CVE-2026-28318: SolarWinds Serv-U Flaw Exploited

June 7, 2026 00:03 · 10 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. This vulnerability, tracked as CVE-2026-28318, stems from an uncontrolled resource consumption weakness in Serv-U, the company's Windows and Linux file transfer software.

Vulnerability Details

SolarWinds Serv-U offers Managed File Transfer (MFT) and FTP server capabilities, allowing users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP. Remote attackers without privileges can exploit the vulnerability in low-complexity attacks that don't require user interaction. According to SolarWinds, Serv-U is susceptible to specially crafted POST requests using Content-Encoding: deflate, which crash the Serv-U service without authentication.

Mitigations and Recommendations

SolarWinds released Serv-U 15.5.4 Hotfix 1 to patch this denial-of-service vulnerability. The company advises admins who can't immediately deploy the patch to limit access to known addresses and to block any POST request containing "content-encoding," since the vulnerable Serv-U service does not require this functionality. CISA has flagged this vulnerability as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog, ordering all Federal Civilian Executive Branch agencies to patch their servers against ongoing attacks by June 19, as mandated by Binding Operational Directive (BOD) 22-01.

While BOD 22-01 applies only to U.S. government agencies, CISA also urged all network defenders, including the private sector, to secure their networks against ongoing CVE-2026-28318 attacks as soon as possible. The agency warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
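The two interim mitigations described above (restrict sources to known addresses, reject any POST that carries a Content-Encoding header) can be expressed as a single filtering decision. The following is an added example, not SolarWinds or CISA code; the allowlist range, host name, paths and sample requests are constructed placeholders, and the sketch assumes the filter sees the raw HTTP/1.x request head before it reaches Serv-U.

```python
import ipaddress

# Assumption: placeholder allowlist (RFC 5737 documentation range), not from the advisory.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_head(raw: bytes):
    """Return (method, {lower-cased header name: value}) from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    # Upper-casing the method fails closed if the backend is lenient about case.
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # strip() also catches "Content-Encoding : x" style spacing tricks.
            headers[name.strip().lower()] = value.strip()
    return method, headers

def decide(src_ip: str, raw: bytes) -> str:
    """Apply both interim mitigations; return 'allow' or a 'deny:<reason>' string."""
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_NETS):
        return "deny:source-not-allowlisted"
    method, headers = parse_head(raw)
    # Block on header presence, whatever its value: the guidance is to block any
    # POST containing content-encoding, since Serv-U does not require it.
    if method == "POST" and "content-encoding" in headers:
        return "deny:post-with-content-encoding"
    return "allow"

# Constructed sample requests (request line and headers only, no bodies).
SAMPLES = [
    ("203.0.113.10", b"POST /upload HTTP/1.1\r\nHost: ftp.example.test\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.10", b"POST /upload HTTP/1.1\r\nHost: ftp.example.test\r\ncontent-ENCODING: deflate\r\n\r\n"),
    ("203.0.113.10", b"GET / HTTP/1.1\r\nHost: ftp.example.test\r\nContent-Encoding: gzip\r\n\r\n"),
    ("198.51.100.7", b"GET / HTTP/1.1\r\nHost: ftp.example.test\r\n\r\n"),
]

def run_samples():
    return [decide(ip, raw) for ip, raw in SAMPLES]

if __name__ == "__main__":
    for (ip, raw), verdict in zip(SAMPLES, run_samples()):
        print(ip, raw.split(b"\r\n", 1)[0].decode(), "->", verdict)
```

The header match is case-insensitive and ignores the header's value, so variants such as `content-ENCODING` are rejected the same way as `Content-Encoding: deflate`.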

Previous Exploitation of Serv-U Vulnerabilities

In recent years, multiple cybercrime and state-backed hacking groups have targeted vulnerabilities in Serv-U to steal sensitive corporate and customer data. For instance, the Clop ransomware gang exploited a Serv-U remote code execution vulnerability (CVE-2021-35211) to breach corporate networks in a 2021 campaign. DEV-0322 Chinese hackers also deployed CVE-2021-35211 exploits in zero-day attacks starting in July 2021. More recently, in June 2024, cybersecurity companies GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited.

Over the past several years, CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks, one of which has also been abused by ransomware gangs. The Internet intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed online, and Internet security watchdog Shadowserver just over 3,100, but there is no information on how many have already been patched.

Conclusion

The exploitation of the SolarWinds Serv-U flaw highlights the importance of prompt patching and mitigation of vulnerabilities. Network defenders should prioritize securing their networks against ongoing CVE-2026-28318 attacks and follow applicable BOD 22-01 guidance for cloud services. By taking proactive measures, organizations can reduce the risk of falling victim to malicious cyber actors and protect their sensitive data.


Source: BleepingComputer
