ADVISORY SUMMARY
CISA added CVE-2026-28318 (CVSS 7.5) to its Known Exploited Vulnerabilities catalog on June 5, 2026, confirming active in-the-wild exploitation of an uncontrolled resource consumption flaw in SolarWinds Serv-U file transfer software. Unauthenticated attackers can crash the Serv-U service by sending a specially crafted POST request using the Content-Encoding: deflate HTTP header, with no credentials required. The vulnerability is significant given Serv-U's history of exploitation by ransomware groups (including Cl0p) and nation-state actors, and FCEB agencies must remediate by June 19, 2026.
AFFECTED SYSTEMS
MITIGATION GUIDANCE
Apply SolarWinds Serv-U 15.5.4 Hotfix 1 immediately — this is the only complete fix. As a compensating control, block all HTTP requests containing the 'Content-Encoding' header at the WAF/perimeter layer, as the vulnerable Serv-U service does not require this functionality. Limit network access to Serv-U to known trusted IP ranges. Place Serv-U behind a VPN or reverse proxy with strong authentication where operationally feasible. Users on EoL versions (15.4.2, 15.5, 15.5.1) must upgrade to a supported branch before applying HF1.
DETECTION SIGNATURES
Review Serv-U service logs for repeated unexplained service crashes and restarts. Monitor for incoming POST requests with 'Content-Encoding: deflate' headers targeting the Serv-U HTTP listener. Alert on Serv-U process termination events (Windows Event ID 7034/7036 for service stops). Deploy IDPS signatures targeting malformed deflate-encoded POST payloads to Serv-U listener ports (typically TCP 443/8443/22/21). Check the SolarWinds Trust Center advisory for any updated IOCs.
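One way to combine the first three checks above, as an added example that is not part of the original advisory or any SolarWinds tooling: it flags POST requests whose Content-Encoding lists deflate and correlates them with service-stop times. The access-log format (a reverse proxy in front of Serv-U that records the request's Content-Encoding header), the sample lines, and the stop timestamps are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed reverse-proxy access log lines (assumed format, not Serv-U's own):
# ISO timestamp, client IP, "METHOD path", status, ce="<Content-Encoding request header>"
ACCESS_LOG = """\
2026-06-06T10:14:58 198.51.100.23 "GET /" 200 ce="-"
2026-06-06T10:15:02 203.0.113.7 "POST /" 502 ce="deflate"
2026-06-06T10:15:03 203.0.113.7 "POST /" 502 ce="Deflate"
2026-06-06T10:20:41 198.51.100.23 "POST /" 200 ce="-"
2026-06-06T11:02:10 192.0.2.44 "POST /" 200 ce="gzip, deflate"
"""

# Constructed service-stop times, e.g. exported from Windows Event ID 7034 records.
SERVICE_STOPS = ["2026-06-06T10:15:04"]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) ce="(?P<ce>[^"]*)"$'
)

def deflate_posts(log_text):
    """Return (timestamp, ip) for every POST whose Content-Encoding lists deflate."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # Content-Encoding is a comma-separated, case-insensitive token list.
        codings = {c.strip().lower() for c in m["ce"].split(",")}
        if "deflate" in codings:
            hits.append((datetime.fromisoformat(m["ts"]), m["ip"]))
    return hits

def correlate(hits, stops, window_s=60):
    """Map each service stop to client IPs that sent a deflate POST shortly before it."""
    window = timedelta(seconds=window_s)
    result = {}
    for stop in stops:
        t = datetime.fromisoformat(stop)
        ips = sorted({ip for ts, ip in hits if timedelta(0) <= t - ts <= window})
        result[stop] = ips
    return result

if __name__ == "__main__":
    hits = deflate_posts(ACCESS_LOG)
    print("deflate POSTs:", [(ts.isoformat(), ip) for ts, ip in hits])
    print("stops preceded by deflate POSTs:", correlate(hits, SERVICE_STOPS))
```

A stop with an empty list had no deflate POST in the preceding window and needs a different explanation; a stop with client IPs listed is a candidate for the access restrictions in the mitigation guidance.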
REFERENCES
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318
- https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-28318