ctipilot.ch

CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV

high · vulnerability · discovered 2026-06-06 05:00 UTC

Part of run 2026-06-06-d01b95fe (intel · Claude Opus 4.8)

CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on 2026-06-05, confirming active exploitation (SolarWinds, 2026-06-04; ENISA EUVD). The flaw is an uncontrolled-resource-consumption issue (CWE-400): an unauthenticated remote attacker sends a crafted HTTP POST carrying Content-Encoding: deflate, triggering decompression memory exhaustion that crashes the Serv-U SFTP/FTP service (T1499.003 Application Exhaustion Flood). On default configurations the service does not auto-restart, so a single request causes a sustained availability outage of the managed-file-transfer endpoint. Fixed in Serv-U 15.5.4 Hotfix 1. Per PD-13, the operational driver here is the confirmed exploitation, not the US BOD 22-01 remediation date: managed-file-transfer appliances are recurrent ransomware-adjacent targets, and an internet-exposed Serv-U that can be knocked offline by one packet is a denial-of-service risk to any process that depends on it. Detection concepts: monitor Serv-U service-process restart/crash events and web-access logs for POST requests with unusual Content-Encoding values.
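An added detection sketch for the web-access-log concept above (example code, not from the brief or from SolarWinds): it scans constructed log lines in an assumed combined-log style with the request's Content-Encoding appended as a trailing quoted field, and flags POST requests whose encoding falls outside an allowlist of what the deployment's clients normally send. Serv-U's real log layout is not on this page, so the regex, field order and allowlist are assumptions to adapt to your own logs.

```python
"""Flag POST requests with unexpected Content-Encoding values in web-access logs.

Added example; the line format is constructed (combined-log style plus a
trailing quoted Content-Encoding field) and does not reflect Serv-U's real logs.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample lines: client IP, request, status, size, request Content-Encoding.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:14:02:11 +0000] "POST /api/upload HTTP/1.1" 200 512 "-"
203.0.113.7 - - [05/Jun/2026:14:02:12 +0000] "GET /Web%20Client/ HTTP/1.1" 200 4096 "-"
198.51.100.23 - - [05/Jun/2026:14:03:40 +0000] "POST /api/upload HTTP/1.1" 500 0 "deflate"
198.51.100.23 - - [05/Jun/2026:14:03:41 +0000] "POST /api/upload HTTP/1.1" 500 0 "deflate"
192.0.2.9 - - [05/Jun/2026:14:04:00 +0000] "POST /api/upload HTTP/1.1" 200 1024 "gzip"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<cenc>[^"]*)"$'
)

# Encodings legitimate clients of this deployment are expected to send.
# Assumption for the example; tune to what your own clients actually use.
EXPECTED_ENCODINGS = {"-", "", "identity", "gzip"}


def parse(line: str) -> Optional[dict]:
    """Split one access-log line into named fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(lines: Iterable[str]):
    """Yield POST records whose request Content-Encoding is outside the allowlist."""
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["cenc"].lower() not in EXPECTED_ENCODINGS:
            yield rec


def summarize(lines: Iterable[str]) -> dict:
    """Count suspicious POSTs overall and per source IP, for alert thresholding."""
    hits = list(suspicious_posts(lines))
    return {"total": len(hits), "by_ip": dict(Counter(h["ip"] for h in hits))}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Pair the per-IP counts with Serv-U service crash or restart events from the host (the other detection concept named above) to separate a misconfigured client from a request that actually took the service down.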

Action items

  • Patch SolarWinds Serv-U to 15.5.4 Hotfix 1 if you run it internet-exposed. Unauthenticated single-request DoS, confirmed exploited; until patched, restrict exposure of the SFTP/FTP/HTTP interface.
Tags: vulnerabilities, actively-exploited, dos, pre-auth, cisa-kev, patch-available, global, CVE-2026-28318