CISA Warns Hackers Exploit Patched SolarWinds Serv-U Flaw

CISA warned that hackers are actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. The vulnerability is tracked as CVE-2026-28318.

CISA adds Serv-U flaw to Known Exploited Vulnerabilities Catalog. Days after SolarWinds addressed the vulnerability, CISA flagged it as exploited in the wild and added it to the catalog. The agency ordered all Federal Civilian Executive Branch agencies to patch their servers by June 19 as mandated by Binding Operational Directive 22-01.

While the directive applies only to U.S. government agencies, CISA urged all network defenders including the private sector to secure networks against ongoing CVE-2026-28318 attacks as soon as possible.

Serv-U vulnerability enables unauthenticated denial-of-service attacks. SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch the denial-of-service vulnerability stemming from an uncontrolled resource consumption weakness. The company said Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate.

Remote attackers can exploit the security flaw without privileges in low-complexity attacks that do not require user interaction.

SolarWinds issues temporary mitigations for unpatched systems. SolarWinds advised admins who cannot immediately deploy the patch to limit access to known addresses. The company also recommended blocking any POST request containing "content-encoding" since the vulnerable Serv-U service does not require this functionality.

CISA warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. It advised applying mitigations per vendor instructions, following applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.

Thousands of Serv-U servers remain exposed online. The Internet intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed online. Internet security watchdog Shadowserver tracks just over 3,100.

There is no information on how many have already been patched.

Serv-U flaws repeatedly targeted by multiple threat actors. In recent years, multiple cybercrime and state-backed hacking groups have targeted vulnerabilities in Serv-U to steal sensitive corporate and customer data. For instance, the Clop ransomware gang exploited a Serv-U remote code execution vulnerability in a 2021 campaign while DEV-0322 Chinese hackers deployed exploits in zero-day attacks starting in July 2021.

More recently in June 2024, GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability as actively exploited. Over the past several years, CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks, one of which has also been abused by ransomware gangs.