
SolarWinds Serv-U Just Earned Its Fifth Spot on CISA's Exploited List. One Unauthenticated POST With a Deflate Header Crashes the Whole Service.

  • Writer: Patrick Duggan
  • 4 minutes ago
  • 3 min read

CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog this month, with a remediation mandate for federal civilian agencies, and it is a SolarWinds Serv-U flaw — which by itself would be a routine patch note, except that when I cross-referenced it against our own KEV index this morning, it turned out to be the fifth Serv-U vulnerability on that list. Not the fifth SolarWinds product. The fifth time this one file-transfer server has been added to the catalog of things attackers are actively exploiting in the wild. That is the story here, and it is a bigger story than the bug itself.


The new bug is almost insultingly simple. CVE-2026-28318 is an uncontrolled resource consumption vulnerability: a specially crafted POST request carrying a Content-Encoding deflate header crashes the Serv-U service, and it requires no authentication whatsoever. There is no credential to steal, no chain to assemble, no lateral movement — you send one malformed compressed request to an exposed Serv-U instance and the service falls over. It is rated a medium severity on the numeric scale because it is "only" a denial of service, but severity scores measure the wrong thing for a managed-file-transfer box. Serv-U is the kind of infrastructure that sits between business partners moving contracts, healthcare data, and financial files; when it goes down, the outage is not an inconvenience, it is a halt in the actual flow of a business, and the unauthenticated, single-request nature of this one means anyone who can reach the port can cause that halt at will.
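The request pattern described above (an unauthenticated POST carrying a Content-Encoding deflate header, followed by the service falling over) is something a defender can hunt for in the logs of whatever sits in front of the Serv-U web interface. The following is an added example, not code from the post or from SolarWinds: it parses a few constructed reverse-proxy log lines in a hypothetical format that records the request's Content-Encoding value, and grades each deflate-encoded POST by whether it was unauthenticated, came from outside an assumed partner/VPN allowlist, and was answered with a 5xx. The log layout, the sample addresses and the allowlisted ranges are all assumptions for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed log lines in a hypothetical reverse-proxy format placed in front of the
# Serv-U web interface. The layout (notably the quoted Content-Encoding field after
# the byte count) is an assumption for this example, not Serv-U's own log format.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /api/upload HTTP/1.1" 500 0 "deflate" "-"
198.51.100.4 - bob [12/Mar/2026:10:01:05 +0000] "POST /api/upload HTTP/1.1" 200 512 "gzip" "-"
203.0.113.7 - - [12/Mar/2026:10:01:06 +0000] "GET /login HTTP/1.1" 200 1042 "-" "-"
192.0.2.9 - - [12/Mar/2026:10:02:11 +0000] "POST /login HTTP/1.1" 502 0 "deflate" "-"
10.20.30.40 - alice [12/Mar/2026:10:03:00 +0000] "POST /api/upload HTTP/1.1" 200 2048 "deflate" "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<encoding>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical allowlist of partner and VPN ranges that are expected to reach the box.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    status: int
    authenticated: bool
    trusted_source: bool

    @property
    def severity(self) -> str:
        # An unauthenticated deflate POST from an untrusted source that the service
        # answered with a 5xx is the closest match to the pattern in the advisory text.
        if not self.authenticated and not self.trusted_source and self.status >= 500:
            return "high"
        if not self.authenticated:
            return "medium"
        return "low"


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the allowlisted ranges."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_deflate_posts(log_text: str) -> List[Finding]:
    """Collect every POST whose Content-Encoding mentions deflate, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if "deflate" not in rec["encoding"].lower():
            continue
        findings.append(Finding(
            src=rec["src"],
            ts=rec["ts"],
            path=rec["path"],
            status=int(rec["status"]),
            authenticated=rec["user"] != "-",   # "-" means no authenticated user
            trusted_source=is_trusted(rec["src"]),
        ))
    return findings


if __name__ == "__main__":
    for f in find_deflate_posts(SAMPLE_LOG):
        print(f"{f.severity:6} {f.src:15} {f.ts} {f.path} "
              f"status={f.status} auth={f.authenticated} trusted={f.trusted_source}")
```

Run against the constructed lines, the two unauthenticated deflate POSTs from outside the allowlist that ended in a 500 and a 502 grade as high, while alice's authenticated upload from the VPN range grades as low. The 5xx check matters because a service that has just crashed tends to stop answering at all, so the single request immediately before a gap in the log is usually the one worth pulling.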


The reason the fifth-entry framing matters is what our index holds underneath it. The same Serv-U product is already on the exploited list for CVE-2024-28995, a path traversal that lets an attacker read sensitive files off the host; for CVE-2021-35211, a memory-escape flaw that allowed full remote code execution and was exploited as a zero-day; and for CVE-2021-35247, an improper-input-validation issue. Read those together and a pattern emerges that no single CVE shows you: this is a product with a recurring habit of shipping internet-facing parsing and request-handling bugs, exploited repeatedly across years. That is not a knock I am inventing for a headline — it is what the catalog says when you stop looking at vulnerabilities one at a time and start looking at them per-product, which is exactly the kind of cross-index correlation our archive is built to do. One KEV entry is an incident. Five on the same box is a procurement signal.
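The per-product correlation described above is easy to reproduce against the public KEV feed. As an added example, not the post's own index code, the block below groups entries by vendor and product (normalising case and stray whitespace, since product names in the feed are not always consistent) and reports any product at or above a threshold, with the years its entries span. The input is a constructed subset in the shape of CISA's KEV JSON (the field names cveID, vendorProject, product and dateAdded follow the published feed); it contains the four Serv-U CVEs the post names plus one placeholder entry for contrast, and every dateAdded value is a placeholder, not the catalog's real date.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed subset in the shape of the KEV JSON feed. CVE IDs are the ones named in
# the post; the placeholder vendor/CVE and all dateAdded values are made up for the example.
KEV_SAMPLE = json.dumps({
    "title": "constructed subset, not the live catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2021-35211", "vendorProject": "SolarWinds", "product": "Serv-U", "dateAdded": "2021-11-01"},
        {"cveID": "CVE-2021-35247", "vendorProject": "SolarWinds", "product": "Serv-U ", "dateAdded": "2022-01-01"},
        {"cveID": "CVE-2024-28995", "vendorProject": "SolarWinds", "product": "serv-u", "dateAdded": "2024-07-01"},
        {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds", "product": "Serv-U", "dateAdded": "2026-03-01"},
        {"cveID": "CVE-XXXX-0001", "vendorProject": "ExampleVendor", "product": "ExampleGateway", "dateAdded": "2023-05-05"},
    ],
})


def normalize(name: str) -> str:
    """Collapse whitespace and case so 'Serv-U ', 'serv-u' and 'Serv-U' group together."""
    return " ".join(name.split()).casefold()


def group_by_product(kev_json: str) -> Dict[Tuple[str, str], List[dict]]:
    """Map (vendor, product) to that product's KEV entries, oldest dateAdded first."""
    data = json.loads(kev_json)
    groups: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for entry in data["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        groups[key].append(entry)
    for entries in groups.values():
        entries.sort(key=lambda e: e["dateAdded"])   # ISO dates sort lexically
    return dict(groups)


def repeat_offenders(kev_json: str, threshold: int = 3) -> List[dict]:
    """Products with at least `threshold` KEV entries, most entries first."""
    report = []
    for (vendor, product), entries in group_by_product(kev_json).items():
        if len(entries) < threshold:
            continue
        report.append({
            "vendor": vendor,
            "product": product,
            "count": len(entries),
            "cves": [e["cveID"] for e in entries],
            "first_added": entries[0]["dateAdded"],
            "last_added": entries[-1]["dateAdded"],
            "years": sorted({e["dateAdded"][:4] for e in entries}),
        })
    report.sort(key=lambda r: r["count"], reverse=True)
    return report


if __name__ == "__main__":
    for row in repeat_offenders(KEV_SAMPLE):
        print(f"{row['vendor']} / {row['product']}: {row['count']} entries, "
              f"{row['first_added']} to {row['last_added']} ({', '.join(row['cves'])})")
```

On the real feed the same two functions run unchanged over the full `vulnerabilities` array; the threshold is the knob that turns the output from a patch list into the procurement signal the post is talking about.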


So the protective read has two layers, near-term and strategic. Near-term: if you run Serv-U, patch CVE-2026-28318 now, because it is unauthenticated, trivial, and already being exploited, and there is no mitigation as clean as the fix — but if you cannot patch immediately, get the management interface off the public internet, because almost every Serv-U entry on the KEV list shares the precondition of being directly reachable. An MFT server exposed to the open internet is the common denominator across the whole rap sheet, and pulling it behind a VPN or an allowlist removes the precondition for most of the catalog at once, not just this one bug.


The strategic layer is the one I actually want defenders to sit with. When a single product accumulates five entries on the exploited-vulnerabilities list, the patch-by-patch posture has quietly become a treadmill, and the honest question for whoever owns the risk is whether this box belongs on the edge of your network at all. I am not telling anyone to rip out SolarWinds — that is a decision with real cost and I do not have your environment in front of me. I am saying that the KEV catalog, read correctly, is not just a to-do list of patches; it is reputation data on your own infrastructure, and a product that shows up five times is telling you something the individual advisories never will. We watch where the material stages and where the exploited bugs cluster, and the cluster on this one is now impossible to miss.




The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.

