Overview
- CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation, and directed Federal Civilian Executive Branch agencies to fix affected systems by June 19.
- SolarWinds released Serv-U 15.5.4 Hotfix 1 on June 4–5 to address an uncontrolled resource consumption bug that allows specially crafted POST requests using Content-Encoding: deflate to crash the Serv-U service without authentication.
- The vulnerability can be triggered by low-complexity, unauthenticated requests that require no user interaction, so defenders are urged to apply the patch immediately or use the recommended mitigations, such as limiting access to trusted addresses and blocking POST requests that carry a Content-Encoding header.
- Internet scan platforms report thousands of Serv-U instances exposed online, with Shodan showing over 12,000 and Shadowserver reporting just over 3,100, though there is no public count of how many remain unpatched or have been compromised.
- Attribution and the scale of successful attacks remain unclear, but past Serv-U flaws were abused by ransomware and state-linked actors, so the KEV listing signals elevated risk to file-transfer operations, and exploitation could cause service disruptions while defenders respond.