DMZ//THREAT INTEL
HIGH #cve

CVE-2026-28318: CISA KEV-Listed SolarWinds Serv-U Unauthenticated DoS Actively Exploited — 12,000+ Internet-Exposed Instances, FCEB Deadline June 19

CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, confirming active in-the-wild exploitation of an unauthenticated denial-of-service flaw in SolarWinds Serv-U. Attackers can crash the file-transfer service without credentials by sending a specially crafted HTTP POST request using the Content-Encoding: deflate header, forcing uncontrolled resource consumption. Shodan tracks over 12,000 internet-exposed Serv-U instances and the fix — Serv-U 15.5.4 Hotfix 1 — requires a separate hotfix install even for administrators who recently upgraded to 15.5.4. Federal agencies face a June 19 remediation deadline; no threat actor attribution or ransomware linkage has been confirmed, though Serv-U has historically been weaponized by Cl0p and Chinese state actors.
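A log-hunting sketch for the request pattern described above, added here as an example and not taken from the brief's sources. It flags POST requests whose Content-Encoding request header lists deflate and counts how many drew an upstream-failure status from the proxy. The JSON field names and the sample records are constructed assumptions, and a hit is a triage lead, not proof of exploitation.

```python
import json
from collections import defaultdict

# Constructed sample: JSON-lines access log from a reverse proxy in front of
# Serv-U. Field names are assumptions; map them to your proxy's log schema.
SAMPLE_LOG = """\
{"ts":"2026-06-06T02:10:01Z","src":"198.51.100.7","method":"POST","path":"/","req_content_encoding":"deflate","status":502}
{"ts":"2026-06-06T02:10:02Z","src":"198.51.100.7","method":"POST","path":"/","req_content_encoding":"Deflate","status":504}
{"ts":"2026-06-06T02:10:05Z","src":"203.0.113.20","method":"POST","path":"/","req_content_encoding":"","status":200}
{"ts":"2026-06-06T02:10:06Z","src":"203.0.113.21","method":"GET","path":"/","req_content_encoding":"deflate","status":200}
{"ts":"2026-06-06T02:10:07Z","src":"192.0.2.44","method":"post","path":"/","req_content_encoding":"gzip, deflate","status":200}
not-json garbage line
"""

UPSTREAM_FAILURE = {502, 503, 504}  # proxy could not get an answer from Serv-U


def has_deflate(header_value):
    """True if a Content-Encoding request header lists deflate (case-insensitive)."""
    codings = [c.strip().lower() for c in str(header_value or "").split(",")]
    return "deflate" in codings


def flag_deflate_posts(log_text):
    """Return {src: {"hits": n, "upstream_failures": m}} for POSTs with deflate bodies."""
    findings = defaultdict(lambda: {"hits": 0, "upstream_failures": 0})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if not isinstance(rec, dict):
            continue
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if not has_deflate(rec.get("req_content_encoding")):
            continue
        entry = findings[rec.get("src", "unknown")]
        entry["hits"] += 1
        if rec.get("status") in UPSTREAM_FAILURE:
            entry["upstream_failures"] += 1
    return dict(findings)


if __name__ == "__main__":
    for src, f in flag_deflate_posts(SAMPLE_LOG).items():
        print(src, f)
```

Sources with both hits and upstream failures are the ones to correlate first against Serv-U service restarts and the installed hotfix level.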

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.
