CISA Flags SolarWinds Serv-U Flaw as Actively Exploited

"SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate," SolarWinds said in an advisory released earlier this week.

CVE-2026-28318: a denial-of-service triggered by Content-Encoding: deflate

The vulnerability, tracked as CVE-2026-28318 and assigned a CVSS score of 7.5, is a denial-of-service (DoS) defect that crashes the Serv-U service under specific conditions. CISA described the issue as an "uncontrolled resource consumption vulnerability that results in a DoS condition." According to SolarWinds, the crash is triggered by specially crafted HTTP POST requests that carry a Content-Encoding header set to "deflate," a request feature the service does not need and that can be sent without authentication.

SolarWinds patch and vendor mitigations: Serv-U 15.5.4 HF1

SolarWinds has released a fix in Serv-U version 15.5.4 HF1. As interim mitigations, the vendor advises limiting access to known addresses and blocking any request containing "content-encoding," on the grounds that Serv-U does not require that header. The fixed version and these two mitigations are the concrete technical steps SolarWinds has published to address the flaw.

CISA’s KEV listing and the federal remediation order

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. CISA has also ordered Federal Civilian Executive Branch (FCEB) agencies to address the flaw by June 19, 2026. The KEV listing signals that CISA believes real-world exploitation is occurring and has set a firm remediation timeline for federal agencies.

Open operational questions and a record of prior Serv-U exploitation

Public reporting so far does not include technical details about how the vulnerability is being exploited in the wild, nor does it identify the actor or actors carrying out those operations. It is also unclear whether any internet-exposed Serv-U instances are currently compromised, and if so how many. The advisory notes that multiple prior Serv-U vulnerabilities have been exploited by bad actors in the past, including those associated with the Cl0p ransomware gang, underscoring that Serv-U has been a repeated target.

What this means for technologists, FCEB agencies, and threat actors

  • Technologists and security teams: Deploy the SolarWinds update to Serv-U 15.5.4 HF1 where feasible, and apply the vendor’s mitigations — restrict access to known addresses and block requests containing "content-encoding" — in environments where an immediate patch is not possible.
  • Federal Civilian Executive Branch (FCEB) agencies: Comply with CISA’s ordered deadline and address the vulnerability by June 19, 2026, per the agency’s KEV directive.
  • Threat actors and opportunistic attackers: CISA’s KEV listing notes evidence of active exploitation; past Serv-U flaws have been leveraged by groups including those associated with Cl0p, which signals ongoing interest in Serv-U products as an operational target.
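As an added illustration of the two vendor mitigations described above (in the patch section and in the first bullet), not SolarWinds code: a hypothetical pre-filter placed in front of Serv-U that enforces a known-address allowlist and rejects any request carrying a Content-Encoding header, with header matching done case-insensitively so a differently cased header name cannot slip past. The networks, hostname and sample requests are constructed for the example.

```python
"""Pre-filter for the CVE-2026-28318 mitigations: allowlist source addresses and
reject any request with a Content-Encoding header. Hypothetical defender example."""
import ipaddress
from typing import Optional, Tuple

# Constructed allowlist: networks permitted to reach the Serv-U web interface.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample requests: one shaped like the crafted POST the advisory
# describes (deflate body encoding), one ordinary POST without the header.
CRAFTED_POST = ("POST /login HTTP/1.1\r\nHost: servu.example\r\n"
                "content-encoding: deflate\r\nContent-Length: 4\r\n\r\nabcd")
BENIGN_POST = ("POST /login HTTP/1.1\r\nHost: servu.example\r\n"
               "Content-Length: 4\r\n\r\nabcd")


def parse_headers(raw_request: str) -> Tuple[str, dict]:
    """Return the request line and a dict of headers keyed by lower-cased name.
    HTTP header names are case-insensitive, so a filter that matches only the
    literal 'Content-Encoding' would let 'content-encoding' through."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def filter_request(source_ip: str, raw_request: str) -> Optional[str]:
    """Return None when the request may be forwarded to Serv-U, otherwise a
    short reason string suitable for a block-log entry."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in KNOWN_NETWORKS):
        return "source not in known-address allowlist"
    _, headers = parse_headers(raw_request)
    if "content-encoding" in headers:
        # The vendor says Serv-U does not need this header, so the mitigation
        # drops the header outright rather than matching only 'deflate'.
        return f"content-encoding header present ({headers['content-encoding']})"
    return None


if __name__ == "__main__":
    for ip, req in [("10.1.2.3", CRAFTED_POST), ("10.1.2.3", BENIGN_POST),
                    ("198.51.100.7", BENIGN_POST)]:
        print(ip, filter_request(ip, req) or "forwarded")
```

The reason strings are intended to be written to the proxy's block log, which also gives a detection signal: a burst of blocked content-encoding requests against Serv-U is worth an analyst's attention.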

The facts in the record are straightforward: a high-severity Serv-U flaw that can crash the service via specially crafted POST requests exists, SolarWinds has issued a fix in 15.5.4 HF1 and recommended immediate mitigations, and CISA has elevated the issue into its KEV catalog while compelling federal agencies to act by June 19, 2026. What remains unclear — and matters for response pacing and risk assessments — is the scope and mechanics of the active exploitation CISA cited and whether any internet-facing instances have been compromised.