ThreatBrief AI

CISA Adds SolarWinds Serv-U CVE-2026-28318 to KEV

CISA added an actively exploited SolarWinds Serv-U denial-of-service flaw to KEV, raising urgency for exposed file-transfer environments.

Jun 07, 2026 | Severity: High

Why it matters

CISA KEV additions are operational signals, not just vulnerability notices. Once a flaw appears in the catalog, defenders should assume exploitation has been observed and prioritize affected assets that are reachable from untrusted networks. SolarWinds Serv-U is used for file-transfer workflows, so exposure can sit close to sensitive business data and partner exchange paths.

What happened

CISA added CVE-2026-28318, a high-severity SolarWinds Serv-U denial-of-service flaw, to the Known Exploited Vulnerabilities catalog after evidence of active exploitation. Public reporting describes the issue as affecting SolarWinds Serv-U multi-protocol file server software and causing the service to crash. The KEV listing makes the vulnerability a near-term remediation item for organizations that run Serv-U or maintain legacy file-transfer infrastructure.

Technical details

The reported impact is denial of service against vulnerable Serv-U deployments. Even when a flaw is not described as remote code execution, downtime in managed file-transfer services can interrupt business operations, partner integrations, and incident response evidence handling. The most important technical task is exposure mapping: identify internet-facing Serv-U systems, confirm installed versions, review vendor remediation guidance, and check whether compensating controls limit access to trusted sources.

Defender actions

Inventory all SolarWinds Serv-U deployments, including test and partner-facing systems. Patch or apply vendor mitigation guidance on an accelerated schedule, prioritizing internet-exposed services first. Restrict access with VPN, firewall allowlists, or zero-trust controls where immediate patching is delayed. Monitor service crashes, repeated connection attempts, and unusual authentication patterns. Record exceptions with an owner and remediation date, because KEV-listed vulnerabilities should not remain in ordinary backlog queues.
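One way to turn the exposure-mapping and exception-tracking steps above into a repeatable check, as an added example that is not part of the original brief. The inventory columns, host names and the `triage` function are assumptions constructed for illustration; `patched` stands for "confirmed against the vendor's remediation guidance", since the brief does not list fixed versions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical hosts, hypothetical column names).
INVENTORY_CSV = """host,internet_facing,patched,source_restricted,exception_owner,exception_due
sftp-partner01,yes,no,no,,
sftp-test02,no,no,no,,
sftp-legacy03,yes,no,yes,j.doe,2026-06-20
sftp-core04,yes,yes,no,,
sftp-dmz05,yes,no,yes,,
"""

def triage(csv_text, today):
    """Return (queue, findings): unpatched hosts ordered by urgency,
    plus hosts whose exception record is missing or overdue."""
    queue, findings = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["patched"] == "yes":
            continue  # remediated; nothing to queue
        exposed = row["internet_facing"] == "yes"
        restricted = row["source_restricted"] == "yes"
        # Tier 0: reachable from untrusted networks, no compensating control.
        # Tier 1: exposed, but access limited to trusted sources.
        # Tier 2: internal only (includes test systems).
        tier = 0 if exposed and not restricted else 1 if exposed else 2
        queue.append((tier, row["host"]))
        # Every unpatched host needs an exception with an owner and a date.
        owner, due = row["exception_owner"], row["exception_due"]
        if not owner or not due:
            findings.append((row["host"], "no exception owner/date recorded"))
        elif date.fromisoformat(due) < today:
            findings.append((row["host"], "exception remediation date has passed"))
    queue.sort()  # by tier, then host name for a stable order
    return [host for _, host in queue], findings

if __name__ == "__main__":
    order, gaps = triage(INVENTORY_CSV, date(2026, 6, 7))
    print("Remediation order:", order)
    for host, problem in gaps:
        print(f"  {host}: {problem}")
```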