Critical SolarWinds Serv-U Vulnerability Exploited: Immediate Patching Urged by CISA

The US cybersecurity agency CISA has added a recently patched SolarWinds Serv-U vulnerability to its Known Exploited Vulnerabilities catalog. This DoS issue allows attackers to crash the service without authentication and affects versions 15.4.2, 15.5, and 15.5.1. All users are urged to apply the hotfix or upgrade to a supported version immediately.

Summary

CISA has escalated concerns over a SolarWinds Serv-U vulnerability by adding it to its Known Exploited Vulnerabilities catalog, indicating active exploitation. The flaw, identified as CVE-2026-28318, allows attackers to perform denial-of-service attacks via specially crafted POST requests without needing authentication. This vulnerability affects versions 15.4.2, 15.5, and 15.5.1 of Serv-U, which have reached End-of-Life status. SolarWinds has released a hotfix in version 15.5.4 Hotfix 1 to address this issue.

What Happened

The vulnerability was disclosed by SolarWinds, which described it as a denial-of-service (DoS) flaw that can be exploited through specially crafted POST requests containing the 'Content-Encoding: deflate' header. This allows attackers to crash the Serv-U service without requiring authentication. The flaw has been addressed in Serv-U 15.5.4 Hotfix 1, and SolarWinds advises all users, including those who recently upgraded to version 15.5.4, to install this hotfix immediately.

Affected Products and Fixed Versions

The vulnerability affects specific versions of the SolarWinds Serv-U product:

  • Affected Versions: 15.4.2, 15.5, 15.5.1
  • Fixed Version: 15.5.4 Hotfix 1

Users of affected versions are advised to upgrade to a supported release as soon as possible.

Exploitation Status

While SolarWinds's advisory does not confirm exploitation in the wild, CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, indicating evidence of active exploitation. It remains unclear who is behind these attacks or whether the vulnerability was exploited as a zero-day.

Indicators of Compromise

The sources provided do not detail specific indicators of compromise (IOCs) for this vulnerability. However, monitoring for unusual POST requests containing the 'Content-Encoding: deflate' header is one possible detection strategy.

Detection Opportunities

Organizations can use network traffic analysis to detect and block suspicious POST requests targeting the Serv-U service. Intrusion detection systems (IDS) configured to alert on such patterns may also help identify exploitation attempts early.
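The hunting check described above can be sketched in Python. This is an added example, not code from SolarWinds, CISA, or the cited sources. The record format (source IP plus raw request head, as a reverse proxy or sensor in front of Serv-U might capture it), the hostnames, and the paths are constructed assumptions. A match is a lead to review, not proof of exploitation.

```python
from collections import Counter

# Constructed sample records (not real traffic): (source IP, raw request head).
SAMPLE = [
    ("198.51.100.7", "POST /upload HTTP/1.1\r\nHost: ftp.example.test\r\n"
                     "Content-Encoding: deflate\r\nContent-Length: 18\r\n\r\n"),
    ("198.51.100.7", "POST /upload HTTP/1.1\r\nHost: ftp.example.test\r\n"
                     "content-encoding:  gzip , DEFLATE\r\n\r\n"),
    ("203.0.113.20", "POST /login HTTP/1.1\r\nHost: ftp.example.test\r\n"
                     "Content-Type: application/json\r\n\r\n"),
    # Accept-Encoding on a GET is ordinary browser behaviour and must not match.
    ("203.0.113.20", "GET /index HTTP/1.1\r\nHost: ftp.example.test\r\n"
                     "Accept-Encoding: gzip, deflate\r\n\r\n"),
]

def parse_head(raw):
    """Return (method, headers); header names lower-cased, repeats joined."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, skip it
        key = name.strip().lower()
        headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return method, headers

def is_suspect(raw):
    """True for a POST whose Content-Encoding list includes 'deflate'."""
    method, headers = parse_head(raw)
    codings = {c.strip().lower()
               for c in headers.get("content-encoding", "").split(",")}
    return method == "POST" and "deflate" in codings

def suspects_by_source(records):
    """Count matching requests per source IP for triage."""
    return Counter(src for src, raw in records if is_suspect(raw))

if __name__ == "__main__":
    for src, hits in suspects_by_source(SAMPLE).most_common():
        print(f"{src}: {hits} POST request(s) with Content-Encoding: deflate")
```

Header names and coding values are compared case-insensitively and comma-separated coding lists are split, so variants such as `gzip, DEFLATE` are still caught.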

Defender Guidance

  1. Apply the Hotfix: All users should immediately download and install Serv-U 15.5.4 Hotfix 1 from SolarWinds.
  2. Upgrade EoL Versions: Users of versions 15.4.2, 15.5, and 15.5.1 must upgrade to a supported release as these have reached End-of-Life status.
  3. Monitor Network Traffic: Implement monitoring for unusual POST requests with the 'Content-Encoding: deflate' header targeting Serv-U services.

What Remains Unclear

  • The identity of the attackers exploiting this vulnerability remains unknown.
  • It is not confirmed whether the vulnerability was exploited as a zero-day before being patched.

Organizations should remain vigilant and prioritize patching to mitigate potential risks associated with this vulnerability.

Sources

  1. https://www.securityweek.com/solarwinds-patches-exploited-serv-u-vulnerability/
  2. https://www.cisa.gov/news-events/alerts/2026/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -