CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers


https://www.bleepingcomputer.com/news/security/cisa-hackers-now-exploit-solarwinds-serv-u-flaw-to-crash-servers/

Publish Date: 2026-06-05 15:15:00

Source Domain: www.bleepingcomputer.com

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.

Serv-U is the company’s Windows and Linux file transfer software that offers Managed File Transfer (MFT) and FTP server capabilities, which allow users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP.

SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch this denial-of-service vulnerability (tracked as CVE-2026-28318) and said it stems from an uncontrolled resource consumption weakness.


“SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate,” the company said.

Remote attackers can exploit the security flaw without privileges in low-complexity attacks that don’t require user interaction.

SolarWinds also advised admins who can’t immediately deploy the patch to limit access to known addresses and to block any POST request carrying a “content-encoding” header, since the vulnerable Serv-U service does not require this functionality.
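The two interim workarounds above (an allow-list of known source addresses and a block on POST requests that carry a Content-Encoding header) are simple enough to express as a request filter placed in front of the Serv-U HTTP listener. The following is an added example written for this article, not SolarWinds code or a documented Serv-U setting; the allow-listed networks are placeholders, the `decide` function name is my own, and the sample requests are constructed. Header names are compared case-insensitively, since HTTP header names are case-insensitive and a filter that only matches the exact spelling `Content-Encoding` would miss `content-encoding`.

```python
"""
Interim filter matching the SolarWinds-recommended workaround for
CVE-2026-28318: reject POST requests that carry a Content-Encoding header
and admit only known source addresses. Added example, not vendor code.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Placeholder allow-list of networks that legitimately reach the server.
# Replace with the real known addresses when deploying.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),  # documentation range, constructed
]


def is_allowed_source(client_ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """True if the client address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; returns None when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def decide(method: str, headers: Dict[str, str], client_ip: str,
           networks=ALLOWED_NETWORKS) -> Tuple[str, str]:
    """Return ("allow"|"block", reason) for one request.

    Order matters: the source check runs first so that a request from an
    unknown address is rejected before its headers are inspected at all.
    """
    if not is_allowed_source(client_ip, networks):
        return ("block", "source address not in allow-list")
    if method.upper() == "POST" and header_value(headers, "Content-Encoding") is not None:
        # Serv-U does not need request-body encoding, so any POST that
        # declares one is dropped regardless of the encoding named.
        return ("block", "POST with Content-Encoding header (CVE-2026-28318 workaround)")
    return ("allow", "ok")


# Constructed sample requests: (method, headers, client_ip)
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str], str]] = [
    ("GET", {"Host": "files.example.test"}, "10.20.4.9"),
    ("POST", {"Content-Type": "application/json"}, "203.0.113.7"),
    ("POST", {"content-encoding": "deflate"}, "10.20.4.9"),     # workaround hit
    ("POST", {"Content-Type": "text/plain"}, "198.51.100.12"),  # unknown source
    ("GET", {"Content-Encoding": "deflate"}, "10.20.4.9"),      # not a POST
]


def evaluate(requests=SAMPLE_REQUESTS) -> List[str]:
    """Apply decide() to each request and return the list of verdicts."""
    return [decide(method, headers, ip)[0] for method, headers, ip in requests]


if __name__ == "__main__":
    for (method, headers, ip), verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{verdict:5} {method:4} from {ip:15} {decide(method, headers, ip)[1]}")
```

The filter is deliberately narrow: it does not try to detect the crash condition itself, only to enforce the two vendor-recommended restrictions until the hotfix is applied. Once Serv-U 15.5.4 Hotfix 1 is installed, the Content-Encoding block can be lifted; the source allow-list is worth keeping for any file-transfer service that only a known population should reach.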

The Internet intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed online, and Internet security watchdog Shadowserver just over 3,100, but there is no information on how many have already been patched.

Serv-U servers exposed online (Shodan)

Days after SolarWinds addressed the vulnerability, CISA flagged it as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog, ordering all Federal Civilian Executive Branch agencies to patch their servers against ongoing attacks by June 19, as mandated by Binding Operational Directive (BOD) 22-01.

While BOD 22-01 applies only to U.S. government agencies, the cybersecurity agency also urged all network defenders, including the private sector, to secure their networks against ongoing CVE-2026-28318 attacks as…
