Summary
- SolarWinds Serv-U CVE-2026-28318 can allow unauthenticated specially crafted POST requests to crash the service.
- CISA has added the vulnerability to its Known Exploited Vulnerabilities catalogue after evidence of active exploitation.
- The issue affects availability rather than direct data theft, but managed file transfer remains a sensitive operational dependency.
SolarWinds customers are being urged to apply a Serv-U hotfix after US cyber authorities added a denial-of-service vulnerability in the file-transfer software to the Known Exploited Vulnerabilities catalogue.
The vulnerability, CVE-2026-28318, affects SolarWinds Serv-U and can allow unauthenticated attackers to crash the service using specially crafted POST requests with the Content-Encoding: deflate header. SolarWinds addressed the issue in Serv-U 15.5.4 Hotfix 1 and has provided mitigation guidance for customers unable to deploy the update immediately.
The US Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalogue after evidence of active exploitation. NVD data lists the issue as an uncontrolled resource consumption vulnerability with a CVSS v3.1 score of 7.5, affecting Serv-U versions before 15.5.4 and the 15.5.4 release without the hotfix.
The technical impact is availability, not direct code execution or confirmed data theft. That distinction matters operationally. Serv-U is used for managed file transfer, FTP, FTPS, SFTP, and web-based file exchange. In many organisations, file-transfer services sit behind regulated workflows, supplier exchanges, legal transfers, healthcare data movement, financial operations, software distribution, or business-to-business integration.
A denial-of-service flaw in that layer can disrupt more than a single application. File-transfer systems often provide the connective tissue between internal systems and third parties. They may move batch files, reports, claims, invoices, clinical data, engineering packages, customer exports, or operational records. When those services become unavailable, downstream processes can fail even if no data has been stolen.
The SolarWinds name carries a long shadow in cyber risk governance, although this vulnerability is materially different from the 2020 Orion supply chain compromise. Treating every SolarWinds advisory as the same type of incident would be inaccurate. Widely deployed infrastructure software, particularly when internet-facing and operationally important, still attracts rapid attention once a vulnerability becomes known.
Managed file transfer remains a high-sensitivity category after repeated attacks against products such as MOVEit and GoAnywhere. Those campaigns involved different vulnerabilities and different impact, but they changed how boards, insurers, and regulators view file-transfer infrastructure. Systems that were once seen as back-office utilities now sit inside supplier-risk, data-transfer, and operational-resilience discussions.
Remediation work should begin with identifying Serv-U deployments, confirming whether 15.5.4 Hotfix 1 is applied, prioritising internet-facing systems, restricting exposure where feasible, and reviewing logs for unusual crashes or POST requests matching the vulnerable condition. Where organisations cannot quickly answer whether they run Serv-U, or whether suppliers run it on their behalf, the issue becomes an asset-management and third-party assurance problem.
European and UK organisations are not directly bound by CISA’s federal remediation rules, but the KEV catalogue has become a practical prioritisation signal beyond the US public sector. Vulnerabilities listed there are known to be exploited, and many enterprise patching programmes use KEV status as a trigger for accelerated remediation.
Availability belongs inside cyber resilience. Not every exploited vulnerability leads to ransomware or data theft. Some create service failure at points where business processes, regulated transfers, and supplier dependencies are concentrated. In those environments, denial of service can still become a material operational event.





