CISA Warns of Active Exploitation of SolarWinds Serv-U Vulnerability

June 30, 2026 | Vulnerability Alert

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are actively exploiting a recently patched vulnerability in SolarWinds Serv-U, a widely used managed file transfer and FTP server solution. The flaw, tracked as CVE-2026-28318, allows unauthenticated attackers to send specially crafted requests that can crash vulnerable servers, resulting in a denial-of-service (DoS) condition.

Vulnerability Details

SolarWinds Serv-U is deployed across thousands of organizations globally, making this vulnerability a significant concern for the cybersecurity community. The flaw lies in how the server processes specially crafted HTTP requests with specific content-encoding headers, and it allows remote attackers to crash the service without authentication.

CVE ID: CVE-2026-28318
Severity: High (DoS condition)
Attack Vector: Network (unauthenticated)
Affected Software: SolarWinds Serv-U versions prior to 15.5.4 Hotfix 1

Remediation Steps

SolarWinds has addressed the issue in Serv-U version 15.5.4 Hotfix 1 and has urged organizations to apply the update immediately. The vendor recommends the following actions:

  • Priority Action: Update all Serv-U installations to version 15.5.4 Hotfix 1 or later
  • Network Segmentation: Restrict access to Serv-U servers to only authorized users and networks
  • WAF Rules: Block malicious POST requests that use the affected content-encoding feature
  • Monitoring: Implement intrusion detection system (IDS) rules to identify exploit attempts
  • Logging: Enable detailed logging on Serv-U servers to track suspicious activity

Temporary Workarounds

For environments where patching is not yet possible, the following workarounds can help reduce risk:

  • Implement rate limiting on Serv-U ports to reduce DoS impact
  • Deploy a reverse proxy or load balancer to filter malicious requests
  • Restrict inbound access using firewall rules to known IP addresses only
  • Monitor CPU and memory usage for signs of DoS attacks

Why This Matters

With thousands of Serv-U servers still exposed online, security teams should prioritize remediation efforts. This is an active threat that is being exploited in the wild, making it critical to address without delay. Organizations should:

  • Conduct an inventory of all Serv-U installations across their environment
  • Assess the exposure level of each server to the internet
  • Develop an expedited patching plan with clear timelines
  • Test patches in a staging environment before production deployment
  • Communicate the timeline to stakeholders and executives
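
The inventory, exposure and patch-planning steps above can be turned into a simple triage queue. The following is an added example, not SolarWinds or CISA tooling: the host names and inventory rows are constructed, and the version-string formats it accepts ("15.5.4", "15.5.4 Hotfix 1", "15.5.4 HF1") are assumptions about how an asset inventory records Serv-U builds.

```python
import re
from typing import NamedTuple, Optional

# Fixed release named in the advisory: Serv-U 15.5.4 Hotfix 1.
FIXED = (15, 5, 4, 1)

# Assumed inventory formats: "15.5.4", "15.5.4 Hotfix 1", "15.5.4 HF1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:hotfix|hf)\s*(\d+))?\s*$", re.IGNORECASE
)

class Host(NamedTuple):
    name: str
    version: str
    internet_facing: bool

def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch, hotfix), or None if the string is unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def status(host: Host) -> str:
    """Classify a host; unparseable versions are never assumed to be patched."""
    v = parse_version(host.version)
    if v is None:
        return "unknown"
    return "patched" if v >= FIXED else "vulnerable"

def patch_queue(hosts):
    """Hosts needing action: internet-facing first, then vulnerable before unknown."""
    rank = {"vulnerable": 0, "unknown": 1}
    todo = [(h, status(h)) for h in hosts if status(h) != "patched"]
    todo.sort(key=lambda p: (not p[0].internet_facing, rank[p[1]], p[0].name))
    return [(h.name, s, h.internet_facing) for h, s in todo]

# Constructed sample inventory (hypothetical host names).
INVENTORY = [
    Host("sftp-dmz-01", "15.5.4", True),
    Host("sftp-int-02", "15.5.3 Hotfix 2", False),
    Host("sftp-dmz-03", "15.5.4 Hotfix 1", True),
    Host("sftp-int-04", "15.6.0", False),
    Host("sftp-dmz-05", "unknown build", True),
    Host("sftp-int-06", "15.5.4 HF1", False),
]

if __name__ == "__main__":
    for name, state, exposed in patch_queue(INVENTORY):
        print(f"{name:12} {state:10} {'internet-facing' if exposed else 'internal'}")
```

Hosts whose version cannot be parsed stay in the queue as "unknown" so they get a manual check instead of silently dropping out of the patching plan.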

How Threat Hunting Can Help

At Threat Hunting, our SOCaaS platform helps organizations detect and respond to threats like this more efficiently:

  • Threat Intelligence: We track active exploits and provide real-time alerts when CVEs matching your infrastructure are identified
  • Threat Hunting: Our security experts proactively search for signs of exploitation and compromise in your environment
  • Incident Response: If your organization is impacted, our team can assist with rapid response and remediation
  • Vulnerability Management: Integrated scanning helps identify affected systems across your environment
