On June 5, the U.S. Cybersecurity and Infrastructure Security Agency added a SolarWinds Serv-U file transfer flaw to its Known Exploited Vulnerabilities catalog after seeing attackers use it in the wild. If your business uses Serv-U to move files between offices, vendors, accountants, or clients — or your IT provider runs it behind the scenes — there is a hotfix available now and a federal patch deadline of June 19.
What the flaw actually does
The bug is tracked as CVE-2026-28318 and carries a CVSS score of 7.5.
In plain English: an unauthenticated attacker — meaning no password, no account, no inside access — can send a single specially crafted HTTP POST request with a "Content-Encoding: deflate" header and crash the Serv-U service. No user has to click anything. The server simply stops responding.
It is a denial-of-service flaw, not a remote-code-execution flaw, so the attacker is not stealing files through this bug directly. But for a small business that depends on Serv-U to move payroll files, invoices, design files, or client deliverables, a service that keeps crashing is the same as a service that does not exist. Disruption is the attack. And history with this product matters: the Cl0p ransomware gang previously exploited a different Serv-U flaw (CVE-2021-35211) to breach corporate networks in 2021, and Chinese state-sponsored group DEV-0322 weaponized the same flaw in zero-day attacks.
Why this matters for a small business in York County
Serv-U is a managed file transfer and secure file server platform that runs on Windows and Linux, integrates with Active Directory, and is used as a backbone for automated file exchange in healthcare, finance, government, and manufacturing. That covers a lot of York County: medical practices that exchange records with billing companies, manufacturers that swap CAD files with suppliers, accounting firms that move client documents during tax season.
You may not even know you're running it. Serv-U is often deployed by an IT provider or a software vendor as the back-end for an existing workflow. The fix is straightforward — SolarWinds released a hotfix in Serv-U version 15.5.4 Hotfix 1, and any prior version is considered vulnerable.
CISA set a remediation deadline of June 19, 2026, for federal agencies, and urged every other organization to treat the listing with the same urgency given confirmed exploitation in the wild.
What your managed-IT provider should be doing this week
A competent MSP should already be working through three steps:
1. Inventory. Confirm whether Serv-U is running anywhere in your environment — on a server in your office, in a co-located data center, or inside a vendor's hosted setup. Version number matters. Administrators who upgraded to 15.5.4 still need to verify the hotfix is applied, because the base 15.5.4 release without HF1 is still vulnerable.
2. Patch or mitigate. Apply Serv-U 15.5.4 Hotfix 1. If patching has to wait, SolarWinds recommends limiting access to known IP addresses and blocking any inbound request that contains the "content-encoding" header, since the vulnerable service does not actually need that functionality.
3. Hunt for signs of exploitation. Review logs for repeated service crashes, unexplained Serv-U restarts, and suspicious compressed POST requests around the disclosure window. A crash bug with active exploitation is still an attacker-controlled failure mode, and DoS activity is often paired with reconnaissance for a larger intrusion.
What York Businesses Should Do
If your York County business uses any file transfer server — Serv-U or otherwise — ask your IT provider this week whether it has been inventoried, patched, and restricted to known IP ranges. If you don't know who owns that answer, that is the bigger problem to fix first.