
CISA warns Serv-U attackers crash servers via flaw

CISA says hackers are actively exploiting a patched SolarWinds Serv-U vulnerability to crash servers, and is urging rapid fixes before more outages and data-loss incidents follow.

For the third time this week, defenders are being forced to think about the same kind of emergency: not a breach they can’t see, but an exploit they can’t afford to ignore.

Today, the U.S. Cybersecurity and Infrastructure Security Agency warned that hackers are actively exploiting a recently patched high-severity flaw in SolarWinds Serv-U to crash servers.

Serv-U is SolarWinds’ Windows and Linux file transfer software, built for Managed File Transfer (MFT) and FTP server capabilities. It lets organizations securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP.

The specific issue now under pressure is a denial-of-service vulnerability tracked as CVE-2026-28318. SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch it. The company said the flaw stems from an uncontrolled resource consumption weakness.

SolarWinds’ description of the attack is direct: Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. In practice, remote attackers can exploit the security flaw without privileges, using low-complexity attacks that don’t require user interaction.


That “no privileges” detail matters. When a system can be knocked over without credentials, the damage is often immediate—and the recovery work can be brutal for teams trying to keep file transfers running.

SolarWinds also advised administrators who can’t deploy the patch right away to limit access to known addresses and to block any POST request containing “content-encoding,” since the vulnerable Serv-U service does not require this functionality.

The exposure picture is already troubling. The Internet intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed online, while Internet security watchdog Shadowserver tracks just over 3,100. There’s no information available on how many of those systems have already been patched.


CISA’s concern isn’t theoretical. Days after SolarWinds addressed the vulnerability, CISA flagged it as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog. It also ordered all Federal Civilian Executive Branch agencies to patch their Serv-U servers against ongoing attacks by June 19, as mandated by Binding Operational Directive (BOD) 22-01.

BOD 22-01 applies only to U.S. government agencies, but CISA is urging network defenders everywhere to act. The agency said all network defenders—including those in the private sector—should secure their networks against ongoing CVE-2026-28318 attacks as soon as possible.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. It also instructed teams to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


CISA’s broader history with SolarWinds flaws adds weight to the warning. In recent years, multiple cybercrime and state-backed hacking groups have targeted vulnerabilities in Serv-U to steal sensitive corporate and customer data.

One example is the Clop ransomware gang, which exploited a Serv-U remote code execution vulnerability (CVE-2021-35211) to breach corporate networks in a 2021 campaign. DEV-0322 Chinese hackers also deployed CVE-2021-35211 exploits in zero-day attacks starting in July 2021.

More recently, in June 2024, cybersecurity companies GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited.

Over the past several years, CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks, one of which has also been abused by ransomware gangs.

In other words, today’s crash-focused warning sits inside a longer record of exploitation. And with thousands of Serv-U instances still visible on the open internet, the practical question now for administrators is simple: how quickly can they move from patching to safety, before attackers find the unpatched gaps that keep file transfer services under constant pressure?
