High | Exploited Vulnerabilities | CVE-2026-28318

Active Exploitation of High-Severity SolarWinds Serv-U Flaw Urges Immediate Remediation

SolarWinds Serv-U is under active exploitation due to a high-severity vulnerability (CVE-2026-28318) that allows attackers to crash the service without authentication. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging organizations to prioritize remediation. SolarWinds has released mitigation steps and a hotfix to address the issue.

Summary

CISA has recently updated its Known Exploited Vulnerabilities (KEV) Catalog by adding CVE-2026-28318, a vulnerability affecting SolarWinds Serv-U. This vulnerability allows attackers to crash the service using specially crafted POST requests without needing authentication. The CVSS score of 7.5 indicates high severity, primarily due to the potential for denial-of-service attacks. CISA's Binding Operational Directive (BOD) 22-01 requires federal agencies to remediate such vulnerabilities promptly. While this directive applies specifically to Federal Civilian Executive Branch (FCEB) agencies, CISA advises all organizations to act swiftly in addressing these vulnerabilities.

What Happened

SolarWinds Serv-U contains a vulnerability that allows attackers to crash the service by sending specially crafted POST requests with the "Content-Encoding: deflate" header. This issue was added to CISA's KEV Catalog on June 5, 2026. The vulnerability does not require authentication for exploitation, making it particularly dangerous and easy to exploit.

Technical Details

The vulnerability is a flaw in how Serv-U handles HTTP POST requests that include the "Content-Encoding: deflate" header. This allows attackers to crash the service without needing any credentials or additional permissions. SolarWinds has provided detailed mitigation steps, including configuring web access firewalls to block such requests and applying a hotfix for affected versions.

Affected Products and Fixed Versions

The vulnerability affects Serv-U versions 15.5.4 and below. SolarWinds has released Serv-U 15.5.4 Hotfix 1 to address this issue. Customers using the affected versions are advised to apply this hotfix immediately.

Exploitation Status

CISA's addition of CVE-2026-28318 to its KEV Catalog confirms active exploitation by malicious actors. This underscores the urgency for organizations to implement mitigation measures and apply available patches.

Indicators of Compromise

While specific indicators of compromise (IOCs) are not detailed in the sources, organizations should monitor for unusual POST requests containing "Content-Encoding: deflate" headers targeting their Serv-U installations.

Detection Opportunities

Organizations can detect potential exploitation attempts by configuring their web access firewalls to log and alert on POST requests with "Content-Encoding: deflate". This proactive measure can help identify and block malicious traffic before it impacts the service.
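
The log-and-alert check described above can be tried offline against exported proxy or firewall logs. The following Python is an added example, not code from SolarWinds, CISA or this article's sources; the JSON-lines schema (`src`, `method`, `headers`) and the sample records are constructed assumptions. It returns `alert` for POST requests whose Content-Encoding includes deflate and `review` for any other Content-Encoding on a POST, the broader pattern the mitigation steps block.

```python
import json
from collections import Counter

# Constructed sample; the JSON-lines schema is an assumed proxy/WAF layout, not Serv-U's log format.
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","headers":{"Content-Encoding":"deflate"}}
{"src":"192.0.2.10","method":"POST","headers":{"Accept-Encoding":"gzip, deflate"}}
{"src":"198.51.100.7","method":"post","headers":{"content-encoding":"gzip, DEFLATE"}}
{"src":"192.0.2.44","method":"POST","headers":{"Content-Encoding":"gzip"}}
{"src":"203.0.113.9","method":"POST","headers":{"Content-Enc
"""

def content_codings(headers):
    """Lower-cased codings from every Content-Encoding header (header names are case-insensitive)."""
    codings = []
    for name, value in (headers.items() if isinstance(headers, dict) else []):
        if name.strip().lower() == "content-encoding":
            joined = ",".join(map(str, value)) if isinstance(value, list) else str(value)
            codings += [c.strip().lower() for c in joined.split(",") if c.strip()]
    return codings

def classify(record):
    """'alert': POST carrying deflate; 'review': POST with any other Content-Encoding; else None."""
    if str(record.get("method", "")).upper() != "POST":
        return None
    codings = content_codings(record.get("headers"))
    if "deflate" in codings:
        return "alert"
    return "review" if codings else None

def scan(lines):
    """Return (findings, alert count per source, number of unparseable lines)."""
    findings, skipped = [], 0
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            skipped += 1  # truncated or non-JSON line: count it and keep scanning
            continue
        level = classify(record)
        if level:
            findings.append((lineno, level, record.get("src")))
    alerts_by_src = Counter(src for _, lvl, src in findings if lvl == "alert")
    return findings, alerts_by_src, skipped

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```

Accept-Encoding, which benign clients send routinely, is deliberately not matched; only the request's own Content-Encoding header counts.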

Mitigation Steps

SolarWinds recommends several mitigation steps:

  • Configure web access firewalls to block POST requests containing "content-encoding".
  • Apply Serv-U 15.5.4 Hotfix 1 to affected installations.
  • Regularly review firewall logs for suspicious activity related to this vulnerability.

What Remains Unclear

While the sources provide detailed information on the vulnerability and mitigation steps, they do not specify which organizations have been targeted or the extent of the exploitation. Additionally, there is no mention of any specific malware associated with this attack vector.

Defender Guidance

Defenders should prioritize applying Serv-U 15.5.4 Hotfix 1 to all affected installations. They should also configure their web access firewalls to block POST requests containing "content-encoding" and monitor logs for any suspicious activity. Regularly reviewing and updating security configurations will help mitigate the risk of exploitation.

Proof of Concept

A working proof-of-concept is published at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28318. This resource provides detailed information on how the vulnerability can be exploited and tested.

Sources

  1. https://www.cisa.gov/news-events/alerts/2026/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
  2. https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28318
  3. https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4-hotfix-1_release_notes.htm
  4. https://www.cve.org/CVERecord?id=CVE-2026-28318
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -