CVE-2026-28318: SolarWinds fixes a DoS flaw in its Serv-U MFT and Serv-U Secure FTP products

10 Jun 2026

SolarWinds has released a security update addressing an actively exploited vulnerability tracked as CVE-2026-28318 affecting SolarWinds Serv-U Managed File Transfer (MFT) and Serv-U Secure FTP products.

 

The vulnerability gained additional attention after being added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors have been observed exploiting the flaw in the wild.

 

This post explains what the vulnerability is, the threat it poses, and the security actions organizations can take to prevent or mitigate that threat.

About the vulnerability

Vendor + component affected: SolarWinds + Serv-U Managed File Transfer (MFT) and Serv-U Secure FTP

Versions affected:

  • Serv-U 15.5.4 (prior to Hotfix 1)
  • Serv-U 15.5
  • Serv-U 15.5.1
  • Serv-U 15.4.2

Fixed Version: Serv-U 15.5.4 Hotfix 1

CVE Identifier: CVE-2026-28318

About: The vulnerability is a high-severity Denial-of-Service (DoS) flaw that can be exploited remotely without authentication.

Severity: 7.5 (High)

What can attackers do with the vulnerability?

Attackers can send specially crafted unauthenticated HTTP POST requests to an exposed Serv-U server. Requests containing the Content-Encoding: deflate header and maliciously crafted data can trigger a service crash, causing the Serv-U application to become unavailable.

 

Attackers can exploit the vulnerability to:

  • Disrupt file transfer services and business operations
  • Carry out Denial of Service attacks affecting critical data exchange workflows
  • Cause operational downtime for internet-facing Serv-U deployments
  • Interrupt secure FTP and Managed File Transfer processes
  • Disrupt business services

SharkStriker recommendations

To reduce the risk associated with active exploitation of CVE-2026-28318, SharkStriker recommends implementing the following defensive measures:

 

  • Apply Serv-U Security Updates Immediately: Upgrade all affected Serv-U installations to Serv-U 15.5.4 Hotfix 1 or later. Prioritize internet-facing systems and business-critical file transfer infrastructure.
  • Identify and Inventory Serv-U Deployments: Conduct an organization-wide asset review to identify all Serv-U installations, including legacy or unsupported deployments that may have been overlooked.
  • Monitor for Exploitation Attempts: Review web server, proxy, and application logs for suspicious HTTP POST requests containing the **Content-Encoding: deflate** header or unusual request patterns targeting Serv-U services.
  • Investigate Service Crashes and Restarts: Analyze Windows Event Logs and application logs for unexpected Serv-U service terminations, crashes, or restarts that may indicate attempted exploitation.
  • Restrict External Exposure: Limit direct internet access to Serv-U servers where possible through network segmentation, VPN access controls, firewall restrictions, and trusted IP allowlists.
  • Strengthen Security Monitoring: Ensure EDR, SIEM, and network monitoring solutions are configured to detect abnormal activity associated with Serv-U services, including repeated requests, service interruptions, and suspicious network traffic.
  • Maintain Continuous Vulnerability Management: Given the active exploitation of this vulnerability, organizations should prioritize rapid patch deployment and continuous monitoring of internet-facing applications as part of their vulnerability management program.
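
The log review and crash investigation recommended above can be combined into one check. The following is an added example, not code from SharkStriker or SolarWinds: it flags POST requests whose Content-Encoding includes deflate and matches them to Serv-U service crash times. The log format, sample lines, timestamps and function names are constructed assumptions, and the proxy must be configured to record the request Content-Encoding header.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. Assumed proxy log format (not a Serv-U format):
# ISO timestamp, client IP, method, path, status, request Content-Encoding ("-" if absent).
PROXY_LOG = """\
2026-06-09T10:14:58Z 198.51.100.23 POST /upload 200 -
2026-06-09T10:15:02Z 203.0.113.7 POST / 502 deflate
2026-06-09T10:15:03Z 203.0.113.7 POST / 502 deflate
2026-06-09T11:40:10Z 192.0.2.44 POST /api 200 gzip, deflate
2026-06-09T12:00:00Z 192.0.2.9 GET / 200 -
"""
# Constructed service stop/crash timestamps, e.g. exported from Windows Event Logs.
SERVICE_EVENTS = ["2026-06-09T10:15:04Z"]

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def deflate_posts(log_text):
    """Return (timestamp, client_ip, path, status) for POSTs whose Content-Encoding lists deflate."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole review
        ts, ip, method, path, status, enc = m.groups()
        codings = {c.strip().lower() for c in enc.split(",")}
        if method.upper() == "POST" and "deflate" in codings:
            hits.append((parse_ts(ts), ip, path, int(status)))
    return hits

def correlate(hits, crash_times, window=timedelta(seconds=60)):
    """Map each crash time to the client IPs that sent deflate POSTs within `window` before it."""
    result = {}
    for crash in map(parse_ts, crash_times):
        ips = sorted({ip for ts, ip, _, _ in hits if timedelta(0) <= crash - ts <= window})
        result[crash.isoformat()] = ips
    return result

if __name__ == "__main__":
    hits = deflate_posts(PROXY_LOG)
    for ts, ip, path, status in hits:
        print(f"deflate POST {ts.isoformat()} {ip} {path} -> {status}")
    print(correlate(hits, SERVICE_EVENTS))
```

A deflate POST on its own is only a lead for review; one that lands shortly before an unexpected Serv-U service termination is the pairing worth escalating.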
