
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently warned that attackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.
Serv-U is the company's Windows and Linux file transfer tool that provides Managed File Transfer (MFT) and FTP server capabilities, which allow users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP.
SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch this denial-of-service vulnerability (tracked as CVE-2026-28318) and said it stems from an uncontrolled resource consumption weakness.
"SolarWinds Serv-U is vulnerable to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate," the company said.
Remote attackers can exploit the security flaw without privileges in low-complexity attacks that do not require user interaction.
SolarWinds also advised admins who cannot immediately deploy the patch to restrict access to known addresses and to block any POST request containing "content-encoding," since the vulnerable Serv-U service does not require this capability.
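The two interim mitigations SolarWinds recommended (a source-address allowlist and dropping POST requests that carry a Content-Encoding header) can be expressed as a small request filter placed in front of the Serv-U web listener. The following Python is an added example, not SolarWinds' or CISA's code; the allowlisted ranges, hostname and sample requests are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed allowlist of known source ranges (replace with your own).
ALLOWED_SOURCES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),      # assumed internal range
    ipaddress.ip_network("192.0.2.0/24"),    # assumed partner range
]


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, headers).

    Header names are lower-cased because HTTP header names are case-insensitive,
    so 'Content-Encoding', 'content-encoding' and 'CONTENT-ENCODING' all match
    the vendor's "block any POST containing content-encoding" rule.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0].upper()
    path = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def filter_request(src_ip: str, raw: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one request to the Serv-U web port."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_SOURCES):
        return "block", "source not in allowlist"
    method, _path, headers = parse_request_head(raw)
    if method == "POST" and "content-encoding" in headers:
        return "block", "POST with Content-Encoding: " + headers["content-encoding"]
    return "allow", "ok"


# Constructed sample traffic: a compressed-body POST of the kind the advisory
# describes, and an ordinary page fetch.
SAMPLE_DEFLATE_POST = (
    b"POST /login HTTP/1.1\r\nHost: serv-u.example.test\r\n"
    b"Content-Encoding: deflate\r\nContent-Length: 5\r\n\r\nxxxxx"
)
SAMPLE_GET = b"GET / HTTP/1.1\r\nHost: serv-u.example.test\r\n\r\n"

if __name__ == "__main__":
    for ip, req in [("10.1.2.3", SAMPLE_DEFLATE_POST), ("10.1.2.3", SAMPLE_GET),
                    ("203.0.113.5", SAMPLE_GET)]:
        print(ip, *filter_request(ip, req))
```

Blocked requests are worth logging with source address and reason: a burst of Content-Encoding POSTs from unknown sources is the signal to hunt for before the hotfix is rolled out.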
The Internet intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed online, and Internet security watchdog Shadowserver just over 3,100, but there is no information on how many have already been patched.
Days after SolarWinds addressed the vulnerability, CISA flagged it as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog, ordering all Federal Civilian Executive Branch agencies to patch their servers against ongoing attacks by June 19, as mandated by Binding Operational Directive (BOD) 22-01.
While BOD 22-01 applies only to U.S. government agencies, the cybersecurity agency also urged all network defenders, including the private sector, to secure their networks against ongoing CVE-2026-28318 attacks as soon as possible.
"This kind of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
In recent years, multiple cybercrime and state-backed hacking groups have targeted vulnerabilities in Serv-U to steal sensitive corporate and customer data.
For instance, the Clop ransomware gang exploited a Serv-U remote code execution vulnerability (CVE-2021-35211) to breach corporate networks in a 2021 campaign. DEV-0322 Chinese hackers also deployed CVE-2021-35211 exploits in zero-day attacks starting in July 2021.
More recently, in June 2024, cybersecurity companies GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited.
Over the last several years, CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks, one of which has also been abused by ransomware gangs.