CISA: How SolarWinds Serv-U Vulnerability CVE-2026-28318 Crashes Servers


CISA: Hackers Now Exploit SolarWinds Serv-U Flaw to Crash Servers

Managed File Transfer (MFT) servers are critical infrastructure, expected to handle sensitive data reliably. CISA recently added a new SolarWinds Serv-U vulnerability to its Known Exploited Vulnerabilities Catalog; the flaw allows unauthenticated attackers to crash the server with a single request.

This is a straightforward denial-of-service (DoS) flaw, observed in active attacks.

Technical Details: SolarWinds Serv-U Vulnerability CVE-2026-28318

A DoS vulnerability, CVE-2026-28318, affects SolarWinds Serv-U, the company's file transfer software for Windows and Linux, which provides both MFT and FTP server capabilities. The vulnerability stems from uncontrolled resource consumption.

The attack chain is straightforward: an attacker sends a specially crafted POST request to a Serv-U server, utilizing the Content-Encoding: deflate header. When Serv-U attempts to process this malformed request, the service enters a resource consumption loop, leading to a crash. This attack aligns with MITRE ATT&CK technique T1499 (Resource Exhaustion), where an adversary consumes system resources to cause a denial of service.

This low-complexity attack requires no authentication or special privileges, allowing any actor to take the file transfer service offline. While data integrity is maintained, the service's availability is lost, and all transfer operations halt.

The Broader Impact of the SolarWinds Serv-U Vulnerability

Serv-U has been a consistent target. A path-traversal flaw (CVE-2024-28995) was exploited recently, and in 2021 the Clop ransomware gang and Chinese state-backed hackers (DEV-0322) exploited a remote code execution zero-day (CVE-2021-35211). SolarWinds products have accumulated 11 CISA-tagged actively exploited vulnerabilities.

This DoS vulnerability immediately disrupts operations. Businesses relying on Serv-U for internal transfers, partner exchanges, or customer uploads will see those operations cease. CISA's Binding Operational Directive (BOD) 22-01 mandates that federal agencies patch this by June 19, a deadline that highlights CISA's serious assessment of the risk.

With over 12,000 Serv-U servers identified online by Shodan and more than 3,100 by Shadowserver, the exposure to this SolarWinds Serv-U vulnerability is substantial. This large number of exposed servers presents a significant attack surface for such a low-complexity DoS.


Mitigating the SolarWinds Serv-U Vulnerability Risk

SolarWinds has released Serv-U 15.5.4 Hotfix 1. For current Serv-U deployments, applying this patch is the primary mitigation.

If immediate patching is not feasible, interim mitigations include:

  • Network Access Control: Restrict network access to the Serv-U server to known, trusted IP addresses. While this does not prevent an attacker already within the network, it significantly reduces external exposure.
  • WAF/Edge Blocking: Implement rules at the network edge or on a web application firewall (WAF) to block any POST request containing "content-encoding". This directly defends against the exploit at the protocol level.
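
The WAF/edge rule above, written as the decision function an inline proxy or WAF plug-in could call. This is an added example, not SolarWinds or CISA code; the function names, host name and sample requests are constructed. It matches the header name case-insensitively and fails closed on request heads it cannot parse.

```python
# Added example: decision logic for the "block POST with Content-Encoding" rule.
# Names, host and sample requests are constructed for illustration.

def should_block(raw_head: bytes) -> bool:
    """True if the request head is a POST with any Content-Encoding header.

    raw_head is the request line plus headers. Input that cannot be parsed
    is blocked (fail closed), since the filter cannot vouch for it.
    """
    # Accept CRLF or bare LF so odd line endings cannot sidestep the match.
    lines = raw_head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return True  # malformed request line
    # Compare case-insensitively in case the backend is lenient about methods.
    if parts[0].upper() != b"POST":
        return False  # the rule only targets POST
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        if line[:1] in (b" ", b"\t"):
            return True  # obsolete line folding: parsers disagree, reject
        name, sep, _value = line.partition(b":")
        if not sep:
            return True  # header line without a colon
        # Header names are case-insensitive; tolerate stray whitespace.
        if name.strip().lower() == b"content-encoding":
            return True
    return False


HOST = b"Host: mft.example.test\r\n"  # constructed host name
SAMPLES = {
    "post_deflate": b"POST /upload HTTP/1.1\r\n" + HOST
    + b"Content-Encoding: deflate\r\nContent-Length: 0\r\n\r\n",
    "post_odd_case": b"POST /upload HTTP/1.1\r\n" + HOST
    + b"content-ENCODING : gzip\r\n\r\n",
    "post_plain": b"POST /login HTTP/1.1\r\n" + HOST
    + b"Content-Type: application/json\r\n\r\n",
    "get_request": b"GET / HTTP/1.1\r\n" + HOST + b"\r\n",
}


def verdicts() -> dict:
    """Run every constructed sample through the filter."""
    return {name: should_block(head) for name, head in SAMPLES.items()}
```

Because the rule rejects every POST that declares a Content-Encoding, any legitimate client that compresses request bodies is also refused while the rule is in place.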

While these measures offer temporary protection, applying the official patch is the definitive solution.


Persistent SolarWinds Serv-U Vulnerability Patterns

This latest Serv-U vulnerability highlights how even simple flaws can have significant operational impact. The ease with which critical infrastructure like a file transfer server can be crashed unauthenticated demands a re-evaluation of perimeter defenses and patching schedules.

The persistent pattern of exploitation against Serv-U necessitates a proactive security posture. Organizations should treat these systems as high-value targets, prioritizing consistent patching and implementing network-level controls to intercept attacks before they reach the service. Given Serv-U's track record of recurring vulnerabilities, relying solely on the application's built-in defenses is no longer a viable strategy.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.