A No-Authentication Crash Flaw Is Already Being Used in the Wild

SolarWinds Serv-U has a new problem, and attackers didn’t wait long to start using it. Within days of SolarWinds releasing a patch, the U.S. Cybersecurity and Infrastructure Security Agency confirmed that CVE-2026-28318 is being actively exploited — a denial-of-service vulnerability that lets remote attackers crash Serv-U servers without supplying any credentials at all.

What makes this particularly uncomfortable is the attack surface. Serv-U runs on both Windows and Linux and handles file transfers across HTTP/HTTPS, FTP, FTPS, and SFTP. Organizations running it often do so for sensitive data movement — the kind of infrastructure where unexpected downtime creates serious operational pressure, and where attackers know disruption carries leverage.

What the Vulnerability Actually Does

The flaw traces back to an uncontrolled resource consumption weakness. An attacker sends a specially crafted POST request that carries a Content-Encoding: deflate header, a detail that matters because, according to SolarWinds, the Serv-U service does not require or use that functionality. The result is a crashed service, achievable without authentication, without elevated privileges, and without any interaction from a user on the target system.

SolarWinds rated this as high severity. The low-complexity nature of the attack — no special tooling, no chained exploits — means the barrier to exploitation is minimal. An attacker doesn’t need to know anything about the target organization beyond that it runs an exposed Serv-U instance.

The fix arrived in Serv-U 15.5.4 Hotfix 1, released Thursday. For administrators who cannot immediately apply the patch, SolarWinds outlined two interim steps: restrict service access to known, trusted IP addresses, and block any POST request containing the string “content-encoding” at the network or application layer. Neither workaround eliminates the underlying vulnerability, but both reduce the attack surface meaningfully while a patch window is arranged.

The internet exposure picture is not small. Shodan currently tracks over 12,000 Serv-U servers reachable from the public internet, while Shadowserver’s count sits at just over 3,100. There’s no available data on how many of those instances have already received the hotfix.

CISA’s Response and the Federal Deadline

CISA moved quickly. After SolarWinds published the patch, the agency added CVE-2026-28318 to its Known Exploited Vulnerabilities Catalog and issued a mandate under Binding Operational Directive 22-01: all Federal Civilian Executive Branch agencies must patch affected Serv-U deployments by June 19.

BOD 22-01 applies specifically to U.S. federal agencies, not the private sector. But CISA explicitly extended its guidance beyond that boundary, urging network defenders across industries to treat this as an active threat requiring immediate action. The agency’s language was direct: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

CISA also outlined what to do if patching isn’t immediately feasible: apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or stop using the product entirely if no mitigation path exists. That last option — discontinue use — reflects how seriously the agency is treating ongoing exploitation, not just theoretical risk.

Serv-U Has Been Here Before

This isn’t the first time Serv-U has landed at the center of a significant exploitation campaign. The platform has a documented history of being targeted by both financially motivated criminal groups and state-linked threat actors.

In 2021, CVE-2021-35211, a remote code execution vulnerability in Serv-U, was used in zero-day attacks beginning in July by DEV-0322, a China-based threat actor tracked by Microsoft; later that year the Clop ransomware gang exploited the same flaw to breach corporate networks at scale. The overlap, a state-linked actor and a criminal ransomware group weaponizing the same Serv-U flaw within months of each other, illustrated how quickly a working exploit migrates across threat ecosystems once it is proven effective.

More recently, in June 2024, GreyNoise and Rapid7 both flagged active exploitation of CVE-2024-28995, a path-traversal vulnerability in Serv-U. That flaw allowed attackers to read files from affected servers without authentication — a different attack class than denial-of-service, but consistent with the broader pattern of Serv-U becoming a repeated point of interest for attackers scanning for file transfer infrastructure.

Across all SolarWinds products, CISA has now tagged 11 separate vulnerabilities as actively exploited in real-world attacks. At least one of those has been used directly by ransomware operators.

What Administrators Should Do Right Now

The immediate priority is straightforward: apply Serv-U 15.5.4 Hotfix 1.

For environments where that's not immediately possible, the two mitigations SolarWinds outlined, IP allowlisting and blocking POST requests with a Content-Encoding header, should be implemented at the firewall or reverse proxy layer as a holding measure. Two practical details: HTTP header names are case-insensitive, so the header match must be case-insensitive as well, and the filter has to sit on every path that reaches the Serv-U HTTP/HTTPS listener, not just the one behind the proxy. These controls won't stop an attacker who already has a foothold on an allowlisted network or who can reach the listener by a route the filter doesn't cover, but they reduce opportunistic exploitation risk while patching is scheduled.
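The following filter shows what those two interim mitigations look like when implemented in front of the Serv-U web listener, for both the vendor workaround described above and the earlier summary of it. It is an added example by the editor, not SolarWinds' or Serv-U's own code: the trusted ranges, the sample requests and the decide() function are all constructed for illustration. It matches the Content-Encoding header name case-insensitively rather than searching for the bare string anywhere in the request, and it fails closed on anything it cannot parse.

```python
"""Reverse-proxy style pre-filter implementing the two interim mitigations
SolarWinds published for CVE-2026-28318: a source-IP allowlist and rejection
of POST requests that carry a Content-Encoding header.

Added example by the editor, not SolarWinds' or Serv-U's own code. The trusted
ranges, the request samples and the decide() API are all assumptions.
"""
import ipaddress

# Assumed trusted ranges; replace with your own.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]


def parse_request_head(raw: bytes):
    """Return (method, target, headers) from a raw HTTP/1.1 request head.

    Header names are lower-cased because HTTP header names are
    case-insensitive; a filter that matches only the literal
    'Content-Encoding' spelling would be trivially bypassed.
    Raises ValueError on a malformed request line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def decide(src_ip: str, raw: bytes) -> tuple:
    """Return ('allow', '') or ('block', reason) for one request.

    The IP check runs first so junk from an untrusted address is dropped
    without being parsed. Anything that fails to parse is blocked (fail closed).
    """
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return ("block", "unparseable source address")
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return ("block", f"{src_ip} not in allowlist")
    try:
        method, _, headers = parse_request_head(raw)
    except ValueError:
        return ("block", "malformed request line")
    # Vendor workaround is scoped to POST; other methods pass through.
    if method == "POST" and "content-encoding" in headers:
        return ("block", f"POST with Content-Encoding: {headers['content-encoding']}")
    return ("allow", "")


# Constructed sample traffic (not captured from a real Serv-U host).
SAMPLES = [
    ("203.0.113.7", b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
                    b"Content-Encoding: deflate\r\nContent-Length: 4\r\n\r\nxxxx"),
    ("203.0.113.7", b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
                    b"content-ENCODING: deflate\r\n\r\n"),        # case variant
    ("203.0.113.7", b"GET /login HTTP/1.1\r\nHost: files.example.com\r\n\r\n"),
    ("198.51.100.9", b"GET /login HTTP/1.1\r\nHost: files.example.com\r\n\r\n"),
    ("203.0.113.7", b"\x16\x03\x01garbage"),                       # not HTTP at all
]


def run_samples():
    """Apply decide() to every sample; returns the list of verdicts."""
    return [decide(ip, raw)[0] for ip, raw in SAMPLES]


if __name__ == "__main__":
    for ip, raw in SAMPLES:
        verdict, why = decide(ip, raw)
        print(f"{ip:14} {verdict:5} {why}")
```

The allowlist check runs before parsing so an unparseable request from an untrusted address never reaches the header logic. Because SolarWinds states that Serv-U does not use request Content-Encoding, rejecting every POST that carries the header should not break legitimate clients; confirm that against your own traffic before enforcing it.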

It’s also worth auditing which Serv-U instances in your environment are actually internet-facing. Given that Shodan indexes over 12,000 exposed servers, a meaningful portion of those are likely reachable in ways their administrators may not have intended or reviewed recently. If Serv-U doesn’t need to be publicly accessible — if it’s serving internal file transfer workflows only — pulling it behind a VPN or firewall rule costs little and removes a large portion of the risk immediately.

The June 19 federal deadline provides a useful internal benchmark even for private-sector organizations. If a U.S. government agency is expected to patch within that window, treating it as an external pressure test for your own remediation cycle is reasonable. CVE-2026-28318 requires no credentials, no user interaction, and no technical sophistication to exploit. That is the kind of vulnerability that shows up in automated scanning toolkits within days of public disclosure, and with exploitation already confirmed, that is where the timeline stands today.