Active Exploitation of SolarWinds Serv‑U DoS Flaw (CVE‑2026‑28318) Crashes Servers Across Federal and Private Sectors
What Happened — CISA confirmed that threat actors are actively exploiting a high‑severity denial‑of‑service vulnerability (CVE‑2026‑28318) in SolarWinds Serv‑U file‑transfer software. The flaw allows unauthenticated attackers to send specially‑crafted POST requests that crash the service. Over 12 000 Internet‑exposed Serv‑U instances have been identified, and exploitation is already observed in the wild.
Why It Matters for TPRM —
- Unpatched Serv‑U servers can experience abrupt service outages, disrupting critical business processes.
- The vulnerability is being weaponised by both criminal and state‑aligned groups, raising the risk of broader supply‑chain impact.
- Federal directives now mandate patching by June 19 2026, but many private‑sector vendors remain exposed.
Who Is Affected — Organizations that deploy SolarWinds Serv‑U for Managed File Transfer, including federal agencies, MSPs, SaaS providers, and enterprises across finance, healthcare, and manufacturing.
Recommended Actions —
- Verify that all Serv‑U instances are upgraded to version 15.5.4 Hotfix 1 or later.
- If immediate patching is not possible, restrict inbound traffic to known IP ranges and block POST requests containing the “Content‑Encoding” header.
- Conduct a rapid inventory of all exposed Serv‑U servers and assess their exposure to the CVE.
Technical Notes — The flaw stems from uncontrolled resource consumption triggered by a crafted Content‑Encoding: deflate POST request. No authentication is required, and the attack can be launched remotely with low complexity. CVE‑2026‑28318 is catalogued in CISA’s Known Exploited Vulnerabilities list. Source: BleepingComputer