CISA Warns Organizations to Patch SolarWinds Serv-U Immediately
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability affecting SolarWinds Serv-U to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation in the wild. The flaw, tracked as CVE-2026-28318, allows unauthenticated attackers to crash vulnerable Serv-U servers, potentially disrupting critical file transfer operations.
Security experts are urging organizations using SolarWinds Serv-U to apply available patches immediately, as the vulnerability is already being weaponized by threat actors.
What Is CVE-2026-28318?
CVE-2026-28318 is an uncontrolled resource consumption vulnerability that affects SolarWinds Serv-U Managed File Transfer (MFT) and secure file server software. The flaw carries a CVSS score of 7.5 (High Severity) and can be exploited remotely without authentication.
According to SolarWinds, attackers can send specially crafted HTTP POST requests containing the Content-Encoding: deflate header, causing the Serv-U service to crash and resulting in a denial-of-service (DoS) condition.
Why the KEV Addition Matters
CISA's Known Exploited Vulnerabilities Catalog includes security flaws that have been observed being actively exploited by cybercriminals. When a vulnerability is added to the KEV list, it signals a heightened threat level and often prompts urgent remediation efforts across both government and private sectors.
Federal Civilian Executive Branch (FCEB) agencies have been directed to remediate the vulnerability by June 19, 2026, under Binding Operational Directive (BOD) 22-01.
While the directive specifically applies to U.S. federal agencies, cybersecurity professionals recommend that all organizations running affected Serv-U instances prioritize patching due to the confirmed exploitation activity.
Affected Software
The vulnerability impacts SolarWinds Serv-U file transfer software used by enterprises to securely transfer and manage files across networks.
Organizations should upgrade to SolarWinds Serv-U version 15.5.4 HF1, which includes the official security fix for CVE-2026-28318.
Mitigation and Workarounds
For organizations unable to patch immediately, SolarWinds has recommended several temporary mitigation measures:
- Restrict access to trusted IP addresses only.
- Block HTTP requests containing the Content-Encoding header.
- Monitor Serv-U services for unexpected crashes or disruptions.
- Review logs for suspicious POST requests targeting Serv-U servers.
- Deploy the latest Serv-U security updates as soon as possible.
Although no public details have been released regarding the threat actors exploiting the flaw, the confirmed in-the-wild activity increases the urgency for defenders to take action.
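The log review and Content-Encoding checks from the list above can be combined into one pass over proxy logs. The following is an added example, not SolarWinds or CISA code. It assumes a reverse proxy in front of Serv-U that writes JSON-lines logs; the field names (`src`, `method`, `content_encoding`, `status`), the trusted range and the sample lines are all constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: address ranges allowed to reach Serv-U (constructed values).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed JSON-lines sample; the field names are hypothetical proxy log fields.
SAMPLE_LOG = """\
{"src": "10.20.4.7", "method": "POST", "content_encoding": "", "status": 200}
{"src": "203.0.113.50", "method": "POST", "content_encoding": "deflate", "status": 502}
{"src": "203.0.113.50", "method": "POST", "content_encoding": "Deflate", "status": 502}
{"src": "10.20.9.1", "method": "POST", "content_encoding": "gzip", "status": 200}
{"src": "198.51.100.8", "method": "GET", "content_encoding": "", "status": 200}
not-json garbage line
"""


def review_posts(log_text):
    """Summarise, per source, POST requests that carried a Content-Encoding header."""
    hits = defaultdict(lambda: {"count": 0, "encodings": set(), "gateway_errors": 0})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            src = str(ipaddress.ip_address(rec["src"]))  # also validates the address
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        if str(rec.get("method", "")).upper() != "POST":
            continue
        enc = str(rec.get("content_encoding") or "").strip().lower()
        if not enc:
            continue  # no Content-Encoding header on this request
        entry = hits[src]
        entry["count"] += 1
        entry["encodings"].add(enc)
        # Assumption: the proxy answers 502/504 when the Serv-U backend is down.
        if rec.get("status") in (502, 504):
            entry["gateway_errors"] += 1
    report = [
        {"src": s, "trusted": any(ipaddress.ip_address(s) in n for n in TRUSTED_NETS), **e}
        for s, e in hits.items()
    ]
    # Untrusted sources with the most backend failures sort first.
    report.sort(key=lambda r: (r["trusted"], -r["gateway_errors"], -r["count"]))
    return report


if __name__ == "__main__":
    for row in review_posts(SAMPLE_LOG):
        print(row)
```

Sources at the top of the report are outside the trusted ranges and coincide with backend failures, which makes them the first candidates for blocking at the proxy or firewall.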
SolarWinds Serv-U Remains a Frequent Target
SolarWinds Serv-U has a history of attracting attention from cybercriminals due to its role in handling sensitive file transfers. Previous vulnerabilities affecting the platform have been exploited by ransomware groups and state-sponsored actors, making prompt patch management essential for organizations relying on the software.
With thousands of Serv-U instances potentially exposed to the internet, unpatched systems may become attractive targets for opportunistic attackers seeking to disrupt business operations.
Security Takeaway
The addition of CVE-2026-28318 to CISA's KEV Catalog serves as a strong warning that exploitation is already underway. Organizations using SolarWinds Serv-U should immediately assess their exposure, apply the latest security updates, and implement recommended mitigations to reduce the risk of service disruption.
As threat actors continue to target file transfer platforms, maintaining an effective patch management strategy remains one of the most critical defenses against emerging cyber threats.