Critical Vulnerability

CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw

CISA warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. [...]

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318, a high-severity denial-of-service (DoS) vulnerability in SolarWinds Serv-U, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. SolarWinds patched the flaw earlier this year, but CISA’s addition signals that threat actors are now weaponizing it to crash Serv-U servers hosting file transfer operations.

Why It Matters

This is the latest in a pattern of attackers targeting file transfer software - a category that suffered widespread compromises in 2023 and 2024 (GoAnywhere MFT, MOVEit Transfer). The Serv-U product is used across government, defense, healthcare, and enterprise environments for secure file transfers. A denial-of-service attack that crashes the service can halt critical data pipelines, disrupt business continuity, and - given that the flaw is being actively exploited - act as a precursor to follow-on attacks.

While CVE-2026-28318 is rated as high severity, not critical, its inclusion in the KEV catalog is a strong signal: CISA considers exploitation of DoS flaws in enterprise file transfer software as a threat requiring immediate action. Federal civilian agencies must patch by the binding operational directive deadline.

Technical Details

CVE-2026-28318 is an unauthenticated denial-of-service vulnerability in the SolarWinds Serv-U multi-protocol file server. Attackers can trigger a server crash by sending a specially crafted HTTP POST request to a listening Serv-U instance. No authentication, user interaction, or complex chaining is required. The crash disrupts all active file transfers until the service is manually restarted.

The vulnerability affects all Serv-U versions prior to the patch released in February 2026. SolarWinds has not publicly disclosed the exact component or function that fails, but the crash appears to result from insufficient input validation on POST request parameters.

Indicators of exploitation include:

  • Unexpected Serv-U service termination events in Windows Event Logs (source: SolarWinds Serv-U service)
  • Network logs showing sustained malformed POST requests to Serv-U HTTP/HTTPS ports (default: 4390, 443)
  • Clients experiencing “connection reset” errors during file transfers
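As an added example (not part of this advisory, and not SolarWinds or CISA tooling), the following Python script turns the two log-based indicators above into one correlation check: it looks for sustained POST traffic to the Serv-U HTTP/HTTPS ports from a single source, looks for unexpected Serv-U service termination events, and reports a source whose POST burst is followed by a crash within a few minutes. The access-log and event-log line formats, the sample addresses and timestamps, and the 20-POSTs-per-minute threshold are all constructed assumptions; real Serv-U, proxy or Windows event exports will need their own parsers in place of the two regexes.

```python
"""Correlate the CVE-2026-28318 indicators named above over constructed log lines.

Two feeds are scanned:
  * access-style lines: sustained POST requests to Serv-U ports (4390, 443)
  * Windows-event-style lines: unexpected Serv-U service terminations
A POST burst followed shortly by a termination is reported as a hit.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Serv-U HTTP/HTTPS ports named in the indicator list (defaults 4390 and 443).
SERVU_PORTS = {4390, 443}

# Constructed access-log layout (an assumption, not Serv-U's own log format):
#   "<ISO timestamp> <client ip> <method> <destination port> <http status>"
ACCESS_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<port>\d+) (?P<status>\d{3})$"
)

# Constructed event-log layout (an assumption):
#   "<ISO timestamp> <event source> <message>"
EVENT_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<msg>.+)$")


def _ts(text):
    return datetime.fromisoformat(text)


def post_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: time_threshold_was_reached} for sources that sent at least
    `threshold` POSTs to Serv-U ports inside a sliding window of `window`.
    Lines are assumed to be in chronological order per source."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    bursts = {}
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m or m["method"] != "POST" or int(m["port"]) not in SERVU_PORTS:
            continue
        t = _ts(m["ts"])
        q = recent[m["src"]]
        q.append(t)
        while q and t - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in bursts:
            bursts[m["src"]] = t
    return bursts


def service_terminations(lines):
    """Return timestamps of unexpected Serv-U service termination messages."""
    found = []
    for line in lines:
        m = EVENT_LOG_RE.match(line)
        if m and "Serv-U" in m["source"] and "terminated unexpectedly" in m["msg"]:
            found.append(_ts(m["ts"]))
    return found


def correlate(access_lines, event_lines, lag=timedelta(minutes=5)):
    """Pair each POST burst with the first Serv-U crash that follows it within `lag`.
    Returns a list of (src_ip, burst_time, crash_time) tuples."""
    crashes = service_terminations(event_lines)
    hits = []
    for src, burst_time in post_bursts(access_lines).items():
        for crash_time in crashes:
            if burst_time <= crash_time <= burst_time + lag:
                hits.append((src, burst_time, crash_time))
                break
    return hits


def _sample_access_lines():
    """Constructed sample: one noisy source, one normal client (not real traffic)."""
    base = datetime(2026, 3, 1, 12, 0, 0)
    lines = []
    # 25 POSTs in 25 seconds to port 4390, all rejected with HTTP 400.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 POST 4390 400")
    # A normal client: a POST and a GET per minute over five minutes.
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 192.0.2.10 POST 443 200")
        lines.append(f"{(base + timedelta(minutes=i, seconds=30)).isoformat()} 192.0.2.10 GET 443 200")
    return lines


SAMPLE_ACCESS_LINES = _sample_access_lines()
SAMPLE_EVENT_LINES = [  # constructed event lines, not real Windows events
    "2026-03-01T11:59:00 Service_Control_Manager The Print Spooler service entered the running state.",
    "2026-03-01T12:00:45 SolarWinds_Serv-U The Serv-U service terminated unexpectedly.",
]

if __name__ == "__main__":
    for src, burst_time, crash_time in correlate(SAMPLE_ACCESS_LINES, SAMPLE_EVENT_LINES):
        print(f"POST burst from {src} at {burst_time} followed by Serv-U crash at {crash_time}")
```

The burst detector counts every POST to a Serv-U port rather than trying to judge whether a request was malformed, because an access log rarely records enough of the body to tell; the signal that matters for this indicator is the pairing of unusual POST volume with a service termination. Tune `threshold` and `window` against the normal upload rate of your own clients before alerting on the burst alone.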

Immediate Risk

Risk is elevated for any organization running unpatched SolarWinds Serv-U versions. Because the exploit requires no credentials and is trivial to execute, the barrier to weaponization is low. Any threat actor - from hacktivists to ransomware groups - can crash a Serv-U server and disrupt operations.

For organizations in critical infrastructure or with regulatory compliance obligations (HIPAA, PCI DSS, NERC CIP), a DoS incident may constitute a reportable security event. CISA’s KEV designation also carries compliance implications for federal contractors and partners.

Security Insight

The lesson here is that DoS vulnerabilities in enterprise software are not “noise” to be deprioritized. While security teams often triage DoS bugs below RCE flaws, attackers increasingly use service crashes as operational disruption tools - or as preparatory steps to launch more damaging attacks while defenders are distracted by restoring services. Organizations should treat KEV-listed DoS vulnerabilities with the same urgency as RCE bugs, especially when they impact internet-facing file transfer infrastructure.
