The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.
This vulnerability, tracked as CVE-2026-28318, was addressed by SolarWinds in its Serv-U 15.5.4 Hotfix 1 release on Thursday. The patch is crucial for the security of affected systems, and CISA has emphasized that it should be applied immediately.
Serv-U is a Windows and Linux file transfer software developed by SolarWinds, offering Managed File Transfer (MFT) and FTP server capabilities. The vulnerability in question stems from an uncontrolled resource consumption weakness, which can be exploited by remote attackers without privileges in low-complexity attacks that don’t require user interaction.
SolarWinds advised administrators who cannot immediately deploy the patch to limit access to known addresses and block any POST request containing ‘content-encoding,’ since the vulnerable Serv-U service does not require this functionality.
According to Shodan, over 12,000 Serv-U servers are exposed online. However, there is no information on how many of these have already been patched. CISA has flagged the vulnerability as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog.
CISA ordered all Federal Civilian Executive Branch agencies to patch their servers against ongoing attacks by June 19, as mandated by Binding Operational Directive (BOD) 22-01. While BOD 22-01 applies only to U.S. government agencies, CISA urged all network defenders, including the private sector, to secure their networks against ongoing CVE-2026-28318 attacks as soon as possible.
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise, according to CISA. The agency warned that ‘Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.’
In recent years, multiple cybercrime and state-backed hacking groups have targeted vulnerabilities in Serv-U to steal sensitive corporate and customer data. For instance, the Clop ransomware gang exploited a Serv-U remote code execution vulnerability (CVE-2021-35211) to breach corporate networks in a 2021 campaign.
DEV-0322 Chinese hackers also deployed CVE-2021-35211 exploits in zero-day attacks starting in July 2021. More recently, in June 2024, cybersecurity companies GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited.
**Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen. The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.**
**Rules:**
- Keep the article grounded in the supplied draft and source reference.
- Fix weak titles, vague phrasing, and bad structure.
- Ensure the title clearly states the story, not the feed name.
- Keep the article between 400 and 900 words.
- Return JSON only with keys:
title
excerpt
content_markdown
tags
approved
quality_score
notes
- approved must be true or false.
- quality_score must be 1 to 100.
Source: Original article