SolarWinds released Serv-U 15.5.4 Hotfix 1 on 4 June 2026 to address CVE-2026-28318, an unauthenticated denial-of-service vulnerability affecting Serv-U. CISA later added the vulnerability to its Known Exploited Vulnerabilities catalogue, with NVD reflecting a 5 June 2026 KEV date and a 19 June 2026 remediation due date.
This is a threat-intel update, but it must be read carefully. The reviewed sources support an availability-risk assessment tied to active exploitation and KEV prioritisation. They do not support claims of ransomware activity, data theft, remote code execution, named threat actors, victim counts or a confirmed breach campaign.
What CVE-2026-28318 does
SolarWinds describes CVE-2026-28318 as an unauthenticated denial-of-service vulnerability in Serv-U. Specially crafted POST requests that use Content-Encoding: deflate can crash the Serv-U service, and no authentication is required to send them.
NVD lists the issue with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which indicates network access, low attack complexity, no required privileges, no user interaction, and high availability impact. NVD also maps the weakness to CWE-400: Uncontrolled Resource Consumption.
That classification is important. This is not being presented by the reviewed sources as a confidentiality or integrity compromise. The supported impact is service disruption.
Why KEV inclusion changes priority
CISA’s Known Exploited Vulnerabilities catalogue is used to prioritise vulnerabilities that have evidence of exploitation. NVD reflects that CVE-2026-28318 is in CISA’s KEV catalogue and lists the required action as applying mitigations per vendor instructions, following applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.
Canada’s Cyber Centre also updated its advisory on 5 June 2026 to note that CISA had added CVE-2026-28318 to KEV. It advised users and administrators to review the relevant links and apply the necessary updates.
For defenders, the significance is straightforward: once a vulnerability enters KEV, it should move from the normal patch queue to priority remediation, especially where the affected service is internet-facing or business-critical.
Affected versions and patch guidance
SolarWinds says customers who downloaded and installed Serv-U 15.5.4 should also download and install Serv-U 15.5.4 Hotfix 1. Canada’s Cyber Centre describes affected products as SolarWinds Serv-U versions prior to 15.5.4 HF1.
NVD lists affected configurations as versions up to, but excluding, 15.5.4, as well as 15.5.4 without the hotfix. The practical reading is simple: administrators should confirm that Serv-U has been updated to 15.5.4 Hotfix 1, or brought in line with any later guidance from SolarWinds.
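The version boundary described above can be applied to an inventory export as follows. This is an added example, not SolarWinds or NVD code; the version-string shapes it accepts and the inventory rows are constructed assumptions, and releases later than 15.5.4 Hotfix 1 are treated as fixed in line with the NVD range.

```python
import re

# First fixed build per the advisories cited above: 15.5.4 Hotfix 1.
FIXED = (15, 5, 4, 1)

# Assumed string shapes: "15.5.4", "15.5.4 HF1", "Serv-U 15.5.4 Hotfix 1".
_VERSION = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:\s*(?:hf|hotfix)\s*(\d+))?", re.IGNORECASE
)

def parse_version(text):
    """Return (major, minor, patch, hotfix), or None if nothing parseable is found."""
    m = _VERSION.search(text or "")
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, int(m.group(4) or 0))  # no hotfix text -> level 0

def status(text):
    """Classify a reported version as 'affected', 'fixed' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # needs manual validation; never assumed safe
    return "fixed" if v >= FIXED else "affected"

def triage(inventory):
    """Hosts still needing action, internet-facing first, then by hostname."""
    todo = [h for h in inventory if status(h["version"]) != "fixed"]
    return sorted(todo, key=lambda h: (not h["internet_facing"], h["host"]))

# Constructed inventory rows for illustration only.
INVENTORY = [
    {"host": "mft-dmz-01", "version": "15.5.4", "internet_facing": True},
    {"host": "mft-int-02", "version": "15.5.3 HF2", "internet_facing": False},
    {"host": "mft-dmz-03", "version": "Serv-U 15.5.4 Hotfix 1", "internet_facing": True},
    {"host": "ftp-legacy", "version": "", "internet_facing": True},
]

if __name__ == "__main__":
    for h in triage(INVENTORY):
        exposure = "internet-facing" if h["internet_facing"] else "internal"
        print(h["host"], status(h["version"]), exposure)
```

A host whose version cannot be parsed stays on the list as "unknown", so a blank inventory field is never read as patched.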
Where patching cannot be done immediately, BleepingComputer reported mitigation guidance to limit access to known addresses and block POST requests containing content-encoding. That should be treated as a temporary exposure-reduction step, not a replacement for applying the vendor hotfix.
What this means for file-transfer risk
Serv-U is used for managed file transfer and FTP server capabilities across Windows and Linux environments. File-transfer infrastructure often sits at the boundary between internal users, partners, customers and external workflows. Even when a vulnerability is “only” denial of service, disruption can affect business operations, partner exchange, customer uploads, backups or automated data movement.
Availability risk should not be dismissed. A repeated unauthenticated crash against a public-facing transfer service can become an operational incident, especially if the service supports logistics, finance, customer onboarding, regulated submissions or time-sensitive data exchange.
The key is to avoid both underreaction and overstatement. This is serious enough to prioritise patching because it is in KEV and tied to active exploitation reporting. But the evidence reviewed does not justify claims that attackers are using it to steal data, deploy ransomware or gain remote code execution.
What defenders should verify now
Security teams should first identify all Serv-U deployments, including older systems that may sit outside the standard asset inventory. File-transfer services are sometimes managed by infrastructure, application, operations or business teams rather than central security, so ownership should be confirmed.
Next, validate the exact version and hotfix level. Systems running vulnerable versions should be updated to Serv-U 15.5.4 Hotfix 1 or the latest vendor-recommended release path.
Teams should also review exposure. Internet-facing Serv-U services should be prioritised. Access controls should be tightened, and temporary filtering should be considered where patching is delayed. Logs should be reviewed for repeated POST requests, crashes, service restarts or unusual availability patterns around the exposure window.
Finally, incident response teams should keep the scope clear. If local evidence shows only service crashes, treat it as an availability event. If additional indicators show unauthorised access, file manipulation or data movement, that becomes a separate investigation and should be evidenced separately.
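One way to carry out the log review described above is to correlate service starts that have no preceding clean stop with POST requests carrying Content-Encoding: deflate in the seconds before them. This is an added example, not vendor tooling; the normalised line format, the 30-second window and the sample lines are constructed assumptions, and real Serv-U or proxy logs would need mapping into this shape first.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed look-back before each unplanned start

def parse(line):
    """Parse '<ISO time> REQ <ip> <method> ce=<value>' or '<ISO time> SVC <start|stop>'."""
    f = line.split()
    ts = datetime.fromisoformat(f[0].replace("Z", "+00:00"))
    if f[1] == "REQ":
        return {"ts": ts, "kind": "req", "ip": f[2], "method": f[3].upper(),
                "ce": f[4].partition("=")[2].lower()}
    return {"ts": ts, "kind": "svc", "event": f[2].lower()}

def crash_candidates(lines, window=WINDOW):
    """Return [(start_time, {ip: count})] for service starts that had no clean
    stop before them and were preceded, within `window`, by POSTs carrying
    Content-Encoding: deflate."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    posts, clean_stop, findings = [], False, []
    for e in events:
        if e["kind"] == "req":
            if e["method"] == "POST" and e["ce"] == "deflate":
                posts.append(e)
        elif e["event"] == "stop":
            clean_stop = True        # planned restart: a stop is logged first
        elif e["event"] == "start":
            if not clean_stop:       # start with no stop: recovery after a crash
                hits = Counter(p["ip"] for p in posts if e["ts"] - p["ts"] <= window)
                if hits:
                    findings.append((e["ts"].isoformat(), dict(hits)))
            clean_stop = False
    return findings

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE = """\
2026-06-05T09:00:00Z SVC start
2026-06-05T09:10:00Z REQ 198.51.100.20 POST ce=-
2026-06-05T09:14:50Z REQ 203.0.113.7 POST ce=deflate
2026-06-05T09:14:52Z REQ 203.0.113.7 POST ce=deflate
2026-06-05T09:15:05Z SVC start
2026-06-05T11:00:00Z REQ 198.51.100.20 POST ce=deflate
2026-06-05T11:00:10Z SVC stop
2026-06-05T11:00:20Z SVC start
""".splitlines()

if __name__ == "__main__":
    for when, sources in crash_candidates(SAMPLE):
        print(when, sources)
```

A finding here evidences an availability event only; signs of unauthorised access or data movement have to be established from other records.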