SolarWinds Serv-U DoS Flaw Actively Exploited, CISA Warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly exploited SolarWinds Serv-U vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, signaling active targeting of organizations running vulnerable versions of the managed file transfer platform.

The vulnerability, tracked as CVE-2026-28318, does not allow attackers to remotely execute code or escalate privileges. Instead, it enables unauthenticated attackers to crash affected servers through specially crafted requests, creating a denial-of-service (DoS) condition that can disrupt critical business operations.

Adding the vulnerability to the KEV Catalog is an important reminder that cybersecurity risks extend beyond data theft and system compromise. Availability remains a fundamental pillar of information security, and attackers continue to exploit weaknesses that can disrupt services, even when they cannot directly gain control of a target system.

SolarWinds disclosed CVE-2026-28318 as a vulnerability affecting Serv-U Managed File Transfer and Serv-U Secure FTP products. According to the vendor, the flaw stems from uncontrolled resource consumption triggered by malformed POST requests. An unauthenticated attacker can exploit the vulnerability remotely, causing the Serv-U process to terminate unexpectedly and potentially rendering file transfer services unavailable.

The vulnerability received a CVSS score of 7.5, placing it within the high-severity category. Unlike many actively exploited vulnerabilities that focus on confidentiality or integrity impacts, CVE-2026-28318 primarily affects system availability. Successful exploitation can interrupt file transfer operations and potentially affect organizations that rely on Serv-U for mission-critical data exchanges.

SolarWinds addressed the vulnerability with Serv-U version 15.5.4 Hotfix 1 and urged customers to immediately upgrade affected systems. The vendor's security advisory notes that the flaw impacts multiple Serv-U deployments and recommends applying the latest available fixes without delay to eliminate exposure.

While vendors regularly publish security advisories, the security community pays particular attention when CISA adds a vulnerability to the KEV Catalog. Inclusion in the catalog indicates that CISA has confirmed evidence of active exploitation in the wild.

According to reporting from BleepingComputer, attackers have already begun exploiting CVE-2026-28318 against vulnerable Serv-U installations. The observed activity involves malicious requests designed to crash target servers, creating service interruptions without requiring authentication.

The exploitation trend demonstrates a growing reality facing defenders. Attackers increasingly target vulnerabilities that provide operational impact even when they do not immediately lead to system compromise. Service disruptions can damage productivity, interrupt supply chains, delay customer transactions, and create opportunities for follow-on attacks while security teams focus on restoring affected services.

For organizations that depend on managed file transfer systems to move sensitive information between business units, partners, customers, or government agencies, even temporary outages can create significant operational consequences.

Why CISA Added the Vulnerability to the KEV Catalog

CISA maintains the KEV Catalog as a centralized repository of actively exploited vulnerabilities. The catalog helps organizations prioritize remediation efforts by distinguishing between theoretical risks and vulnerabilities that attackers are actively weaponizing. According to CISA, organizations should use the KEV Catalog as a critical input into vulnerability management and patch prioritization programs.

On June 5, 2026, CISA added CVE-2026-28318 to the catalog after confirming active exploitation. The agency's action immediately elevated the vulnerability's priority across federal networks and sent a clear warning that remediation should not wait.

The decision reflects a broader trend in vulnerability management. Security teams often face thousands of disclosed vulnerabilities each year, making it impossible to address every issue immediately. The KEV Catalog helps organizations focus resources on vulnerabilities that present the highest real-world risk because attackers are already exploiting them. When a vulnerability enters the catalog, it effectively moves from a potential threat to a confirmed threat.

The addition of CVE-2026-28318 to the KEV Catalog also activates requirements established under CISA's Binding Operational Directive (BOD) 22-01.

Issued to reduce risk across Federal Civilian Executive Branch agencies, BOD 22-01 requires federal organizations to identify and remediate vulnerabilities listed in the KEV Catalog within prescribed deadlines. The directive was created in response to repeated incidents in which known vulnerabilities remained unpatched long after fixes became available, providing attackers with easily exploitable entry points.

Under the directive, federal agencies must either remediate affected systems or remove vulnerable products from operation before the assigned deadline. For CVE-2026-28318, agencies have been directed to address the vulnerability by June 19, 2026, leaving little time to act.

Although BOD 22-01 applies specifically to federal agencies, private-sector organizations frequently use the KEV Catalog and associated remediation timelines as guidance for their own vulnerability management programs. Many security teams view KEV inclusion as a practical indicator that a vulnerability should receive immediate attention regardless of formal regulatory requirements.

Availability-focused vulnerabilities often receive less attention than flaws enabling ransomware deployment, credential theft, or remote code execution. However, the operational consequences of service disruptions can be severe.

Modern organizations increasingly rely on automated file transfer systems to support business-critical workflows. Financial institutions exchange transaction data, healthcare providers transfer patient information, manufacturers share operational files, and government agencies move sensitive records across distributed environments.

When these services become unavailable, organizations may experience:

  • Delayed business operations and transaction processing
  • Interruptions to partner and supplier communications
  • Reduced employee productivity
  • Increased operational recovery costs
  • Potential compliance and contractual issues

The exploitation of CVE-2026-28318 illustrates how attackers can create significant disruption without breaching a network or stealing data. In some scenarios, a successful denial-of-service attack may serve as a distraction while threat actors pursue additional objectives elsewhere in the environment.

For security leaders, this reality underscores the importance of evaluating vulnerabilities by operational impact rather than focusing solely on confidentiality risks.

Organizations running SolarWinds Serv-U should immediately assess their exposure and determine whether affected versions are still deployed in their environments. Security teams should prioritize remediation efforts now based on the vulnerability's active exploitation status.

Key defensive actions include:

  • Upgrade to SolarWinds Serv-U 15.5.4 Hotfix 1 or later.
  • Review internet-facing Serv-U deployments for exposure.
  • Restrict access to Serv-U services where operationally feasible.
  • Monitor logs for unusual POST request activity targeting Serv-U servers.
  • Incorporate KEV Catalog monitoring into vulnerability management processes.
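Two of the actions above, the version check and the POST-volume log review, as an added Python example that is not from the article, CISA, or SolarWinds: the log layout, paths, addresses, and the burst threshold are constructed assumptions, and it flags request volume only, not the malformed request itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed build named in the advisory: Serv-U 15.5.4 Hotfix 1.
FIXED_VERSION = (15, 5, 4, 1)

def parse_servu_version(text):
    """'Serv-U 15.5.4 Hotfix 1' or '15.5.3' -> comparable tuple; no hotfix = 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\s*Hotfix\s*(\d+))?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def needs_patch(version_text):
    """True when the host is still on a build older than 15.5.4 Hotfix 1."""
    return parse_servu_version(version_text) < FIXED_VERSION

# Constructed log lines in a hypothetical CLF-like layout; real Serv-U logs differ.
LOG_LINE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+)[^"]*" (\d{3})')
SAMPLE_LOG = [
    f'203.0.113.9 [05/Jun/2026:10:00:{i:02d}] "POST /api/upload HTTP/1.1" 400'
    for i in range(25)
] + [
    '198.51.100.4 [05/Jun/2026:10:00:05] "POST /api/upload HTTP/1.1" 200',
    '198.51.100.4 [05/Jun/2026:10:00:09] "GET /api/files HTTP/1.1" 200',
]

def post_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """{ip: peak count} for sources sending more than `threshold` POSTs in any `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines that do not fit the layout
        ip, ts, method = m.group(1), m.group(2), m.group(3)
        if method.upper() == "POST":
            by_ip[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits > threshold:
                flagged[ip] = max(hits, flagged.get(ip, 0))
    return flagged
```

Feed `needs_patch` the version strings from your asset inventory and `post_bursts` your own access logs after adjusting `LOG_LINE` to their layout.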

Organizations should also review broader asset inventories to ensure managed file transfer systems are included in routine vulnerability scanning and patch management workflows.

Karolis Liucveikis
