Breach Horizon
vulnerabilities

SolarWinds Serv-U CVE-2026-28318: Patch Now

Breach Horizon EditorialJun 7, 20265 min readReviewed by Laurens Vanhaecke

What's Happening With SolarWinds Serv-U CVE-2026-28318

CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on June 5, 2026, with a federal compliance deadline of June 19, 2026. If you're running SolarWinds Serv-U anywhere in your environment — as an MSP, an SMB, or an enterprise IT shop — stop reading the intro and start planning your patch window.

Here's the short version: an unauthenticated attacker can send a single specially crafted POST request to your Serv-U instance and crash the service. No credentials required. No prior access needed. Just network reachability and one malformed request.


The Vulnerability in Plain Terms

SolarWinds Serv-U is a managed file transfer (MFT) platform used heavily by MSPs and SMBs for secure file sharing, SFTP/FTP/FTPS services, and web-based file access. It's network-facing by design, which makes this class of vulnerability particularly painful.

CVE-2026-28318 is classified as CWE-400: Uncontrolled Resource Consumption. The vulnerability lives in how Serv-U processes POST requests that include the Content-Encoding: deflate header. When the service receives a specially crafted payload using that header, it fails to properly bound the resource consumption during decompression or processing — and crashes.

The technical impact is a denial-of-service (DoS). The service goes down. File transfers stop. Users get locked out. Automated processes that depend on Serv-U break.

What makes this worse than a typical DoS:

  • No authentication required. The attacker doesn't need an account, stolen credentials, or any prior foothold.
  • Single request. This isn't a volumetric attack requiring sustained traffic. One request can take down the service.
  • Repeatable. Once an attacker discovers the service is up and knows the endpoint, they can keep crashing it as fast as it restarts.
  • Network-exposed target. Serv-U is almost always internet-facing or at minimum accessible from untrusted network segments.

CISA's KEV listing notes the ransomware campaign use as "Unknown," but that shouldn't lower your urgency. DoS against MFT infrastructure is a documented tactic for disrupting operations, extorting uptime, or creating cover noise during a broader intrusion. SolarWinds as a vendor has been a persistent high-value target since the 2020 supply chain compromise, and threat actors actively probe SolarWinds products.


Who Is Affected

The vulnerability affects SolarWinds Serv-U prior to the patched version. The fix is documented in the Serv-U 15.5.4 Hotfix 1 release notes.

You're in scope if:

  • You host a Serv-U instance for internal file transfers
  • You manage Serv-U deployments for clients (MSPs, this means you)
  • Serv-U is exposed to the internet or to any network segment you don't fully control
  • You're running Serv-U in a DMZ or as a customer-facing portal

If you've already deployed 15.5.4 Hotfix 1, verify it using the steps in the next section. If you're not sure what version you're running, check before you assume you're clean.


Immediate Actions: What to Do Right Now

1. Identify All Serv-U Instances

Before you patch anything, know what you have. This sounds obvious but in MSP environments especially, Serv-U instances get stood up and forgotten.

  • Query your RMM for any machines with Serv-U installed
  • Check your asset inventory and CMDB
  • Scan your network for services listening on default Serv-U ports: 22 (SFTP), 21 (FTP), 443/8443 (HTTPS web client), 990 (FTPS)
  • If you manage cloud-hosted Serv-U instances, check those too — BOD 22-01 guidance applies

2. Apply the Patch

The fix is Serv-U 15.5.4 Hotfix 1. Go to the SolarWinds Trust Center advisory for CVE-2026-28318 for direct download links and official guidance.

Steps:

  • Download the hotfix from your SolarWinds customer portal or the trust center advisory
  • Review the release notes before applying — confirm any service restart requirements
  • Apply during a maintenance window if possible, but don't wait weeks for a window; schedule something in the next 48-72 hours
  • Restart the Serv-U service as directed
  • Verify the running version in the Serv-U management console under Help > About

3. Restrict Network Access While You Patch

If you can't patch immediately, reduce the attack surface:

  • Firewall rules: Restrict inbound access to Serv-U to only known, trusted IP ranges. If external users need access, consider temporarily routing through a VPN
  • WAF/reverse proxy: If Serv-U sits behind a WAF or reverse proxy, add a rule to block or inspect POST requests with Content-Encoding: deflate headers. This is a temporary mitigation, not a fix — it can be bypassed and it doesn't address the underlying vulnerability
  • Monitoring: Alert on service crashes and unexpected restarts for the Serv-U service. If you see repeated crashes before you patch, treat it as an active incident

Verification After Patching

Don't just apply and forget. Confirm the patch took:

  • Check the version in Help > About in the Serv-U management console — it should reflect 15.5.4 Hotfix 1
  • Review Serv-U service logs for any errors post-patch
  • Run a quick connectivity test from a client to confirm FTP/SFTP/HTTPS services are operational
  • If you have a vulnerability scanner (Tenable, Qualys, Rapid7, etc.), run a targeted scan against the patched instances and confirm CVE-2026-28318 no longer flags

For MSPs: What to Tell Your Clients

If you manage Serv-U for clients, the conversation is straightforward:

  • Inform them there's a CISA KEV-listed vulnerability with an unauthenticated crash vector
  • Tell them you're patching during the next available window (ideally within 72 hours)
  • If they push back on urgency, point them to the CISA KEV listing — federal agencies had until June 19 to patch, and CISA doesn't add things to that list for fun
  • Document the patching action in your ticketing system with the CVE number, version before/after, and timestamp

If a client refuses patching, get it in writing and document your recommendation clearly. At that point you've done your job; the liability question is on them.


Broader Context: SolarWinds and MFT Platforms Are Targeted Infrastructure

This isn't the first time SolarWinds Serv-U has shown up in a critical advisory. In 2021, CVE-2021-35211 was a zero-day exploited by a nation-state actor targeting Serv-U specifically. MFT platforms in general have become a recurring target — MOVEit (CVE-2023-34362), GoAnywhere, Accellion FTA — because they sit at the perimeter, hold sensitive file data, and are network-accessible by design.

The pattern for MFT vulnerabilities is consistent:

  • Discovery or public disclosure
  • Rapid exploitation, often within days
  • Data theft, DoS, or use as an initial access point for deeper intrusion

CVE-2026-28318 is "only" a DoS today. But a crashed file transfer service creates operational disruption, and operational disruption creates pressure — the kind of pressure that makes organizations make bad decisions quickly. Don't give attackers that lever.


Quick Reference

Patch it. Verify it. Move on.

See what attackers see — before they do.

Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.