CISA adds SolarWinds Serv-U DoS to KEV, orders patches

CISA added CVE-2026-28318, a high-severity denial-of-service flaw in SolarWinds Serv-U, to its KEV list and ordered federal agencies to remediate by June 19, 2026.

The U.S. Cybersecurity and Infrastructure Security Agency added a high-severity vulnerability in SolarWinds Serv-U to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw is tracked as CVE-2026-28318 and carries a CVSS score of 7.5.

SolarWinds’ advisory describes the issue as uncontrolled resource consumption that can crash the Serv-U service. The vendor notes the server is vulnerable to “specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate.”

SolarWinds released a patch in Serv-U version 15.5.4 HF1 to address the flaw.

CISA directed Federal Civilian Executive Branch agencies to remediate the vulnerability by June 19, 2026. The agency’s KEV entry indicates active exploitation but does not identify which federal systems are affected or how many internet-facing Serv-U instances may be compromised.

SolarWinds and CISA recommend immediate mitigations for organizations that cannot apply the update. Administrators are advised to restrict Serv-U access to known addresses and to block requests containing the “Content-Encoding” header, because the affected service does not require that functionality.

There are no public technical details on exploit techniques or on the identity of attackers. Past vulnerabilities in Serv-U have been exploited in ransomware campaigns, including incidents attributed to the Cl0p group.

Organizations running Serv-U should verify their software version and apply the 15.5.4 HF1 update when possible, implement network-level access restrictions, and monitor server logs for abnormal POST requests or unexpected service crashes. Federal agencies must meet the June 19 remediation deadline.
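The address restriction, the Content-Encoding block and the log monitoring described above can be checked together in one triage pass over access logs. This Python sketch is an added example, not code from SolarWinds, CISA or the original article. The log format (a reverse proxy in front of Serv-U that records the Content-Encoding request header), the allowlist range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of Serv-U writes one line per request as
#   <client_ip> "<METHOD> <path> <proto>" <status> "<Content-Encoding or ->"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<enc>[^"]*)"$'
)

# Constructed allowlist (documentation range) standing in for "known addresses".
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 "GET /login HTTP/1.1" 200 "-"
198.51.100.7 "POST /upload HTTP/1.1" 502 "deflate"
192.0.2.44 "POST /upload HTTP/1.1" 200 "Deflate"
203.0.113.9 "POST /login HTTP/1.1" 200 "-"
not a log line
"""

def is_allowed(ip_text):
    """True if the client address is inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)

def review(log_text):
    """Return (line_no, ip, reasons) for requests either mitigation would stop."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        reasons = []
        if not is_allowed(m["ip"]):
            reasons.append("source not allowlisted")
        enc = m["enc"].strip().lower()
        if enc not in ("", "-"):
            reasons.append("Content-Encoding header present: " + enc)
        if reasons:
            findings.append((no, m["ip"], reasons))
    return findings

if __name__ == "__main__":
    for no, ip, reasons in review(SAMPLE_LOG):
        print(f"line {no}: {ip}: {'; '.join(reasons)}")
```

A request from an allowlisted address that still carries the header (line 3 of the sample) is reported, which shows why the two mitigations are applied together rather than one in place of the other.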
