CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV
From CTI Daily Brief — 2026-06-06 · published 2026-06-06
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on 2026-06-05, confirming active exploitation (SolarWinds, 2026-06-04; ENISA EUVD). The flaw is an uncontrolled-resource-consumption issue (CWE-400): an unauthenticated remote attacker sends a crafted HTTP POST carrying Content-Encoding: deflate, triggering decompression memory exhaustion that crashes the Serv-U SFTP/FTP service (T1499.003 Application Exhaustion Flood).

On default configurations the service does not auto-restart, so a single request causes a sustained availability outage of the managed-file-transfer endpoint. Fixed in Serv-U 15.5.4 Hotfix 1.

Per PD-13, the operational driver here is the confirmed exploitation, not the US BOD 22-01 remediation date: managed-file-transfer appliances are recurrent ransomware-adjacent targets, and an internet-exposed Serv-U that can be knocked offline by a single request is a denial-of-service risk to any process that depends on it.

Detection concepts: monitor Serv-U service-process restart/crash events and web-access logs for POST requests with unusual Content-Encoding values.
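As an added illustration of the detection concepts above (example code written for this brief, not SolarWinds' or Serv-U's own tooling): a small Python detector that runs over constructed log lines, flags POST requests whose Content-Encoding is outside the expected baseline, and correlates them with unexpected service stops. The access-log field order, the service-event wording "stopped unexpectedly", and the 60-second window are assumptions; adapt parse_access() and crash_times() to the log source you actually collect.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample access-log lines in an ASSUMED format (the brief gives no Serv-U log layout):
#   <ISO-8601 time> <client ip> <method> <path> <status> <request Content-Encoding or ->
ACCESS_LOG = """\
2026-06-05T10:14:01Z 203.0.113.7 GET /Web%20Client/Login.xml 200 -
2026-06-05T10:14:03Z 198.51.100.23 POST /api/upload 200 identity
2026-06-05T10:14:05Z 203.0.113.7 POST /Web%20Client/Login.xml 200 deflate
2026-06-05T10:14:06Z 203.0.113.7 POST /Web%20Client/Login.xml 500 deflate
2026-06-05T10:14:09Z 192.0.2.44 POST /api/upload 200 gzip
"""
# Constructed service-monitor lines (assumed format): "<ISO-8601 time> <message>"
SERVICE_EVENTS = """\
2026-06-05T10:13:00Z Serv-U service started
2026-06-05T10:14:07Z Serv-U service stopped unexpectedly
"""
ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
# Request bodies to an MFT web front end are normally sent uncompressed; treat anything else as unusual.
EXPECTED_ENCODINGS = {"-", "identity"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_access(line):
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than crash the detector
    ts, ip, method, path, status, enc = m.groups()
    return {"ts": parse_ts(ts), "ip": ip, "method": method, "path": path,
            "status": int(status), "encoding": enc.lower()}

def suspicious_posts(log_text):
    """POST requests whose Content-Encoding falls outside the expected baseline."""
    rows = (parse_access(l) for l in log_text.splitlines() if l.strip())
    return [r for r in rows if r and r["method"] == "POST"
            and r["encoding"] not in EXPECTED_ENCODINGS]

def crash_times(events_text):
    """Timestamps of unexpected service stops (the restart/crash signal named in the brief)."""
    return [parse_ts(l.split(" ", 1)[0]) for l in events_text.splitlines()
            if "stopped unexpectedly" in l]

def correlate(log_text, events_text, window_s=60):
    """Suspicious POSTs that precede a crash by at most window_s seconds, plus a per-source tally."""
    crashes = crash_times(events_text)
    hits = [p for p in suspicious_posts(log_text)
            if any(0 <= (c - p["ts"]).total_seconds() <= window_s for c in crashes)]
    return hits, Counter(p["ip"] for p in hits)
```

On the constructed input the two deflate POSTs from 203.0.113.7 land in the window before the crash and are reported, while the later gzip POST is flagged as unusual but not correlated.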