On June 5, 2026, CISA added vulnerability CVE-2026-28318 (CVSS 7.5) to the Known Exploited Vulnerabilities catalog, confirming that it is being actively exploited. The vulnerability affects SolarWinds Serv-U, a multi-protocol file server widely used for file transfers in corporate environments. An unauthenticated attacker can trigger a complete denial of service with a specially crafted HTTP request. Organizations using Serv-U must immediately install the 15.5.4 HF1 update or apply the recommended mitigations.
Technical analysis of the vulnerability
CVE-2026-28318 is classified as an uncontrolled resource consumption vulnerability (CWE-400) that leads to a denial-of-service condition. According to the SolarWinds security advisory, the attack vector is extremely simple: a specially crafted POST request with the Content-Encoding: deflate header sent to the Serv-U service causes the process to crash.
Key characteristics of the vulnerability:
- No authentication required — the attack is possible without any credentials
- CVSS score: 7.5 (high severity)
- Affected product: SolarWinds Serv-U (multi-protocol file server)
- Fixed in: version 15.5.4 HF1
- Exploitation status: listed in the CISA KEV catalog (active exploitation confirmed)
The low barrier to exploitation is noteworthy. The Content-Encoding: deflate header is a standard HTTP header, and crafting a malicious request does not require sophisticated tooling or deep technical expertise. At the same time, as the vendor notes, the Serv-U service does not need to process this header at all, which makes its presence in a request a reliable indicator of anomalous activity.
Threat context
At the time of publication, no public details are available about concrete exploitation scenarios for CVE-2026-28318. It is unknown which threat groups are behind the attacks and how many internet-exposed Serv-U instances have been compromised.
However, the historical context is worth noting. The SolarWinds Serv-U product has repeatedly been targeted by attackers. In particular, vulnerability CVE-2021-35211 was used by the TA505 group, associated with the Cl0p ransomware operators, to gain initial access to target systems. It is important to stress that there is currently no confirmed direct link between the ongoing exploitation of CVE-2026-28318 and any specific threat group.
Nevertheless, the very fact that attackers are once again focusing on Serv-U creates a consistent pattern: file transfer servers remain a priority target. They are often exposed to the internet, handle sensitive data, and frequently run outdated software versions.
Impact assessment
At first glance, a denial-of-service–type vulnerability may seem less critical than remote code execution. However, in the context of a file server that provides data transfer within an organization, the consequences can be significant:
- Business process disruption: interruption of file exchange between departments, partners, and customers
- Component of a complex attack: a DoS vulnerability can be used as a distraction while attackers penetrate via other vectors, or to force a service restart in a vulnerable configuration
- Repeatability: because authentication is not required, the attack can be automated and used to keep the service unavailable indefinitely
The highest risk is borne by organizations whose Serv-U instances are directly reachable from the internet without additional traffic filtering. U.S. federal civilian agencies are required to remediate the vulnerability by June 19, 2026 under CISA directives.
Mitigation recommendations
Response priority is high. Recommended actions:
- Install the update: upgrade SolarWinds Serv-U to version 15.5.4 HF1, in which the vulnerability is fixed
- Block the header at the network level: if immediate updating is not possible, configure a reverse proxy or WAF to block incoming requests that contain the Content-Encoding header. According to the vendor’s recommendations, Serv-U does not use this functionality, so blocking it will not affect legitimate operation
- Restrict network access: allow connections to Serv-U only from known trusted IP addresses. If the service must be accessible from the internet, use allowlists
- Review logs: analyze web server logs for POST requests with the Content-Encoding: deflate header, especially from unknown sources and preceding unexpected service crashes
- Reassess the need for external access: consider placing Serv-U behind a VPN if direct internet access is not strictly required
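The log-review step above, written out as a small triage script; this is an added example, not code from SolarWinds or from the advisory. It assumes the reverse proxy in front of Serv-U logs the request's Content-Encoding header as a final quoted field (a custom log format, not a default one), and it goes slightly beyond the text by treating header values case-insensitively and handling comma-separated coding lists; all log lines, addresses and paths are constructed.

```python
import re
from collections import Counter

# Assumed (constructed) access-log layout: an nginx-style log_format that
# appends the request's Content-Encoding header as the last quoted field,
# e.g. '$remote_addr [$time_local] "$request" $status "$http_content_encoding"'.
# Adapt the regex to whatever proxy or WAF actually fronts Serv-U.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<content_encoding>[^"]*)"$'
)

# Constructed sample lines: two POSTs from one source carrying deflate (one
# with odd casing), ordinary traffic without the header, one request listing
# several codings, and one unparsable line.
SAMPLE_LOG = """\
203.0.113.10 [05/Jun/2026:10:14:02 +0000] "POST /upload HTTP/1.1" 500 "deflate"
203.0.113.10 [05/Jun/2026:10:14:05 +0000] "POST /upload HTTP/1.1" 502 "Deflate"
198.51.100.7 [05/Jun/2026:10:15:11 +0000] "GET /login HTTP/1.1" 200 "-"
198.51.100.7 [05/Jun/2026:10:15:40 +0000] "POST /login HTTP/1.1" 302 "-"
192.0.2.44 [05/Jun/2026:10:16:00 +0000] "POST /upload HTTP/1.1" 200 "gzip, deflate"
this line is not in the expected format
""".splitlines()


def is_suspicious(line: str) -> bool:
    """True for a POST whose request carried Content-Encoding: deflate.

    Serv-U does not consume a request Content-Encoding header, so the vendor
    treats its presence as anomalous; this flags the deflate value named in
    the advisory. Header values are case-insensitive and may list several
    codings, so the value is split and normalised before matching.
    """
    m = LOG_LINE.match(line)
    if not m or m.group("method") != "POST":
        return False
    enc = m.group("content_encoding")
    if enc in ("", "-"):
        return False  # header absent on this request
    codings = {c.strip().lower() for c in enc.split(",")}
    return "deflate" in codings


def triage(lines) -> dict:
    """Map each source IP to its count of suspicious POSTs, busiest first."""
    counts = Counter(LOG_LINE.match(ln).group("ip") for ln in lines if is_suspicious(ln))
    return dict(counts.most_common())


if __name__ == "__main__":
    for ip, n in triage(SAMPLE_LOG).items():
        print(f"{ip}: {n} POST(s) with Content-Encoding: deflate")
```

Sources that appear here, especially shortly before an unexpected Serv-U crash, are the ones to correlate with the service logs first.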
The inclusion of CVE-2026-28318 in the CISA KEV catalog despite the lack of public exploitation details indicates that attacks have already been observed, but information about them has not yet been fully disclosed. Organizations should not wait for detailed incident reports — upgrading to version 15.5.4 HF1 or blocking the Content-Encoding header at the network level should be carried out within days, not weeks.