CISA Adds Actively Exploited SolarWinds Serv-U Denial-of-Service Vulnerability (CVE-2026-28318) to KEV Catalog

CISA Mandates Patch for Actively Exploited SolarWinds DoS Flaw Added to KEV Catalog

HIGH
June 8, 2026
5m read
Vulnerability, Patch Management, Regulatory

Related Entities

Organizations

CISA, SolarWinds, Federal Civilian Executive Branch

Products & Tech

Serv-U

CVE Identifiers

CVE-2026-28318
CRITICAL

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive after adding CVE-2026-28318, a critical vulnerability in SolarWinds Serv-U, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is an uncontrolled resource consumption flaw that enables an unauthenticated remote attacker to cause a denial-of-service (DoS) condition. Because exploitation has been confirmed, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply the patch or implement mitigations by June 19, 2026. SolarWinds has released Serv-U version 15.5.4 Hotfix 1 to address the issue. The vulnerability's presence in the KEV catalog signals a significant and immediate risk to every organization running the affected software.


Vulnerability Details

CVE-2026-28318 is an uncontrolled resource consumption vulnerability affecting SolarWinds Serv-U managed file transfer software. The flaw can be triggered by a remote, unauthenticated attacker, making it highly exploitable.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request containing the Content-Encoding: deflate header. The Serv-U service improperly handles this request, leading to excessive resource consumption (CPU and memory), which ultimately causes the service to crash and become unavailable. This constitutes a classic denial-of-service attack.

Affected Systems

  • Product: SolarWinds Serv-U
  • Affected Versions: All versions prior to 15.5.4 Hotfix 1

Exploitation Status

CISA has confirmed that CVE-2026-28318 is being actively exploited in the wild. The addition to the KEV catalog serves as official confirmation of this activity. Details about the threat actors exploiting the vulnerability have not been publicly disclosed, but the ease of exploitation suggests it could be used by a wide range of adversaries, from script kiddies to more sophisticated groups.

Impact Assessment

While a DoS vulnerability may not seem as severe as a remote code execution (RCE) flaw, the context of Serv-U's deployment makes it critical. The software is a self-hosted file transfer solution widely used by organizations in regulated and critical industries such as finance, healthcare, and government for secure data exchange. An extended outage of this service can lead to:

  • Business Disruption: Inability to send or receive critical business files, disrupting operations.
  • Compliance Violations: Failure to meet SLA requirements for data exchange with partners or regulatory bodies.
  • Financial Loss: Direct financial impact from downtime and operational stoppage.

Given the history of past Serv-U vulnerabilities being exploited by state-sponsored actors and ransomware gangs, any actively exploited flaw in the product is a major concern. Attackers could use this DoS vulnerability to disrupt operations as a precursor to another attack or as part of an extortion campaign.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Type: url_pattern
    Value: POST /
    Description: Monitor for an unusual volume of HTTP POST requests to the Serv-U web interface.
    Context: Web server logs, WAF logs, network traffic analysis.
  • Type: network_traffic_pattern
    Value: Content-Encoding: deflate
    Description: Specifically look for HTTP POST requests containing this header, as it is the trigger for the vulnerability.
    Context: Web server logs, WAF logs, deep packet inspection.
  • Type: service_name
    Value: Serv-U.exe
    Description: Monitor for unexpected crashes or restarts of the Serv-U service process.
    Context: Windows Event Logs (Application Log, System Log), EDR.
  • Type: event_id
    Value: 1000
    Description: Look for Application Error events (Event ID 1000) in the Windows Event Log related to Serv-U.exe.
    Context: Windows Event Log (Application).

Detection Methods

  • Vulnerability Scanning: Use a vulnerability scanner with updated plugins to actively scan for vulnerable instances of SolarWinds Serv-U in your environment.
  • Log Analysis: In your SIEM, create detection rules to alert on a high frequency of POST requests to Serv-U servers, especially from a single source IP. Alert on any POST request containing the Content-Encoding: deflate header. This can be achieved with D3FEND's Network Traffic Analysis (D3-NTA).
  • Endpoint Monitoring: Monitor the Serv-U.exe process for high CPU or memory usage and unexpected terminations. EDR tools can be configured to alert on these conditions.
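As an added example (not code from the original article or from SolarWinds), the following Python implements the two log-analysis checks above over a constructed JSON-lines access log: it flags POST requests whose Content-Encoding header lists deflate, matching the header name case-insensitively and handling multi-coding values such as "gzip, deflate", and it flags any source that sends a burst of POSTs inside a sliding window. The log format, field names, source addresses and thresholds are assumptions for the example.

```python
import json
from collections import defaultdict, deque

# Constructed JSON-lines access log (assumed field names; not real Serv-U or WAF output).
SAMPLE_LOG = """\
{"ts": 100.0, "src": "203.0.113.7", "method": "POST", "path": "/", "headers": {"content-encoding": "deflate"}}
{"ts": 100.2, "src": "203.0.113.7", "method": "POST", "path": "/", "headers": {"Content-Encoding": "gzip, DEFLATE"}}
{"ts": 100.4, "src": "198.51.100.2", "method": "POST", "path": "/", "headers": {}}
{"ts": 101.0, "src": "203.0.113.7", "method": "POST", "path": "/", "headers": {"content-encoding": "gzip"}}
{"ts": 101.5, "src": "203.0.113.7", "method": "GET", "path": "/", "headers": {}}
{"ts": 160.0, "src": "198.51.100.2", "method": "POST", "path": "/", "headers": {"Accept-Encoding": "deflate"}}
"""

def content_encodings(headers):
    """Codings listed in a Content-Encoding header, lower-cased.
    Header names are matched case-insensitively; "gzip, deflate" yields both.
    Accept-Encoding (a client preference, not a request body coding) is ignored."""
    for name, value in headers.items():
        if name.lower() == "content-encoding":
            return [c.strip().lower() for c in value.split(",") if c.strip()]
    return []

def is_trigger_request(event):
    """The pattern the advisory describes: an HTTP POST carrying Content-Encoding: deflate."""
    return event["method"].upper() == "POST" and "deflate" in content_encodings(event["headers"])

def analyze(log_text, burst_threshold=3, window_seconds=60.0):
    """One pass over JSON-lines events in timestamp order.
    Returns (hits, bursts): hits lists (ts, src) for deflate POSTs; bursts is the
    set of sources that sent >= burst_threshold POSTs within any sliding window."""
    hits, bursts = [], set()
    recent = defaultdict(deque)  # src -> timestamps of its POSTs still inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["method"].upper() != "POST":
            continue  # only POSTs matter for both rules
        if is_trigger_request(ev):
            hits.append((ev["ts"], ev["src"]))
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window_seconds:  # drop timestamps older than the window
            q.popleft()
        if len(q) >= burst_threshold:
            bursts.add(ev["src"])
    return hits, bursts
```

Only the second source's Accept-Encoding line is deliberately a near miss: a rule keyed on the bare string "deflate" would alert on it, while this one does not.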

Remediation Steps

  1. Patch Immediately: The primary remediation is to upgrade to SolarWinds Serv-U version 15.5.4 Hotfix 1 or a later version. This should be treated as an emergency change.
  2. Apply Workaround (If Patching is Delayed): If immediate patching is not possible, SolarWinds recommends using a Web Application Firewall (WAF) as a compensating control. Configure the WAF to block all inbound HTTP POST requests that contain the Content-Encoding header. According to SolarWinds, this header is not required for normal Serv-U functionality.
  3. Verification: After applying the patch or workaround, verify that the Serv-U service is running and accessible. Attempt to send a test file to confirm functionality has not been negatively impacted.

These steps align with the D3FEND countermeasure Software Update (D3-SU).

Timeline of Events

  1. June 3, 2026: SolarWinds discloses the vulnerability and releases Serv-U version 15.5.4 Hotfix 1.
  2. June 7, 2026: CISA adds CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog.
  3. June 8, 2026: This article was published.
  4. June 19, 2026: Deadline for Federal Civilian Executive Branch (FCEB) agencies to apply patches or mitigations.

MITRE ATT&CK Mitigations

The most effective mitigation is to apply the security patch provided by SolarWinds to update the software to a non-vulnerable version.

As a workaround, use a WAF or network filter to block the specific malicious request pattern before it reaches the vulnerable server.

While not a direct prevention, having robust backups is critical in case a DoS attack is used as a diversion for a more destructive attack like ransomware.

D3FEND Defensive Countermeasures

The primary and most effective countermeasure is to immediately apply the patch from SolarWinds, upgrading Serv-U to version 15.5.4 Hotfix 1 or newer. Given that CVE-2026-28318 is being actively exploited and is listed in the CISA KEV catalog, patching should be considered an emergency action. Organizations should activate their incident response and emergency change management procedures to deploy this update. Prioritize patching for all internet-facing Serv-U instances first, followed by internal ones. After patching, it is crucial to verify that the update was successful and that the service is operating normally. Delaying this action leaves the organization exposed to service disruptions that could impact critical business operations.

For organizations unable to patch immediately, the recommended compensating control is to implement an inbound traffic filter using a Web Application Firewall (WAF). A specific WAF rule should be created to inspect all inbound HTTP POST requests destined for the Serv-U server. The rule must be configured to identify and block any request that contains the Content-Encoding: deflate header. This surgical filtering approach blocks the known attack vector without impacting legitimate traffic, as SolarWinds has confirmed this header is not needed for normal operation. This is a critical temporary mitigation that buys time for a proper patching cycle and directly prevents the exploitation of CVE-2026-28318.

Security teams should proactively hunt for exploitation attempts by analyzing network traffic to and from Serv-U servers. Configure network monitoring tools and SIEMs to alert on spikes in HTTP POST requests or any request containing the Content-Encoding: deflate header. This serves as a detection mechanism to identify if the organization is being targeted. Furthermore, by establishing a baseline of normal traffic patterns, security teams can more easily spot deviations that could indicate an attack. Even after patching, maintaining this detection capability is valuable for identifying future, unknown attacks against the platform.

Sources & References

Cyber Daily News for June 7, 2026
YouTube (youtube.com) June 7, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2026-28318, CISA, KEV, SolarWinds, Serv-U, DoS, Vulnerability, Patch Management
