U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SolarWinds Serv-U flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SolarWinds Serv-U flaw, tracked as CVE-2026-28318 (CVSS ver 3.1 score of 7.5), to its Known Exploited Vulnerabilities (KEV) catalog. SolarWinds Serv-U is a managed file transfer (MFT) and secure file server platform developed by SolarWinds
The CVE-2026-28318 flaw is an unauthenticated denial-of-service (DoS) vulnerability affecting SolarWinds Serv-U. The issue allows a remote attacker to send a specially crafted HTTP POST request using the Content-Encoding: deflate header, causing the Serv-U service to crash without requiring valid credentials.
Successful exploitation can disrupt file transfer operations and make the service unavailable to legitimate users. SolarWinds has released security updates to address the vulnerability and recommends applying them as soon as possible. For organizations unable to deploy the patch immediately, mitigation measures are available through the SolarWinds Trust Center.
“SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate.” reads the advisory.
The flaw affects SolarWinds Serv-U 15.5.4 and earlier; Serv-U 15.5.4 HF1 addressed the issue.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by June 19, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
