Technical description
CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, 2026. SolarWinds Serv-U (a managed file transfer server) is susceptible to specially crafted, unauthenticated POST requests that use 'Content-Encoding: deflate' and crash the Serv-U service, an uncontrolled resource consumption (CWE-400) flaw. The bug enables remote, unauthenticated denial of service against internet-facing file transfer infrastructure. SolarWinds Serv-U is used by enterprises for partner file exchange, financial data transfer, compliance workflows, and automated data pipelines.
Attack vector
An unauthenticated remote attacker sends a crafted POST request with 'Content-Encoding: deflate' to the Serv-U service. No credentials, prior access, or user interaction are required. Active exploitation has been confirmed.
Affected systems
SolarWinds Serv-U, all versions prior to 15.5.4 Hotfix 1, including the Serv-U 15.5.4 baseline (pre-hotfix). SolarWinds Serv-U is widely deployed in enterprise, healthcare, financial services, and government environments.
Mitigation
Apply SolarWinds Serv-U 15.5.4 Hotfix 1 immediately. Federal civilian agencies are required to remediate by June 19, 2026 per BOD 22-01. If patching is not immediately possible, SolarWinds has published interim mitigation steps in its Trust Center advisory. Consider restricting unauthenticated POST access at the network layer as a temporary control.
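While the hotfix is being rolled out, defenders will want to know whether the POST-with-deflate traffic described in the attack vector is reaching their Serv-U hosts. The following is an added example, not code from SolarWinds or CISA: it scans access-log lines from a reverse proxy in front of Serv-U and flags POST requests whose Content-Encoding request header contains a deflate coding, then counts repeat sources. The log format, the nginx-style logging of the header, and all sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed log format (an assumption, not SolarWinds' or Serv-U's own format): a reverse
# proxy in front of Serv-U writes one line per request as
#   <client_ip> [<timestamp>] "<METHOD> <path>" <status> "<Content-Encoding request header>"
# nginx would produce this with a log_format that includes $http_content_encoding.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<enc>[^"]*)"$'
)

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def codings(header):
    """Split a Content-Encoding value into its individual codings, lower-cased.
    HTTP allows a comma-separated list, so 'gzip, deflate' still counts."""
    return [c.strip().lower() for c in header.split(",") if c.strip()]

def is_suspect(rec):
    """A POST carrying a deflate content coding matches the advisory's vector."""
    return rec["method"] == "POST" and "deflate" in codings(rec["enc"])

def scan(lines, threshold=3):
    """Return (suspect records, {ip: count}) for IPs with >= threshold suspect POSTs."""
    suspects = [r for r in map(parse, lines) if r and is_suspect(r)]
    counts = Counter(r["ip"] for r in suspects)
    return suspects, {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample traffic; the addresses, paths and header values are made up.
SAMPLE_LOG = """\
203.0.113.7 [05/Jun/2026:10:00:01 +0000] "POST /api/upload" 200 "deflate"
203.0.113.7 [05/Jun/2026:10:00:02 +0000] "POST /api/upload" 200 "gzip, deflate"
203.0.113.7 [05/Jun/2026:10:00:03 +0000] "POST /api/upload" 502 "DEFLATE"
198.51.100.4 [05/Jun/2026:10:00:05 +0000] "GET /" 200 "-"
198.51.100.4 [05/Jun/2026:10:00:06 +0000] "POST /login" 200 "gzip"
garbage line that does not parse
"""

if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG.splitlines())
    for r in hits:
        print(f"{r['ip']} {r['ts']} {r['method']} {r['path']} status={r['status']} enc={r['enc']}")
    print("sources at/above threshold:", noisy)
```

A proxy 502 following a run of such requests is the symptom a crashed backend would leave in the same log, so the status field is kept in each flagged record for correlation.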