CISA Warns of Active Exploitation in SolarWinds Serv-U DoS Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued an urgent warning regarding active exploitation of a recently patched high-severity denial-of-service (DoS) vulnerability in **SolarWinds Serv-U** software. Tracked as **CVE-2026-28318**, the flaw allows unauthenticated attackers to crash servers, prompting federal agencies and the private sector to patch immediately.

The U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** has today warned that threat actors are actively exploiting a critical, recently patched flaw in **SolarWinds Serv-U** file transfer software.
### The Critical Serv-U DoS Flaw
The vulnerability, identified as **CVE-2026-28318**, is a high-severity denial-of-service (DoS) flaw stemming from an uncontrolled resource consumption weakness. **SolarWinds** released **Serv-U 15.5.4 Hotfix 1** on Thursday to address this issue.
According to **SolarWinds**, the flaw makes **Serv-U** susceptible to specially crafted POST requests that can crash the service without requiring authentication. These attacks leverage `Content-Encoding: deflate` headers. Remote attackers can exploit this security flaw with low complexity, requiring no privileges or user interaction.
**Serv-U** is **SolarWinds'** file transfer solution for Windows and Linux, offering Managed File Transfer (MFT) and FTP server capabilities for secure file exchange via HTTP/HTTPS, FTP, FTPS, and SFTP.
### Active Exploitation and CISA's Directive
Days after **SolarWinds** released its patch, **CISA** flagged **CVE-2026-28318** as being actively exploited in the wild. The agency promptly added it to its **Known Exploited Vulnerabilities Catalog**, mandating that all Federal Civilian Executive Branch agencies patch their servers by June 19, in accordance with **Binding Operational Directive (BOD) 22-01**.
While **BOD 22-01** specifically targets U.S. government entities, **CISA** has strongly urged all network defenders, including those in the private sector, to secure their networks against ongoing attacks leveraging **CVE-2026-28318** without delay.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** stated. "Apply mitigations per vendor instructions, follow applicable **BOD 22-01** guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
### Mitigation Strategies
For administrators unable to immediately deploy the patch, **SolarWinds** advises limiting access to **Serv-U** to known, trusted IP addresses. Additionally, blocking any POST requests containing `content-encoding` can serve as a temporary mitigation, as the vulnerable **Serv-U** service does not require this functionality.
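As an added illustration of the two interim controls above (example code written for this page, not SolarWinds' own, and not part of the advisory), the following Python request gate applies both in front of an HTTP listener: it allowlists client source networks and rejects any POST carrying a `Content-Encoding` header, matching the header name case-insensitively as HTTP requires. The trusted networks, hostnames and sample request heads are constructed placeholders.

```python
from __future__ import annotations
import ipaddress

# Constructed allowlist of trusted client networks (placeholder ranges, not real ones).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.1 request head into (method, target, headers).
    Header names are lower-cased: HTTP header names are case-insensitive, so a
    filter that only matches 'Content-Encoding' literally would be trivially bypassed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        if ":" not in line:
            continue  # ignore malformed header lines rather than crash the gate
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def gate_request(client_ip: str, raw: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one inbound request.
    Control 1: only trusted source networks may reach the service at all.
    Control 2: drop every POST that carries Content-Encoding, whatever its value,
    since the advisory says the service does not need request-body encoding."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in TRUSTED_NETWORKS):
        return False, "source IP not in allowlist"
    method, _target, headers = parse_request_head(raw)
    if method == "POST" and "content-encoding" in headers:
        return False, f"POST with Content-Encoding: {headers['content-encoding']}"
    return True, "ok"


# Constructed sample request heads (bodies are irrelevant to the decision).
PLAIN_POST = b"POST /upload HTTP/1.1\r\nHost: mft.example.test\r\nContent-Length: 0\r\n\r\n"
ENCODED_POST = (b"POST /upload HTTP/1.1\r\nHost: mft.example.test\r\n"
                b"content-encoding: deflate\r\nContent-Length: 0\r\n\r\n")
ENCODED_GET = b"GET / HTTP/1.1\r\nHost: mft.example.test\r\nContent-Encoding: deflate\r\n\r\n"
```

The gate only blocks POST, mirroring the vendor guidance; a GET with the same header passes, so deploy it alongside the patch rather than instead of it.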
Internet intelligence platforms indicate a significant attack surface: **Shodan** tracks over 12,000 **Serv-U** servers exposed online, while **Shadowserver** identifies just over 3,100. The number of these servers that have already been patched remains unknown.
*Serv-U servers exposed online (Shodan)*
### A History of Serv-U Vulnerabilities
**SolarWinds Serv-U** has been a recurring target for cybercrime groups and state-backed hackers. In recent years, multiple critical vulnerabilities have been exploited to gain access to sensitive corporate and customer data.
For instance, in 2021, the **Clop** ransomware gang exploited a **Serv-U** remote code execution (RCE) vulnerability, **CVE-2021-35211**, to breach corporate networks. Concurrently, Chinese hacking group **DEV-0322** also utilized exploits for **CVE-2021-35211** in zero-day attacks.
More recently, in June 2024, cybersecurity firms **GreyNoise** and **Rapid7** observed active exploitation of another **Serv-U** flaw, a path-traversal vulnerability tracked as **CVE-2024-28995**.
### The Broader SolarWinds Attack Surface
Over the past several years, **CISA** has cataloged 11 vulnerabilities across various **SolarWinds** products as actively exploited in attacks, with at least one also being abused by ransomware gangs. This history underscores the critical importance for organizations using **SolarWinds** products to maintain rigorous patching schedules and implement robust security measures.