CISA added a critical SolarWinds Serv-U flaw, CVE-2026-28318, to its Known Exploited Vulnerabilities catalog on June 5, 2026, with a remediation deadline of June 19 for federal agencies.
The vulnerability lets unauthenticated attackers crash Serv-U file transfer software remotely by sending a malicious POST request with a Content-Encoding: deflate header — no credentials required. That zero-privilege, network-accessible attack path makes it especially dangerous for organizations with Serv-U exposed to the internet.
SolarWinds has released a fix in version 15.5.4 Hotfix 1. All organizations should patch immediately, restrict Serv-U exposure behind a firewall or VPN, and monitor logs for suspicious POST requests.
Source: Cybersecurity News
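As a sketch of the log monitoring recommended above, the following added example (not from SolarWinds, CISA or the source article) flags POST requests carrying `Content-Encoding: deflate` and notes whether a backend outage followed. It assumes a hypothetical reverse proxy in front of Serv-U that writes JSON access-log lines including the request's Content-Encoding header; the field names, the 60-second window and the sample lines are all constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: JSON access-log lines from a hypothetical reverse proxy
# in front of Serv-U that records each request's Content-Encoding header.
SAMPLE_LOG = """\
{"ts":"2026-06-06T10:00:01","src":"198.51.100.7","method":"GET","uri":"/","status":200,"content_encoding":""}
{"ts":"2026-06-06T10:00:05","src":"203.0.113.9","method":"POST","uri":"/","status":502,"content_encoding":"Deflate"}
{"ts":"2026-06-06T10:00:09","src":"198.51.100.7","method":"GET","uri":"/","status":502,"content_encoding":""}
{"ts":"2026-06-06T10:05:00","src":"198.51.100.8","method":"POST","uri":"/","status":200,"content_encoding":"gzip"}
not-json garbage line
{"ts":"2026-06-06T10:30:00","src":"203.0.113.20","method":"post","uri":"/","status":200,"content_encoding":"gzip, deflate"}
"""

OUTAGE_STATUSES = {502, 503, 504}  # proxy could not reach the backend
WINDOW = timedelta(seconds=60)     # assumed correlation window

def parse(lines):
    """Yield well-formed records; skip lines that are not usable JSON objects."""
    for line in lines:
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec
        except (ValueError, KeyError, TypeError):
            continue

def is_deflate_post(rec):
    """True for a POST whose Content-Encoding list includes deflate (any case)."""
    codings = [c.strip().lower() for c in str(rec.get("content_encoding", "")).split(",")]
    return str(rec.get("method", "")).upper() == "POST" and "deflate" in codings

def find_suspicious(log_text):
    """Return one alert per deflate-encoded POST, noting any backend outage
    seen within WINDOW of it (a possible sign the service went down)."""
    records = sorted(parse(log_text.splitlines()), key=lambda r: r["ts"])
    alerts = []
    for i, rec in enumerate(records):
        if not is_deflate_post(rec):
            continue
        outage = any(r.get("status") in OUTAGE_STATUSES
                     for r in records[i:] if r["ts"] - rec["ts"] <= WINDOW)
        alerts.append({"ts": rec["ts"].isoformat(), "src": rec.get("src"),
                       "uri": rec.get("uri"), "outage_followed": outage})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Legitimate clients may also send deflate-encoded request bodies, so an alert without a following outage is a lead to review rather than proof of exploitation.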