CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity SolarWinds Serv-U Denial-of-Service (DoS) vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed evidence of active exploitation. The directive requires Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by June 19, 2026, while private sector organizations are strongly urged to patch immediately.
The Vulnerability: CVE-2026-28318
Tracked as CVE-2026-28318, this unauthenticated DoS flaw carries a CVSS score of 7.5 and targets the Serv-U multi-protocol file server service. The vulnerability allows attackers to crash the Serv-U service by sending specially crafted POST requests that include the Content-Encoding: deflate header. No authentication is required, making it trivial to exploit at scale.
The attack works by triggering uncontrolled resource consumption within the Serv-U process. When the malformed request is received, the service attempts to process the deflate encoding but fails to handle the resource allocation properly, resulting in a complete service crash. This renders the file server unavailable until manual intervention restarts the service.
Why This Matters: The KEV Catalog Significance
CISA's KEV Catalog is not a routine advisory—it is a prioritized list of vulnerabilities that are actively being weaponized in the wild. Inclusion in the KEV catalog signals that:
- Exploitation Is Confirmed: This is not theoretical; attackers are actively using this flaw in real-world attacks.
- Remediation Is Mandatory for FCEB: Federal agencies face a hard deadline (June 19, 2026) to patch or face compliance consequences.
- Private Sector Should Prioritize: While not mandated, CISA's guidance makes clear that all organizations that take cybersecurity seriously should treat this as urgent.
Remediation and Mitigation Options
SolarWinds has released a security update—Serv-U version 15.5.4 HF1—that addresses CVE-2026-28318. Organizations should prioritize this patch above all else.
For environments where immediate patching is not feasible, CISA and SolarWinds recommend the following mitigations:
- IP Access Restrictions: Limit Serv-U access to known, trusted IP addresses only. This reduces the attack surface by preventing unauthenticated connections from unknown sources.
- Block Content-Encoding Headers: Configure web application firewalls (WAFs) or reverse proxies to block any POST requests containing the Content-Encoding header. The vulnerable service does not require this functionality for legitimate operations.
- Monitor for Crash Events: Implement logging and alerting for unexpected Serv-U service terminations. Sudden crashes may indicate active exploitation attempts.
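One way to act on the crash-monitoring mitigation, as an added example (not code from CISA or SolarWinds): the script below correlates unexpected Serv-U terminations with POST requests that carried a Content-Encoding header shortly beforehand. The access-log layout, the 30-second window, the crash timestamps and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data. The layout (timestamp, client IP, method, path,
# request Content-Encoding or "-") is an assumed custom reverse-proxy log format.
ACCESS_LOG = """\
2026-06-08T10:14:58Z 198.51.100.23 GET / -
2026-06-08T10:15:01Z 203.0.113.7 POST / deflate
2026-06-08T10:15:02Z 203.0.113.7 POST / deflate
2026-06-08T11:30:00Z 198.51.100.23 POST /upload -
2026-06-08T12:00:10Z 192.0.2.44 POST / gzip
"""
# Constructed timestamps of unexpected Serv-U service terminations, for example
# exported from the host's service manager or event log.
CRASH_TIMES = ["2026-06-08T10:15:03Z", "2026-06-08T11:45:00Z"]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_posts(log_text):
    """Yield (time, ip, encoding) for POSTs that carried a Content-Encoding header."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing at fields
        when, ip, method, _path, enc = parts
        if method.upper() == "POST" and enc != "-":
            yield _ts(when), ip, enc.lower()


def correlate(log_text, crash_times, window_s=30):
    """Map each crash to the source IPs that sent encoded POSTs just before it."""
    posts = list(suspicious_posts(log_text))
    window = timedelta(seconds=window_s)
    report = {}
    for crash in crash_times:
        t = _ts(crash)
        # Only requests in the window *before* the crash count as candidates.
        report[crash] = sorted(
            {ip for when, ip, _ in posts if timedelta(0) <= t - when <= window}
        )
    return report


if __name__ == "__main__":
    for crash, ips in correlate(ACCESS_LOG, CRASH_TIMES).items():
        verdict = "review, possible exploitation" if ips else "no preceding encoded POST"
        print(crash, verdict, ips)
```

A crash with no preceding encoded POST still needs investigation, and source IPs that do appear are candidates for the IP access restrictions listed above.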
Strategic Context: SolarWinds Under Renewed Scrutiny
This incident occurs against the backdrop of SolarWinds' long recovery from the catastrophic 2020 SUNBURST supply chain attack. While CVE-2026-28318 is not a supply chain compromise or remote code execution flaw, its addition to the KEV catalog reinforces that SolarWinds products remain high-value targets for adversaries.
For security teams, the lesson is clear: vendors with historical exposure attract persistent scrutiny from attackers. Every new vulnerability in their portfolio is assumed to be weaponized until proven otherwise.
The Bottom Line
CVE-2026-28318 is a straightforward DoS flaw, but its inclusion in the KEV catalog elevates it from a routine bug to a priority remediation item. For FCEB agencies, patching is mandatory within two weeks. For everyone else, the math is simple: an unauthenticated DoS that requires no user interaction and can be exploited en masse is exactly the kind of low-effort, high-impact attack that botnets and ransomware operators love. Patch now, mitigate if you must, but do not ignore this advisory. When CISA says "actively exploited," they mean it.

















