CISA just added another SolarWinds vulnerability to its Known Exploited Vulnerabilities catalog. The move came yesterday. It targets a denial-of-service weakness in Serv-U file transfer software.
Attackers already use it. They send specially crafted POST requests. The Content-Encoding header set to deflate triggers uncontrolled resource consumption. The service crashes. No authentication needed. Simple. Effective.
The flaw carries a CVSS score of 7.5. Not the highest. Yet its presence on the KEV list demands immediate attention. Federal agencies must patch by June 19. Private organizations should follow suit without delay.
Serv-U’s Persistent Headache
SolarWinds Serv-U serves as a multi-protocol file server. Many enterprises rely on it for secure transfers. But the product has faced repeated scrutiny. Earlier this year alone, multiple flaws drew attention. This latest issue, tracked as CVE-2026-28318, affects versions before 15.5.4 Hotfix 1.
The company released the fix in that exact build. Documentation confirms it. SolarWinds release notes detail the update. Administrators who skipped the hotfix now sit exposed.
And exposure matters. File transfer servers often face the internet. They handle sensitive data. A crash might seem minor compared to remote code execution. But repeated outages disrupt operations. They create windows for further intrusion. Attackers probe for weakness. A downed service can mask other activities.
The Hacker News first reported CISA’s addition hours after the alert dropped. Its article captured the core facts. “SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication,” the publication quoted CISA as saying. (The Hacker News, June 6, 2026)
SC Media echoed the warning. Hackers actively exploit the SolarWinds Serv-U flaw to crash servers, its headline declared. The story noted CISA’s mandate for federal patching by mid-June. (SC Media, June 5, 2026)
GBHackers went further. It highlighted that unauthenticated threat actors can remotely crash the service. The site stressed the KEV addition on June 5 and the Binding Operational Directive 22-01 requirements. (GBHackers, June 6, 2026)
Cybersecurity News added context on monitoring. Organizations must verify exact builds. Version checks alone fall short. The hotfix level counts. (Cybersecurity News, June 6, 2026)
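The build check described above, as an added example that is not from SolarWinds or the cited coverage: it compares version and hotfix level together against 15.5.4 Hotfix 1. The inventory string formats, hostnames and the later 15.6.0 build are constructed assumptions.

```python
import re

# First fixed build named in the article: 15.5.4 Hotfix 1.
FIXED = ((15, 5, 4), 1)

# Assumed inventory string shapes: "15.5.4", "15.5.4 Hotfix 1", "15.5.4 HF1",
# "15.5.4.1234 (Hotfix 1)". Real inventory tools may format builds differently.
_VERSION = re.compile(r"(\d+(?:\.\d+)+)")
_HOTFIX = re.compile(r"(?:hotfix|hf)\s*(\d+)", re.IGNORECASE)


def parse_build(text):
    """Return ((major, minor, patch), hotfix) or None if no version is found."""
    m = _VERSION.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))          # "15.5" -> (15, 5, 0)
    hf = _HOTFIX.search(text)
    return tuple(parts), int(hf.group(1)) if hf else 0


def is_vulnerable(text):
    """True if the build predates 15.5.4 Hotfix 1; unparseable counts as True."""
    build = parse_build(text)
    return build is None or build < FIXED


def triage(inventory):
    """Map each host to 'PATCH' or 'ok' from a {host: version_string} dict."""
    return {h: "PATCH" if is_vulnerable(v) else "ok" for h, v in inventory.items()}


# Constructed inventory; hostnames and version strings are illustrative only.
SAMPLE = {
    "sftp-edge-01": "15.5.4",             # right version, missing hotfix
    "sftp-edge-02": "15.5.4 Hotfix 1",
    "sftp-int-03": "Serv-U 15.4.2 HF2",   # older release, its hotfix number is irrelevant
    "sftp-int-04": "15.6.0",              # hypothetical later build, assumed to carry the fix
    "sftp-lab-05": "unknown",             # cannot be verified, so treated as exposed
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:14} {SAMPLE[host]:20} {verdict}")
```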
But this isn’t isolated. SolarWinds products keep appearing in CISA’s catalog. Earlier in 2026, Web Help Desk flaws drew similar scrutiny. One deserialization vulnerability earned a 9.8 score. Microsoft detailed real intrusions. Threat actors gained footholds on exposed instances. They moved laterally. They deployed tools for persistence.
Huntress observed the same pattern across customer environments. Rapid deployment of tunnels and remote tools followed initial access. The incidents underscored a pattern. Internet-facing SolarWinds applications attract attention fast.
So why does Serv-U matter now? The KEV catalog exists for a reason. It reflects confirmed wild exploitation. Not potential. Actual. Defenders gain a prioritized list. They focus resources where attacks already happen.
Yet challenges remain. Many organizations run legacy versions. Upgrades require planning. Downtime windows shrink. Testing patches takes time. Meanwhile attackers don’t wait.
Windows Forum analysts put it plainly. Once cataloged and tied to active exploitation, automated probing follows. Or has already begun. Organizations with strong visibility act quickly. Those without face bigger problems. They can’t even answer basic questions about their exposure.
A crash bug still hands attackers control over availability. It creates denial-of-service conditions on demand. In critical infrastructure or manufacturing, that disruption carries weight.
SolarWinds pointed defenders to its advisory. The company listed affected versions clearly. It urged upgrades. No public exploit code details have surfaced yet. But CISA’s evidence confirms real-world use.
Security teams should inventory Serv-U deployments today. Check internet exposure. Apply the 15.5.4 Hotfix 1 without exception. Monitor for unusual POST traffic. Look for resource spikes that precede crashes.
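One way to run the POST-traffic check above, as an added example rather than vendor or CISA tooling: it flags POST requests carrying Content-Encoding: deflate in reverse-proxy logs and notes whether backend errors followed. The JSON log layout, field names, addresses and 60-second window are constructed assumptions.

```python
import json

WINDOW = 60  # seconds in which an outage after a flagged POST counts as related

# Constructed reverse-proxy log lines (one JSON object per line). Field names
# are an assumption; map them to whatever your proxy or WAF actually records.
SAMPLE_LOG = """\
{"ts": 1000, "src": "198.51.100.7", "method": "GET", "content_encoding": "", "status": 200}
{"ts": 1010, "src": "203.0.113.9", "method": "POST", "content_encoding": "deflate", "status": 200}
{"ts": 1015, "src": "198.51.100.7", "method": "GET", "content_encoding": "", "status": 502}
{"ts": 1020, "src": "198.51.100.8", "method": "GET", "content_encoding": "", "status": 502}
{"ts": 5000, "src": "192.0.2.44", "method": "POST", "content_encoding": "gzip", "status": 200}
{"ts": 6000, "src": "192.0.2.50", "method": "POST", "content_encoding": "Deflate", "status": 200}
"""


def parse(log_text):
    """Parse JSON lines in time order, skipping blank or malformed entries."""
    events = []
    for line in log_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: e["ts"])


def flag_deflate_posts(events, window=WINDOW):
    """Return one finding per POST whose Content-Encoding includes deflate.

    'outage_after' is True when the proxy logged a 502/503 within `window`
    seconds of the request, i.e. the backend likely stopped answering.
    """
    outages = [e["ts"] for e in events if e["status"] in (502, 503)]
    findings = []
    for e in events:
        codings = [c.strip().lower() for c in e.get("content_encoding", "").split(",")]
        if e["method"] == "POST" and "deflate" in codings:
            hit = any(0 <= t - e["ts"] <= window for t in outages)
            findings.append({"ts": e["ts"], "src": e["src"], "outage_after": hit})
    return findings


if __name__ == "__main__":
    for finding in flag_deflate_posts(parse(SAMPLE_LOG)):
        print(finding)
```

Deflate-encoded POSTs can be legitimate, so treat hits as triage leads and weigh the ones followed by an outage first.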
The episode repeats a familiar story for SolarWinds. Its tools remain valuable. They also remain targets. The 2020 supply chain attack still lingers in memory. That history raises the stakes. Every new flaw invites extra scrutiny.
Federal deadlines create momentum. June 19 approaches fast. Agencies that miss it face compliance issues. Private sector leaders watch those mandates. They often align their own timelines accordingly.
Recent X discussions reflect urgency. Cybersecurity professionals shared the alert widely. They stressed patching. They reminded peers that DoS flaws deserve respect when actively exploited.
One theme emerges across coverage. Visibility first. Then speed. Know what you run. Update what you can. Segment where possible. The Serv-U case offers no exception.
CISA’s catalog now exceeds 1,600 entries. Each addition signals real threat activity. Each due date pushes organizations to move. For SolarWinds customers, the message lands clear. Check your Serv-U instances. Patch now. Don’t let a preventable crash become part of a larger incident.

