CVE-2026-28318 and SolarWinds' Hotfix
SolarWinds released Serv‑U 15.5.4 Hotfix 1 on Thursday to address a denial‑of‑service vulnerability tracked as CVE‑2026‑28318. The vendor said the flaw stems from an uncontrolled resource consumption weakness and that specially crafted requests using the HTTP header Content‑Encoding: deflate can crash the Serv‑U service. Serv‑U is SolarWinds' file transfer product for Windows and Linux; it offers Managed File Transfer (MFT) and FTP server capabilities and supports HTTP/HTTPS, FTP, FTPS, and SFTP.
How attackers can exploit the Serv‑U flaw
CISA warned that hackers are actively exploiting the recently patched flaw to crash servers. According to SolarWinds' advisory and CISA's bulletin, remote attackers can trigger the crash without authentication, in low‑complexity attacks that require no user interaction. SolarWinds advised administrators who cannot immediately deploy the hotfix to limit access to known addresses and to block any POST request containing "content‑encoding," noting the vulnerable Serv‑U service does not require that functionality.
CISA action: Known Exploited Vulnerabilities Catalog and the June 19 deadline
Days after SolarWinds released the hotfix, CISA flagged CVE‑2026‑28318 as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog. The agency has ordered all Federal Civilian Executive Branch agencies to patch affected servers against ongoing attacks by June 19, under the requirements of Binding Operational Directive 22‑01. CISA emphasized the broader risk, stating: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," and urged teams to "apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Exposure and scale: what internet scanning shows
Public internet intelligence platforms show thousands of Serv‑U installations reachable from the internet. Shodan currently tracks over 12,000 Serv‑U servers exposed online, while Shadowserver reports just over 3,100. The reporting notes there is no public information on how many of those instances have already received the hotfix or other mitigations.
Historical pattern: prior Serv‑U exploits and actor profiles
CISA and the reporting point to a repeated pattern: multiple cybercrime and state‑backed groups have targeted Serv‑U vulnerabilities in past campaigns to steal sensitive corporate and customer data. Examples cited include the Clop ransomware gang's exploitation of a Serv‑U remote code execution vulnerability (CVE‑2021‑35211) during a 2021 campaign and DEV‑0322's exploitation of the same CVE in zero‑day attacks beginning in July 2021. More recently, cybersecurity firms GreyNoise and Rapid7 labeled a Serv‑U path‑traversal flaw (CVE‑2024‑28995) as actively exploited in June 2024. CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited over the past several years, one of which was also abused by ransomware gangs.
What this means for federal agencies, private network defenders, and administrators
- Federal agencies: the directive is clear — apply the patch or mitigations by June 19 under BOD 22‑01; CISA has placed CVE‑2026‑28318 on the Known Exploited Vulnerabilities Catalog to enforce that requirement.
- Private network defenders: CISA urged the private sector to secure networks against ongoing attacks as soon as possible, even though the binding deadline applies only to federal civilian agencies.
- System administrators and operators of Serv‑U instances: if immediate patching is not possible, follow SolarWinds' mitigation guidance — restrict access to known addresses and block POST requests containing "content‑encoding" — because the vulnerable service does not require that header.
SolarWinds has issued a hotfix and CISA has imposed a federal deadline; the practical question that remains is whether operators of the thousands of publicly exposed Serv‑U servers will apply the fix or mitigations before June 19. The counts from Shodan and Shadowserver make clear the window for action is narrow, and CISA's placement of CVE‑2026‑28318 on the Known Exploited Vulnerabilities Catalog ensures the vulnerability will remain a priority for federal systems in the coming days.
Source: BleepingComputer — CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers




