CISA Sets 2026 Deadline for Critical SolarWinds Serv-U Vulnerability Remediation Amid Ongoing Exploitation
June 6, 2026
CISA has set a remediation deadline of June 19, 2026 for the vulnerability, which binds federal agencies under Binding Operational Directive 22-01 (the directive covering KEV-listed vulnerabilities), while urging non-federal organizations to treat the issue with the same urgency because exploitation is ongoing.
The flaw is an Uncontrolled Resource Consumption (CWE-400) vulnerability that lets unauthenticated attackers crash the Serv-U service via crafted HTTP POST requests using Content-Encoding: deflate.
SolarWinds released a hotfix addressing the vulnerability in Serv-U version 15.5.4 Hotfix 1; all earlier Serv-U versions are vulnerable and should be patched immediately.
Additional guidance is available from SolarWinds’ advisory and the NVD entry for CVE-2026-28318.
Mitigation includes applying Serv-U 15.5.4 Hotfix 1, limiting Serv-U exposure by placing it behind firewalls or VPNs, monitoring for anomalous deflate-encoded POST requests, and decommissioning instances that cannot be patched; cloud deployments should also align with BOD 22-01.
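The monitoring step above is easiest to act on with a concrete check. The following Python is an added example (not code from the article, CISA, or SolarWinds) that scans request logs for POST requests carrying Content-Encoding: deflate, groups them by source address, and ranks sources by how many such requests arrive within a short window and how many server errors follow. The log format, the sample lines, the 60-second window and the threshold of 3 are all assumptions made for the example; Serv-U's own log layout differs, so the regular expression would need adjusting to whatever proxy or application log is actually available.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real Serv-U output). The format is an
# assumed one-request-per-line export from a reverse proxy in front of Serv-U:
# timestamp, source IP, method, path, protocol, status, request Content-Encoding.
SAMPLE_LOG = """\
2026-06-05T09:58:10Z 198.51.100.20 GET /Web%20Client/Login.xml HTTP/1.1 status=200 enc=-
2026-06-05T09:58:12Z 198.51.100.20 POST /Web%20Client/Login.xml HTTP/1.1 status=200 enc=-
2026-06-05T10:00:01Z 203.0.113.5 POST / HTTP/1.1 status=200 enc=deflate
2026-06-05T10:00:02Z 203.0.113.5 POST / HTTP/1.1 status=200 enc=deflate
2026-06-05T10:00:02Z 203.0.113.5 POST / HTTP/1.1 status=502 enc=deflate
2026-06-05T10:00:03Z 203.0.113.5 POST / HTTP/1.1 status=502 enc=deflate
2026-06-05T10:05:00Z 192.0.2.77 POST /api/upload HTTP/1.1 status=200 enc=gzip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ "
    r"status=(?P<status>\d{3}) enc=(?P<enc>\S+)$"
)


@dataclass
class Request:
    ts: datetime
    src: str
    method: str
    path: str
    status: int
    enc: str


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        reqs.append(Request(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            src=m["src"], method=m["method"], path=m["path"],
            status=int(m["status"]), enc=m["enc"].lower(),
        ))
    return reqs


def find_deflate_posts(reqs):
    """The indicator named in the advisory: POST bodies declared as deflate."""
    return [r for r in reqs if r.method == "POST" and r.enc == "deflate"]


def detect_bursts(reqs, window=timedelta(seconds=60), threshold=3):
    """Group deflate-encoded POSTs by source and flag sources whose count in
    any sliding window reaches the threshold. Window and threshold are assumed
    tuning values for this example, not figures from the advisory."""
    by_src = defaultdict(list)
    for r in find_deflate_posts(reqs):
        by_src[r.src].append(r)

    findings = []
    for src, hits in by_src.items():
        hits.sort(key=lambda r: r.ts)
        peak, start = 0, 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window`.
            while hits[end].ts - hits[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        # 5xx responses after such requests may mean the service stopped answering.
        errors = sum(1 for r in hits if r.status >= 500)
        findings.append({
            "src": src,
            "deflate_posts": len(hits),
            "peak_in_window": peak,
            "server_errors": errors,
            "severity": "high" if peak >= threshold else "review",
        })
    findings.sort(key=lambda f: (-f["peak_in_window"], f["src"]))
    return findings


if __name__ == "__main__":
    for finding in detect_bursts(parse_log(SAMPLE_LOG)):
        print(finding)
```

Every deflate-encoded POST is reported (severity "review") because the advisory treats the encoding itself as the anomaly; a burst from one source that coincides with 5xx responses is raised to "high" so an analyst looks there first. Running the block prints one finding for 203.0.113.5, while the gzip upload from 192.0.2.77 and the ordinary login traffic are ignored.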
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on June 5, 2026, due to active exploitation of the SolarWinds Serv-U flaw.
Attackers can trigger the issue remotely with zero privileges, making it a potentially attractive initial-access vector for exposed Serv-U deployments.
The risk remains ongoing and prompt remediation is needed across organizations, not just federal entities.
Source: CybersecurityNews, Jun 6, 2026, "CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks"