on June 5, 2026. A KEV listing means there is evidence the flaw is already being used in real-world attacks. CISA ordered U.S. federal agencies to remediate it by June 19, 2026.
This article explains, in plain terms, what happens, which versions are affected and how to update, how to weigh the fact that it is already being exploited, and what organizations running Serv-U should do right now.
Which versions are affected, and how to update
Here is the bottom line first. The flaw affects every Serv-U version before 15.5.4-hotfix-1, including base 15.5.4 without the hotfix. The fix is 15.5.4-hotfix-1. Applying it closes the hole.
| Your version | Status | What to do now |
|---|---|---|
| 15.5.4-hotfix-1 or later | Fixed | No action needed |
| 15.5.4 (without the hotfix) | Affected | Apply hotfix-1 |
| Anything before 15.5.4 (15.5.x / 15.4.x, etc.) | Affected | Update, then apply hotfix-1 |
Update by following the steps in the official SolarWinds security advisory and the release notes. If you cannot apply the hotfix immediately, take the interim steps below and apply it as soon as possible. The KEV entry even lists discontinuing use of the product as an option if remediation is not possible in time — a sign of how urgent the situation is.
What happens: one crafted request can knock the file-transfer server offline
Serv-U is a "managed file transfer (MFT)" server that enterprises use to hand large files securely between partners and sites. Because it deals with the outside world, it is often run facing the internet — placed where attackers can see it directly.
The problem here is that when an attacker sends a specially crafted web request (a POST request) to Serv-U, the service itself crashes and goes down. Specifically, the crash is triggered by abusing the instruction used to send compressed data (the HTTP header "Content-Encoding: deflate"), which breaks the server's processing. Technically it is an "uncontrolled resource consumption" flaw (CWE-400) — a denial-of-service (DoS) that overloads the server and makes the service unavailable.
CVE-2026-28318: an unauthenticated crafted POST crashes the Serv-U service
The flaw is tracked as CVE-2026-28318. According to the NVD (the U.S. vulnerability database), the attack requires no authentication (no login). The CVSS breakdown shows it succeeds over the network (AV:N), with no special privileges (PR:N) and no user interaction (UI:N), and the impact lands only on "availability" (C:N/I:N/A:H). In other words, it is not a flaw that steals or alters data — it is one that stops the server and halts file exchange.
You might think "if nothing leaks, it can't be that bad." But once the file-transfer backbone is down, deliveries, invoicing, and order data with partners stall on the spot. And this is not a theoretical concern: CISA confirmed it is "actively exploited" and added it to KEV. An attacker can take the service down from outside without even logging in, and it is actually being used — that is the substance of this case.
Who wants this bug, and what do they walk off with
The danger of this flaw is not that something gets stolen but that the artery of your business — handing files back and forth — can be silenced from outside with no password and no login. The people who go after this are competitors or aggrieved former insiders who want to disrupt deals and deliveries, attention-seeking pranksters and hacktivists, and intruders who want to briefly knock out monitoring and logging to hide a separate, main attack. What they take is not the data itself but the everyday certainty that file exchange "just works." The moment a single crafted request is sent in, Serv-U goes down and file transfers inside and outside the company are halted on the spot.
When the service stops, the damage does not end at one downed box. Delivery files, invoices, and order data fail to arrive on schedule, leading to delays and apologies to partners and a loss of trust. More troubling is the pattern where the outage is used as a "diversion" — staged while staff and attention are consumed by recovery, so the attacker can push the real ransomware or data theft. Serv-U has a history of being used as a foothold in ransomware attacks, so an outage is not necessarily a standalone nuisance.
And the loss from the downed service, plus the cleanup, lands on the IT team that operates the file-transfer backbone. They end up shouldering the business loss from the outage, breaches of service-level promises (SLAs) with partners, the burden of root-cause analysis and recovery, and the accountability of "why was this left unpatched." CISA ordered federal agencies to remediate by June 19 precisely because this is not a "we'll get to it someday" matter but one where attacks are happening now. More than the CVSS 7.5 or the "DoS" label, it is the fact that exploitation has already begun that decides whether you act now.
Why SolarWinds Serv-U keeps getting targeted
This is not the first time Serv-U has drawn attackers. CISA's KEV catalog already lists three earlier Serv-U flaws. In 2021, a remote-code-execution flaw (CVE-2021-35211) was confirmed to have been used in ransomware attacks, and in 2024 a path-traversal flaw (CVE-2024-28995) that lets file contents be read was added. CVE-2026-28318 is Serv-U's fourth KEV entry.
The backdrop is the nature of managed file transfer. MFT is placed facing the internet to exchange large files with outside parties, and a company's important data passes through it daily. To an attacker, it is an ideal target: "reachable directly from the net, halts business if taken down, and may yield the contents too." The same kind of file-transfer and file-sharing backbones — IBM Aspera and Gladinet Triofox — have also seen serious flaws surface in recent months.
On top of that, the name SolarWinds carries the history of 2020, when the company's monitoring product became the launch point of a massive supply-chain attack. SolarWinds products remain a priority for attacker research, and it is realistic to assume that a product like Serv-U, which keeps landing on KEV, will see each new flaw quickly weaponized.
From disclosure to confirmed exploitation
This flaw landed on KEV just one day after it was added to the database. The fix is already out, but the flaw is being actively exploited. Here is the timeline.
It is already being exploited: how to weigh the risk and the window
To put it plainly, what this flaw causes is a "service outage," not a data leak or a full server takeover (code execution). The remote-code-execution flaws in Serv-U that have landed on KEV before hand over the whole server; this one does not. The fact that data is not stolen is the first thing to keep in mind.
What you cannot dismiss, though, is that the service can be taken down without authentication, over the network, and with no user interaction, and that it is already being used in real attacks. CISA adds items to KEV not when exploit code merely exists in theory but when actual exploitation has been observed. The outage of file transfer is itself a direct business loss, and as noted there is also the concern of it being used to mask another attack. With exploitation confirmed, "no data leaks, so it can wait" is too risky a call to make.
CISA ordered federal agencies to remediate by June 19, 2026. That order is for federal agencies, but with exploitation confirmed, it is a reasonable benchmark for private firms to move with the same urgency. Organizations running an internet-facing Serv-U should treat this date as their own deadline. As with recent flaws in everyday software, whether you notice that "a backbone you rely on needs updating" and apply the fix quickly is what separates being hit from not.
What to do right now
For organizations running Serv-U, the core action is applying the hotfix. The steps are as follows.
- Check the version of your running Serv-U; if it is earlier than 15.5.4-hotfix-1, treat it as affected
- Apply 15.5.4-hotfix-1 by following the official SolarWinds advisory and the release notes
- If you cannot apply it right away, reduce the attack surface — do not expose the Serv-U management interface (web/HTTP) directly to the internet; limit it to the internal network or VPN, and restrict source IPs
- Strengthen logging and uptime monitoring to catch service crashes and suspicious POST requests
- Until remediation is complete, consider "discontinuing use of the product" as an option, as CISA indicates
In particular, if you run Serv-U with its web management or file-exchange endpoint exposed to the internet, raise the priority and act. This attack succeeds simply by sending a crafted request to that exposed endpoint, so the longer it remains reachable from outside, the higher the risk. If you operate multiple Serv-U instances, inventory them and roll out the update across all of them to be sure.
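The version check and multi-instance inventory from the steps above, as an added example (not SolarWinds code and not part of the original article). It assumes versions are recorded in the form the article uses (`15.5.4`, `15.5.4-hotfix-1`); the host names and inventory are constructed sample data. The hotfix suffix has to sort after the base release, the opposite of a semver pre-release tag, so a generic semver comparison would wrongly report base 15.5.4 as fixed.

```python
import re

# Fixed release named in the article; anything that sorts before it is affected.
FIXED = "15.5.4-hotfix-1"

# Up to three numeric components plus an optional "-hotfix-N" suffix.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-hotfix-(\d+))?$", re.I)

def parse_version(text):
    """Return ((major, minor, patch), hotfix_level) for '15.5.4' or
    '15.5.4-hotfix-1'. Missing components and a missing suffix count as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hotfix = (int(g or 0) for g in m.groups())
    return (major, minor, patch), hotfix

def is_affected(text, fixed=FIXED):
    """True when the version sorts before the fixed release.
    Tuple comparison puts '15.5.4' (hotfix 0) before '15.5.4-hotfix-1'."""
    return parse_version(text) < parse_version(fixed)

def classify(inventory):
    """Map host -> 'fixed' | 'affected' | 'unknown'. Unparseable versions are
    reported as 'unknown' so they get a manual check instead of a silent pass."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result

# Constructed inventory: host names and version values are sample data only.
SAMPLE_INVENTORY = {
    "mft-edge-01": "15.5.4",            # base release without the hotfix
    "mft-edge-02": "15.5.4-hotfix-1",   # the fixed release
    "mft-dmz-03": "15.4.2",             # hypothetical older 15.4.x install
    "mft-lab-04": "15.5.4-hotfix-2",    # hypothetical later hotfix
    "mft-old-05": "15.5.4.1234",        # unexpected format: flagged, not guessed
}

if __name__ == "__main__":
    for host, status in classify(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:18} {status}")
```

Hosts reported as `unknown` should be checked by hand against the SolarWinds advisory rather than assumed safe.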
FAQ
Q. Can files or data be stolen through this flaw?
No. CVE-2026-28318 is a denial-of-service (DoS) flaw that stops the server. The CVSS breakdown shows the impact is on availability only (no impact on the confidentiality or integrity of information). Data theft and code execution do not occur, but the outage itself is a business loss, and there is a concern it may be used as a diversion for another attack.
Q. Which version should I update to?
Update to 15.5.4-hotfix-1 or later. The base 15.5.4 (without the hotfix) is also affected. SolarWinds' official advisory and release notes lay out the affected versions and the steps to apply the fix.
Q. Is it already being used in attacks?
Yes. On June 5, 2026, the U.S. CISA added this flaw to its KEV catalog as one used in real-world attacks and required federal agencies to remediate by June 19. A KEV listing means actual exploitation has been observed.
Q. What if I cannot apply the hotfix immediately?
Avoid exposing Serv-U's management and file-exchange endpoints directly to the internet; limit them to a VPN or the internal network and restrict the source addresses to reduce the attack surface. Also strengthen uptime monitoring and review logs for suspicious traffic. If you still cannot remediate in time, consider discontinuing use of the product, as CISA indicates.
Conclusion
CVE-2026-28318 is a flaw in the enterprise file-transfer backbone SolarWinds Serv-U that lets an attacker take the service down by sending a single crafted request without authentication. The impact is limited to denial of service (DoS) — no data theft or server takeover — but the U.S. CISA confirmed it is "actively exploited," added it to KEV on June 5, 2026, and ordered federal agencies to remediate by June 19, making it a high-urgency case.
The fix, 15.5.4-hotfix-1, is already out. Organizations running Serv-U should check their version and apply the hotfix, and if they cannot do so immediately, take interim steps such as limiting internet exposure. This is Serv-U's fourth KEV entry; the surest defense is to operate on the assumption that file-transfer backbones keep being targeted, and to make updating and monitoring a habit.
References
- NVD - CVE-2026-28318
- SolarWinds Official Security Advisory - CVE-2026-28318
- SolarWinds - Serv-U 15.5.4-hotfix-1 Release Notes
- CISA - Known Exploited Vulnerabilities Catalog
- SecurityWeek - SolarWinds Patches Four Critical Serv-U Vulnerabilities
- CVE.org - CVE-2026-28318
- CWE-400: Uncontrolled Resource Consumption