CISA Warns of Active Exploitation of SolarWinds Serv-U DoS Flaw
CISA warned that attackers are actively exploiting SolarWinds Serv-U vulnerability CVE-2026-28318, a recently patched high-severity denial-of-service flaw in the company's managed file transfer and FTP server software for Windows and Linux. The bug can be triggered through low-complexity, unauthenticated POST requests—reported to include the Content-Encoding: deflate header—causing the Serv-U service to crash through uncontrolled resource consumption. CISA has added the issue to its Known Exploited Vulnerabilities catalog and directed Federal Civilian Executive Branch agencies to remediate by June 19 under Binding Operational Directive 22-01.
SolarWinds said the flaw is fixed in Serv-U 15.5.4 Hotfix 1, while CISA urged private-sector organizations to apply mitigations immediately or discontinue use if mitigations are unavailable. Reporting also noted that thousands of Serv-U servers remain exposed online, expanding the potential attack surface. The warning comes amid a broader pattern of SolarWinds Serv-U exploitation, with earlier campaigns tied to the Clop ransomware gang, DEV-0322 Chinese threat actors, and abuse of prior Serv-U vulnerabilities.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-28318 to KEV and sets June 19 remediation deadline
CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to remediate the flaw under Binding Operational Directive 22-01. The deadline given to federal agencies was June 19, and CISA also urged private-sector organizations to apply mitigations quickly.
CISA warns CVE-2026-28318 is being actively exploited
CISA warned that attackers are actively exploiting CVE-2026-28318 in SolarWinds Serv-U to crash vulnerable servers. The agency said the denial-of-service issue can be exploited with low-complexity, unauthenticated POST requests.
SolarWinds fixes Serv-U vulnerability CVE-2026-28318
SolarWinds released Serv-U 15.5.4 Hotfix 1 to fix CVE-2026-28318, a high-severity denial-of-service flaw caused by uncontrolled resource consumption. The bug affects Serv-U managed file transfer and FTP server software on Windows and Linux and can be triggered with crafted unauthenticated POST requests.
Sources
CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog (thehackernews.com)
CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks (cybersecuritynews.com)
Serv-U Vulnerability Alert: CVE-2026-28318 Exploitation (securityonline.info)
Hackers actively exploit SolarWinds Serv-U flaw to crash servers, CISA warns | brief | SC Media (scworld.com)
CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers (bleepingcomputer.com)


