The short answer. CVE-2026-28318 is a pre-authentication DoS in SolarWinds Serv-U at CVSS 7.5, listed on CISA KEV with a federal patch deadline of June 19, 2026. The fix is Serv-U 15.5.4 Hotfix 1 from the SolarWinds Customer Portal. If you cannot patch this weekend, block inbound POST requests with the Content-Encoding: deflate header at your firewall as an interim mitigation. Active exploitation is confirmed, and the deadline is six days away.

Published · HI Tech Hui · ~6 min read

Why this one is different from a typical DoS bug

Denial-of-service bugs usually sit lower on a patch queue than remote code execution flaws, and reasonably so — a crash is less damaging than an attacker running code on your box. CVE-2026-28318 is the exception. Three factors push it to the top of this week’s list:

  • Active exploitation is confirmed. CISA only adds vulnerabilities to the Known Exploited Vulnerabilities catalog when there is reliable evidence of in-the-wild exploitation. This one was added June 5, 2026 with a federal remediation deadline of June 19, 2026.
  • No authentication required. An attacker only needs to be able to reach your Serv-U HTTP listener. Any Serv-U instance exposed to the internet is in scope.
  • Trigger is trivial. A single crafted POST request with a Content-Encoding: deflate header is enough to crash the service. There is no privileged access, no chained exploit, no complicated payload — meaning opportunistic scanning is cheap and pays off.

For a managed file transfer product, downtime is the damage. Serv-U is how partners, customers, and back-office systems move regulated and operational files in and out of your business. A crash that takes the service offline halts those workflows until someone notices, investigates, and restarts it, and the attacker can simply crash it again the next time they send the request.

What is technically broken

CVE-2026-28318 is classified as an uncontrolled resource consumption (CWE-400) vulnerability. Specially crafted POST requests using the Content-Encoding: deflate HTTP header cause Serv-U to expand the request body in a way that consumes excessive memory or CPU, leading to a service crash. The vulnerability does not require authentication or any prior access; sending the malformed request is enough.

The vendor has been clear about scope and severity. The fix is documented in the SolarWinds security advisories portal, where Serv-U 15.5.4 Hotfix 1 was published in early June 2026. CISA’s addition of CVE-2026-28318 to the KEV catalog on June 5 confirmed active exploitation in the wild and established the 14-day federal remediation window (CISA Alerts and Advisories).

Who is in scope

Two populations need attention right now:

  • Internet-exposed Serv-U servers. Any Serv-U HTTP listener reachable from the public internet is the priority. This includes self-hosted Serv-U in your data center, in colocation, or in a cloud VM behind a permissive security group. The attacker just needs to reach the port.
  • Internal Serv-U servers used as supply-chain transfer points. Even if a Serv-U instance is not directly internet-exposed, a compromised partner workstation or VPN session can deliver the trigger. Internal servers are not first-priority, but they are not exempt.

If you are not sure whether you run Serv-U, check with your finance, legal, healthcare, or operations teams. Managed file transfer products often get installed for a single regulated workflow and then quietly outlive the project that justified them.

The patch and verification plan

  1. Inventory. List every Serv-U installation in your environment. Note version, build number, IP address, and whether each listener is reachable from the internet.
  2. Download Hotfix 1. Log in to the SolarWinds Customer Portal and download Serv-U 15.5.4 Hotfix 1. If you are still on an earlier 15.5.x version, upgrade to 15.5.4 first, then apply the hotfix.
  3. Apply and restart. Install the hotfix following the vendor instructions and restart the Serv-U service. Confirm the build number after restart matches the hotfix version SolarWinds documents.
  4. Verify externally. From an outside vantage point, confirm the Serv-U HTTP listener still responds normally for legitimate traffic and that crafted exploit requests no longer crash the service.
  5. Hunt for prior exploitation. Pull the last 30 days of Serv-U application and system logs. Look for unexplained service crashes, restarts, resource-exhaustion events, and POST requests with the Content-Encoding: deflate header from unfamiliar source IPs. If you find a pattern, treat it as an incident, not a patching task.
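One way to carry out step 5, as an added example that is not part of this advisory or of SolarWinds' tooling. It assumes a request log from a reverse proxy or WAF in front of Serv-U that records each request's method, path and Content-Encoding header (an assumed line format, not Serv-U's native log), service-restart timestamps taken from the OS service log, and the same known-source-range allowlist you would use for the "shrink the audience" firewall rule; the log lines, timestamps and ranges below are constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed request log (assumed format, not Serv-U's native log):
# <UTC timestamp> <client IP> <method> <path> content_encoding=<header or ->
SAMPLE_ACCESS_LOG = """\
2026-06-12T03:14:07Z 203.0.113.7 POST / content_encoding=deflate
2026-06-12T03:14:09Z 203.0.113.7 POST / content_encoding=deflate
2026-06-12T08:30:11Z 198.51.100.22 POST /Web%20Client/Upload content_encoding=deflate
2026-06-12T09:01:13Z 10.20.30.40 POST /Web%20Client/Upload content_encoding=-
"""
# Constructed Serv-U service restart timestamps from the OS service log.
SAMPLE_RESTARTS = ["2026-06-12T03:14:12Z"]
# Assumed allowlist of partner/internal ranges (same list as the firewall rule).
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                     r"content_encoding=(?P<enc>\S+)$")
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_known(ip):
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_RANGES)

def find_trigger_requests(log_text):
    """Return every POST whose Content-Encoding request header is deflate."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["enc"].lower() == "deflate":
            hits.append({"ts": parse_ts(m["ts"]), "ip": m["ip"], "path": m["path"]})
    return hits

def correlate_with_restarts(hits, restarts, window_s=60):
    """Flag hits that were followed by a service restart within window_s seconds."""
    times = [parse_ts(r) for r in restarts]
    for h in hits:
        h["followed_by_restart"] = any(0 <= (t - h["ts"]).total_seconds() <= window_s for t in times)
    return hits

def summarize(hits):
    """Per source IP: hit count, allowlist membership, crash correlation, incident flag."""
    out = {}
    for ip, n in Counter(h["ip"] for h in hits).items():
        crashed = any(h.get("followed_by_restart", False) for h in hits if h["ip"] == ip)
        out[ip] = {"count": n, "known": is_known(ip), "followed_by_restart": crashed,
                   "incident": crashed or not is_known(ip)}
    return out
```

Any deflate-encoded POST is out of profile for Serv-U; a source outside the allowlist or a hit followed by a restart is flagged as an incident rather than a patching task, matching the rule in step 5.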

Interim mitigation if you cannot patch this weekend

If a change window prevents immediate patching, two interim controls reduce exposure:

  • Block the trigger. Add a firewall or web application firewall rule that blocks inbound HTTP POST requests carrying a Content-Encoding: deflate header to your Serv-U listener. Serv-U does not need deflate-encoded request bodies for normal operation, so the false-positive risk is low.
  • Shrink the audience. Restrict Serv-U HTTP access to known source IP ranges using firewall rules. If Serv-U does not need to be reachable from any IP on earth, put it behind a VPN or a reverse proxy until the hotfix is applied.

Neither control is a substitute for the patch. Both are reasonable bridges to a Monday change window.

Where this fits in your KEV workflow

CVE-2026-28318 is the third KEV-relevant advisory we have written about in the last two weeks, after the Palo Alto GlobalProtect auth bypass on June 1 and Thursday’s Windows Kernel TCP/IP RCE from the June Patch Tuesday. The pattern is consistent and worth naming: pre-authentication network-exposed flaws on widely deployed software with confirmed exploitation. Each of those advisories has the same first move — check what you actually expose to the internet — before the patch matters.

This is the operational case for the seven-day KEV patching SLA we recommend for Hawaii SMBs. Federal civilian agencies have to meet CISA’s 14-day deadline by directive; for a small Hawaii business, half that window is the right internal target on internet-facing systems. The triage framework from our patch triage signals post is the same: exposure first, then exploitability, then asset criticality. CVSS 7.5 is a number; “internet-facing managed file transfer server with confirmed in-the-wild exploitation” is the actual risk.

What a defensible 30-day improvement plan looks like

Patching CVE-2026-28318 closes the immediate hole. The longer-term improvement is reducing the chance the next Serv-U or MFT CVE catches you the same way. Three workstream items worth scoping over the next 30 days:

  • Inventory every internet-facing service, not just MFT. Build or refresh a single list of every TCP port you expose to the public internet, grouped by product and version. The point is not the list itself; it is having an artifact you can scan against the next KEV addition in five minutes instead of two days.
  • Subscribe to vendor security advisory feeds. SolarWinds, Palo Alto, Microsoft, Cisco, Fortinet, Ivanti, and any other vendor on your perimeter should send security advisories directly to a monitored mailbox or chat channel. Waiting to learn about a KEV addition from a news article costs you days you don’t have.
  • Define your KEV SLA in writing. A 7-day patch SLA for internet-facing systems and KEV-listed CVEs is a reasonable target for most Hawaii SMBs. Write it down, communicate it to vendors who manage your infrastructure, and review compliance quarterly. The written number is what turns vague urgency into a process.

FAQ for executives

Are we exposed if Serv-U is only used internally?

Less exposed, but not exempt. An internet-exposed Serv-U server is the immediate concern. An internal one becomes a concern if a compromised partner, contractor, or workstation can reach it. The right posture is to patch both populations; the difference is urgency. Internet-exposed: this weekend. Internal: within your normal change window.

Does this affect SolarWinds Orion or other SolarWinds products?

No. CVE-2026-28318 is specific to SolarWinds Serv-U managed file transfer software. SolarWinds Orion and other SolarWinds products are not affected by this particular CVE. That said, if you run any internet-exposed SolarWinds product, this is a reasonable trigger to confirm all of them are on currently supported versions and that vendor security advisory subscriptions are active for them too.

Need help auditing Serv-U or any other managed file transfer product before June 19? HI Tech Hui provides managed IT and cybersecurity services — including KEV-driven patch triage, vulnerability scanning, and 24/7 monitoring through our SOC. Contact us for an internet-facing exposure review.

HI Tech Hui team