An uncontrolled resource consumption vulnerability in SolarWinds Serv-U, tracked as CVE-2026-28318, allows unauthenticated attackers to crash the Serv-U service by sending crafted POST requests with the Content-Encoding: deflate header. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on June 5, 2026 with a federal agency remediation deadline of June 19, 2026. Active exploitation has been confirmed.
What Is the Vulnerability?
CVE-2026-28318 is an uncontrolled resource consumption vulnerability in SolarWinds Serv-U — the managed file transfer (MFT) and FTP server software deployed in enterprise environments for secure, automated, and ad-hoc file exchange. Specially crafted POST requests using the Content-Encoding: deflate header can trigger excessive resource consumption that crashes the Serv-U service without any authentication required.
While the vulnerability itself is a denial of service, the CISA KEV addition with confirmed active exploitation signals that this is being used as part of a broader attack chain. Attackers may be crashing Serv-U instances to: (1) disable secure file transfer capabilities during ransomware attacks, preventing organisations from transferring backup files or incident response data; (2) mask other malicious activity by disrupting logging and monitoring of file transfers; or (3) force service restarts that may load malicious configurations.
Serv-U is deployed across government, financial services, healthcare, and enterprise environments for compliance-mandated secure file transfers. A crashed Serv-U instance disrupts critical business workflows including payroll file transfers, financial data exchange, healthcare claims processing, and supply chain data integration.
- CISA KEV: Added June 5, 2026 — federal agency deadline June 19, 2026
- Attack Vector: Network — unauthenticated crafted POST request
- Status: Actively exploited
Which Versions Are Affected?
- SolarWinds Serv-U: consult the SolarWinds advisory for the specific affected version ranges and the fixed release.
Is It Being Exploited in the Wild?
Yes — CISA KEV addition and independent reports confirm active exploitation. Attackers are sending crafted POST requests to crash unpatched Serv-U instances without authentication. The June 19 deadline provides 14 days to patch from the KEV addition — organisations should patch well before the deadline.
What Is the Fix?
Apply the SolarWinds Serv-U security update. The fix adds proper resource consumption controls for POST requests with the Content-Encoding: deflate header. After updating, verify the Serv-U version and confirm the service is stable. Review Serv-U logs for unusual POST request patterns from unrecognised IP addresses.
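The page does not describe Serv-U's internal cause, so the following is an added illustration of the control class named above, not SolarWinds' code: a request body declared as Content-Encoding: deflate is inflated incrementally while both the inflated size and the compression ratio are capped, and a body that trips either cap is rejected before it can exhaust memory. The limits, the JSON payload and the sample bodies are constructed assumptions.

```python
"""Bounded inflate for a Content-Encoding: deflate request body (example code).

Two limits are enforced while inflating: an absolute output ceiling and an
inflated/compressed ratio ceiling. Both values are assumptions for this
example; tune them to the largest legitimate upload your service accepts.
"""
import zlib

MAX_INFLATED_BYTES = 64 * 1024   # assumed ceiling on the inflated body
MAX_RATIO = 100                  # assumed ceiling on inflated / compressed size


class DecompressionLimitExceeded(Exception):
    """Raised when an inflating body trips a size or ratio limit."""

    def __init__(self, reason: str, produced: int, consumed: int):
        super().__init__(f"{reason}: {produced} bytes from {consumed} compressed bytes")
        self.reason = reason


def inflate_bounded(body: bytes, max_out: int = MAX_INFLATED_BYTES,
                    max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate a zlib-wrapped deflate body (the form RFC 7230 specifies for
    Content-Encoding: deflate) and stop as soon as a limit is exceeded.

    decompressobj().decompress(data, max_length) never returns more than
    max_length bytes; input it could not process yet is parked in
    unconsumed_tail, so the output buffer only ever grows in bounded steps.
    """
    d = zlib.decompressobj()          # zlib.decompressobj(-15) would accept raw deflate
    out = bytearray()
    pending = body
    while pending:
        # Ask for at most one byte beyond the remaining budget: if we receive it,
        # the body is over the limit and the rest is never inflated.
        out += d.decompress(pending, max_out + 1 - len(out))
        consumed = len(body) - len(d.unconsumed_tail)
        if len(out) > max_out:
            raise DecompressionLimitExceeded("inflated size limit", len(out), consumed)
        if len(out) > max_ratio * max(consumed, 1):
            raise DecompressionLimitExceeded("compression ratio limit", len(out), consumed)
        pending = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_out:
        raise DecompressionLimitExceeded("inflated size limit", len(out), len(body))
    if not d.eof:
        raise ValueError("truncated deflate stream")
    return bytes(out)


def classify_body(body: bytes, **limits) -> str:
    """Return 'accepted', 'rejected:<reason>' or 'malformed' for one request body."""
    try:
        inflate_bounded(body, **limits)
        return "accepted"
    except DecompressionLimitExceeded as exc:
        return f"rejected:{exc.reason}"
    except (zlib.error, ValueError):
        return "malformed"


# Constructed sample bodies for the demonstration (not captured traffic).
SAMPLE_NORMAL = zlib.compress(b'{"file": "payroll.csv", "size": 1200}')
SAMPLE_HIGHLY_COMPRESSIBLE = zlib.compress(b"\x00" * (1 << 20))  # 1 MiB of zeros, ~1 KiB compressed
SAMPLE_TRUNCATED = SAMPLE_NORMAL[:-4]                             # Adler-32 trailer cut off

if __name__ == "__main__":
    for name, sample in [("normal", SAMPLE_NORMAL),
                         ("highly compressible", SAMPLE_HIGHLY_COMPRESSIBLE),
                         ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:20} {len(sample):5} compressed bytes -> {classify_body(sample)}")
```

The ratio limit matters in addition to the size limit: a service that accepts large uploads must set a high absolute ceiling, and the ratio check still rejects a body whose few kilobytes expand to megabytes while letting an ordinary large upload through.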
Recommendations
Patch Serv-U well before the June 19 deadline. Confirmed active exploitation means every day unpatched is a day the service can be crashed by attackers. Serv-U should already be restricted to trusted networks — verify that the management interface and FTP/S services are not exposed to the internet.
Monitor Serv-U availability. Implement monitoring for Serv-U service crashes and unexpected restarts. Configure alerts for service downtime — a crash may indicate an active exploitation attempt.
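The two review steps this advisory asks for (checking Serv-U logs for unusual deflate POST traffic from unrecognised addresses under "What Is the Fix?", and alerting on crashes and unexpected restarts here) as worked detection logic. This is example code added to the advisory, not a Serv-U feature or a SolarWinds tool: Serv-U's real log layout is not reproduced on this page, so the request-log format, the service-event format, the trusted network prefix and every sample line are constructed.

```python
"""Detection helpers for the review steps in this advisory (example code).

Both inputs are constructed samples in a generic format; adapt the two
regular expressions / split() calls to your own Serv-U and service-manager
exports.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Deflate POST traffic per client IP ----------------------------------
# Constructed request log: time, client IP, method, path, HTTP status, and the
# Content-Encoding request header ("-" when absent).
REQUEST_LOG = """\
2026-06-06T09:00:01Z 10.20.0.15 POST /api/upload 200 -
2026-06-06T09:00:04Z 198.51.100.23 POST /api/upload 500 deflate
2026-06-06T09:00:04Z 198.51.100.23 POST /api/upload 500 deflate
2026-06-06T09:00:05Z 198.51.100.23 POST / 500 deflate
2026-06-06T09:00:09Z 10.20.0.15 GET /api/files 200 -
2026-06-06T09:00:12Z 10.20.0.40 POST /api/upload 200 deflate
2026-06-06T09:00:15Z 203.0.113.7 POST /api/upload 500 deflate
"""
REQUEST_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<enc>\S+)$"
)
# Assumed: the only network that should reach Serv-U at all. The advisory says the
# service should be restricted to trusted networks; anything else is unrecognised.
TRUSTED_PREFIXES = ("10.20.0.",)


def deflate_post_sources(log_text: str) -> dict:
    """Per client IP, count POST requests that carried Content-Encoding: deflate.

    Returns {ip: {"count": n, "errors": m, "trusted": bool}}; 'errors' counts
    5xx responses, the pattern a service that is falling over produces."""
    stats = defaultdict(lambda: {"count": 0, "errors": 0, "trusted": False})
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "POST" or m["enc"].lower() != "deflate":
            continue
        rec = stats[m["ip"]]
        rec["count"] += 1
        rec["errors"] += int(m["status"].startswith("5"))
        rec["trusted"] = m["ip"].startswith(TRUSTED_PREFIXES)
    return dict(stats)


def suspicious_sources(log_text: str) -> list:
    """IPs outside the trusted ranges that sent deflate POSTs, busiest first."""
    stats = deflate_post_sources(log_text)
    return sorted((ip for ip, r in stats.items() if not r["trusted"]),
                  key=lambda ip: -stats[ip]["count"])


# --- 2. Crash / unexpected-restart clustering -------------------------------
# Constructed service-manager events (the shape only, not a real Windows or
# systemd export): timestamp, service name, event.
SERVICE_EVENTS = """\
2026-06-06T09:00:06Z Serv-U terminated_unexpectedly
2026-06-06T09:00:07Z Serv-U started
2026-06-06T09:00:16Z Serv-U terminated_unexpectedly
2026-06-06T09:00:18Z Serv-U started
2026-06-06T11:30:00Z Serv-U stopped
2026-06-06T11:31:00Z Serv-U started
"""


def crash_windows(events_text: str, service: str = "Serv-U",
                  window: timedelta = timedelta(minutes=5), threshold: int = 2) -> list:
    """Timestamps of unexpected terminations of `service` that fall inside any
    sliding window holding at least `threshold` of them. A planned 'stopped'
    event is not a crash and is ignored."""
    crashes = []
    for line in events_text.splitlines():
        ts, name, event = line.split()
        if name == service and event == "terminated_unexpectedly":
            crashes.append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = []
    for i, start in enumerate(crashes):
        in_window = [c for c in crashes[i:] if c - start <= window]
        if len(in_window) >= threshold:
            flagged.extend(c for c in in_window if c not in flagged)
    return flagged


if __name__ == "__main__":
    print("deflate POSTs from unrecognised sources:", suspicious_sources(REQUEST_LOG))
    print("crash cluster:", [t.isoformat() for t in crash_windows(SERVICE_EVENTS)])
```

Correlating the two outputs is the useful step: a crash cluster whose timestamps sit seconds after deflate POSTs from an unrecognised address is the signal the advisory describes, whereas the same POSTs from a trusted integration host returning 200 are ordinary traffic.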
Review file transfer workflows. If Serv-U is critical to business operations, ensure you have a contingency plan for file transfers during service outages. Consider deploying redundant Serv-U instances or alternative transfer methods as a resilience measure.
References
- CISA Known Exploited Vulnerabilities Catalog — CVE-2026-28318
- Vulnerability Intelligence Report — June 6, 2026 (initial KEV coverage)
- Vulnerability Intelligence Report — June 10, 2026
This advisory is part of the CISA Known Exploited Vulnerabilities (KEV) tracking series. CVE-2026-28318 was added to KEV on June 5, 2026. For a comprehensive view of all active threats, refer to the latest Vulnerability Intelligence Report.
