The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical vulnerability in the SolarWinds Serv-U file transfer software. This flaw, identified as CVE-2026-28318, is now part of the Known Exploited Vulnerabilities (KEV) catalog due to active exploitation by threat actors. The vulnerability allows attackers to crash the service using specially crafted HTTP requests without any need for authentication, posing a significant risk to organizations.
CVE-2026-28318 is categorized as an Uncontrolled Resource Consumption flaw (CWE-400), where the application fails to limit resource allocation properly in response to incoming input. Attackers can exploit this by sending a malicious POST request with a Content-Encoding: deflate HTTP header, causing the system to consume excessive resources and crash. This attack vector is particularly concerning as it requires no privileges and can be executed remotely over the network, making it an ideal initial-access method for malicious actors.
CISA included this vulnerability in the KEV catalog on June 5, 2026, and set a remediation deadline of June 19, 2026, for all Federal Civilian Executive Branch (FCEB) agencies. Under Binding Operational Directive 22-01, federal agencies are required to address vulnerabilities listed in the KEV within the given timeframe. Although it is unclear if this vulnerability has been used in ransomware attacks, CISA advises all organizations to prioritize addressing this issue due to ongoing exploitation.
SolarWinds has released a hotfix for this vulnerability in Serv-U version 15.5.4 Hotfix 1. Organizations operating earlier versions should apply this patch immediately to mitigate the risk. The advisory can be found on the SolarWinds Trust Center, with comprehensive technical details available through the National Vulnerability Database (NVD) entry for CVE-2026-28318. Security teams are encouraged to review these resources for the most current patch guidance.