Skip to content
You can now search across every topic, entity and event.What's new
Serv-U
ProductUS

Serv-U

SolarWinds Serv-U is a managed file-transfer and FTP server product whose CVE-2026-28318 denial-of-service flaw in versions up to 15.5.4 was patched in Hotfix 1.

Last refreshed: 14 June 2026 · Appears in 1 active topic

Key Question

Why is a denial-of-service flaw in a file-transfer server flagged as a ransomware risk?

Timeline for Serv-U

#75 Jun

Received a hotfix in version 15.5.4 Hotfix 1 for the actively exploited denial-of-service flaw

Cybersecurity: Threats and Defences: SolarWinds Serv-U back on KEV list
View full timeline →
Follow Cybersecurity: Threats and Defences
Common Questions
How do I patch the Serv-U CVE-2026-28318 vulnerability?
Upgrade to SolarWinds Serv-U 15.5.4 Hotfix 1 or later. The hotfix was released to address CVE-2026-28318 before the CISA federal deadline of 19 June 2026.Source: SolarWinds / CISA KEV
What is CVE-2026-28318 in SolarWinds Serv-U?
CVE-2026-28318 is an unauthenticated denial-of-service vulnerability in Serv-U 15.5.4 and earlier. An attacker sends a crafted HTTP POST with a malformed deflate header, crashing the service. CISA listed it in the KEV catalogue on 5 June 2026 with a ransomware-exploitation risk flag.Source: CISA KEV
Why does SolarWinds keep appearing on the CISA KEV list?
SolarWinds products are widely deployed in government and enterprise environments, making them high-value targets. Serv-U has had previous KEV entries including CVE-2021-35247, and the vendor's prominence after the 2020 supply-chain compromise means new flaws receive heightened scrutiny.Source: CISA

Background

Serv-U is SolarWinds' managed file-transfer and FTP server product, widely deployed in enterprise and government environments for secure file exchange. In June 2026, CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalogue with a 19 June federal remediation deadline. The flaw, affecting Serv-U versions 15.5.4 and earlier, allows an unauthenticated attacker to crash the service by sending a crafted HTTP POST request with a malformed deflate header. SolarWinds shipped a fix in Serv-U 15.5.4 Hotfix 1, though the KEV entry carries a specific ransomware-exploitation risk flag.

CVE-2026-28318 is a denial-of-service flaw rather than a code-execution vulnerability; its KEV inclusion with a ransomware flag suggests exploitation may be used for service disruption as a precursor to or complement of a ransomware deployment, forcing failover or degrading Incident Response capability. Serv-U has appeared in the KEV list previously: SolarWinds patched CVE-2021-35247 and related Serv-U flaws after active exploitation in 2021, and the product has been a recurring target owing to its prevalence in environments that handle regulated data.

For organisations running SolarWinds Serv-U, upgrading to 15.5.4 Hotfix 1 or later is the complete remediation. Given SolarWinds' prominence following the 2020 supply-chain compromise, any new KEV entry on SolarWinds products draws elevated scrutiny from federal security teams.