CISA Adds SolarWinds Serv-U DoS Flaw to KEV Catalog

- CISA added CVE-2026-28318, a high-severity SolarWinds Serv-U denial-of-service flaw with a CVSS score of 7.5, to its Known Exploited Vulnerabilities catalog citing active exploitation.
- SolarWinds described the bug as an uncontrolled resource consumption vulnerability triggered by specially crafted POST requests using `Content-Encoding: deflate`, which crash the Serv-U service without authentication.
- SolarWinds shipped a fix in Serv-U version 15.5.4 HF1 and recommended limiting access to known addresses and blocking any request containing a `content-encoding` header, which the service does not require.
- CISA gave Federal Civilian Executive Branch agencies until June 19, 2026 to remediate the flaw, with no public details on threat actors, exploitation scale, or number of exposed instances.
- SolarWinds Serv-U has a history of exploitation by threat actors associated with the Cl0p ransomware gang, making the lack of authentication and prior attacker interest a notable combination for defenders.

Why it matters: CISA is forcing federal agencies to act on a no-auth DoS flaw in a file-transfer product already targeted by ransomware groups, and the `content-encoding` mitigation is something any organization running Serv-U can apply immediately while scheduling the patch.
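The two interim mitigations SolarWinds recommends (source allowlisting and dropping any request that carries a `content-encoding` header) plus a log check for the POST pattern described above, as an added example that is not part of the original article or of SolarWinds' own guidance. The allowlist networks, the proxy-log format and the sample log lines are all constructed placeholders.

```python
import ipaddress
import re
from typing import Iterable, Mapping, Optional

# Placeholder allowlist of known client networks (assumption; replace with your own).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("10.0.0.0/8")]

def should_block(src_ip: str, headers: Mapping[str, str],
                 allowed=ALLOWED_SOURCES) -> Optional[str]:
    """Return the reason a request should be rejected before it reaches Serv-U, or None."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return "unparseable source address"
    if not any(ip in net for net in allowed):
        return "source not in allowlist"
    # HTTP header names are case-insensitive, so normalise before comparing;
    # a rule that matches only the exact spelling "content-encoding" misses the rest.
    for name, value in headers.items():
        if name.lower() == "content-encoding":
            return f"content-encoding header present ({value})"
    return None

# Constructed proxy-log format (assumption): ts src "METHOD path HTTP/x" status ce=<value|->
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) ce=(?P<ce>\S+)$')

def find_suspect_requests(lines: Iterable[str]) -> list:
    """Flag POSTs that carried a Content-Encoding header, the request shape the advisory describes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["ce"] != "-":
            hits.append({"ts": m["ts"], "src": m["src"], "path": m["path"],
                         "encoding": m["ce"].lower(), "status": int(m["status"])})
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2026-05-20T10:01:02Z 203.0.113.5 "GET / HTTP/1.1" 200 ce=-',
    '2026-05-20T10:01:09Z 198.51.100.7 "POST / HTTP/1.1" 500 ce=deflate',
    '2026-05-20T10:01:10Z 198.51.100.7 "POST / HTTP/1.1" 502 ce=Deflate',
    '2026-05-20T10:02:30Z 10.4.2.9 "POST / HTTP/1.1" 200 ce=-',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Requests that fail `should_block` with the content-encoding reason are the ones the proxy should drop; a 5xx status following such a POST in `find_suspect_requests` output is the crash signature worth alerting on.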