SolarWinds Serv-U CVE-2026-28318: DoS Now Exploited at Scale

Serv-U DoS Now Actively Exploited
CISA added CVE-2026-28318, an unauthenticated denial-of-service flaw in SolarWinds Serv-U, to its Known Exploited Vulnerabilities catalog on June 5, 2026 — one day after the vendor shipped a patch. Attackers can crash any unpatched instance with a single crafted POST request. No credentials required. No user interaction needed. Shodan counts over 12,000 of these servers facing the internet. The math writes itself.
The vulnerability is technically straightforward, which makes it dangerous. A remote attacker sends a POST request with the header Content-Encoding: deflate to an HTTP/HTTPS listener on the file-transfer platform. The server attempts to decompress the payload, consumes uncontrolled resources, and crashes. The application does not actually need Content-Encoding support for its file-transfer functionality. The feature is dead code that just became a weapon.
What CVE-2026-28318 Actually Does
CVE-2026-28318 is classified as an uncontrolled resource consumption vulnerability. SolarWinds rates it high severity. The attack surface is the web listener — the same component that handles HTTP/HTTPS file transfers via the web client interface.
The exploit chain is minimal:
- Attacker identifies a vulnerable server with the web interface exposed (HTTP or HTTPS).
- Sends a POST request containing the header `Content-Encoding: deflate` with a crafted body.
- The application attempts to decompress the payload and spirals into resource exhaustion.
- The service crashes — all file-transfer protocols served by that instance go down (HTTP, HTTPS, FTP, FTPS, SFTP).
No authentication. No privileges. Low complexity. No user interaction. Every condition that makes a vulnerability attractive to mass exploitation is present — a pattern we have seen recently with Microsoft Defender under active exploit and the Exchange OWA zero-day.
SolarWinds confirmed the details in its security advisory and shipped version 15.5.4 Hotfix 1 on June 4, 2026.
CISA’s KEV Entry and the Clock
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on June 5, 2026, citing active exploitation in the wild. Under Binding Operational Directive 22-01, federal agencies must patch by June 19, 2026. CISA explicitly urged private-sector organizations to follow suit.
The two-week remediation window is standard for BOD 22-01, but the real deadline is shorter. This is file-transfer infrastructure — the kind of system that sits at the network perimeter and handles sensitive data flows. Every hour it remains unpatched is a window for either DoS disruption or reconnaissance that could chain into other attacks.
CISA’s language is worth noting: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” That phrasing signals observed activity, not theoretical risk.
Exposure Numbers Tell the Story
Shodan currently indexes over 12,000 instances exposed to the internet. Shadowserver tracks an additional 3,100+. Neither number tells you how many are patched. Given that the hotfix is 48 hours old at the time of writing, the safe assumption is that most are not.
| Metric | Value |
|---|---|
| Instances on Shodan | 12,000+ |
| Instances on Shadowserver | 3,100+ |
| Authentication required | No |
| CVSS severity | High |
| Patch available | Yes — 15.5.4 Hotfix 1 |
| CISA KEV deadline | June 19, 2026 |
These are managed file transfer servers. They move financial records, healthcare data, legal documents, and government files. A DoS condition against MFT infrastructure is not a nuisance — it is a business continuity event.
Recurring Target: A Five-Year Pattern
This file-transfer platform has been a recurring target for both state-sponsored and criminal actors. This is not a one-off event. It is a pattern.
In 2021, the Clop ransomware group exploited CVE-2021-35211, a remote code execution flaw, to breach corporate networks and exfiltrate data. The same CVE was exploited by Chinese threat group DEV-0322 in zero-day attacks starting in July 2021.
In June 2024, CVE-2024-28995, a path-traversal vulnerability, was tagged as actively exploited by both GreyNoise and Rapid7. That flaw allowed attackers to read arbitrary files on the server.
CISA has now flagged 11 SolarWinds vulnerabilities across its product line as actively exploited. That track record matters for defenders prioritizing patch cycles. SolarWinds products are not theoretical targets — they are proven, repeat targets.
Immediate Mitigation: Block Before Patching
For organizations that cannot deploy version 15.5.4 Hotfix 1 immediately, SolarWinds recommends a WAF rule as a compensating control:
- Block POST requests containing the string “content-encoding” in the request headers at the web application firewall or reverse proxy layer.
- Limit access to the web interface to known IP addresses where possible.
- Deploy the hotfix — 15.5.4 Hotfix 1 — as soon as maintenance windows allow.
The WAF rule is effective because legitimate file-transfer operations do not use Content-Encoding. Blocking it has zero functional impact. If your WAF team needs a signature, pattern-match on the header name Content-Encoding in inbound POST requests to any listener.
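The blocking decision described above, written out in Python as an added example (not the vendor's rule or code from this article) so the header-name matching can be checked against sample traffic; the host name, paths and request heads are constructed for the example.

```python
# Constructed sample request heads (not captured traffic): a benign upload,
# a POST carrying the header the advisory warns about, the same header with a
# mixed-case name, and a non-POST request that should pass through.
SAMPLE_REQUESTS = [
    "POST /upload HTTP/1.1\r\nHost: mft.example.internal\r\nContent-Length: 12\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: mft.example.internal\r\n"
    "Content-Encoding: deflate\r\nContent-Length: 9\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: mft.example.internal\r\n"
    "content-ENCODING: gzip\r\nContent-Length: 9\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: mft.example.internal\r\nContent-Encoding: deflate\r\n\r\n",
]


def parse_head(raw):
    """Return (method, path, headers) from a raw HTTP request head.

    Header names are lower-cased on the way in because HTTP header names are
    case-insensitive; a rule that only matches the literal lowercase string
    would miss 'Content-ENCODING'.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def should_block(raw):
    """Compensating control: drop POST requests that carry any Content-Encoding header.

    The header value is deliberately ignored: the advisory's rule keys on the
    header name alone, since legitimate file-transfer traffic never sets it.
    """
    method, _, headers = parse_head(raw)
    return method.upper() == "POST" and "content-encoding" in headers


def triage(requests):
    """Label each constructed request head ALLOW or BLOCK."""
    return ["BLOCK" if should_block(r) else "ALLOW" for r in requests]
```

Any WAF or reverse proxy signature should behave the same way: match the header name case-insensitively and on POST only, so ordinary GET traffic to the web client is not affected.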
Additionally, defenders should audit whether web interfaces need to be internet-facing at all. Many deployments expose HTTP/HTTPS listeners for client convenience when SFTP or VPN-tunneled access would serve the same purpose with a smaller attack surface.
Broader Implications for MFT Security
CVE-2026-28318 is a single vulnerability in a single product. But it illustrates a systemic problem with managed file transfer infrastructure that security teams should internalize.
MFT servers sit at the organizational boundary. They must be reachable by external partners, clients, and sometimes the public. That perimeter position makes them high-value targets. They handle sensitive data. They often run on legacy protocols. And they are frequently maintained by operations teams rather than security teams, which means patching cycles can be slow.
The attack pattern is consistent: find a parsing bug in the HTTP/FTP listener, exploit it without authentication, achieve either DoS or code execution. This product line has been hit three times in five years with variations on this theme. Other MFT vendors — Accellion (Kiteworks), GoAnywhere (Fortra), MOVEit (Progress) — have faced similar targeting with far worse outcomes.
For security leaders, the takeaway is structural: treat MFT as critical infrastructure, not as a file-sharing commodity. That means dedicated vulnerability scanning, aggressive patch SLAs, network segmentation, and redundancy planning for DoS scenarios. If your organization needs a broader framework, our guide to cloud security best practices for 2026 covers the foundational controls.