CISA has added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The vulnerability affects SolarWinds Serv-U, a multi-protocol file transfer server used across thousands of organizations globally.
The flaw carries a CVSS score of 7.5, classifying it as high-severity. Attackers exploit this denial-of-service bug to crash the Serv-U service, disrupting file transfer operations and availability for dependent systems. Serv-U is deployed across enterprises, government agencies, and service providers that rely on the platform for secure file exchanges.
The KEV catalog listing indicates that exploitation has moved beyond proof-of-concept territory. CISA's addition signals that threat actors are actively weaponizing this vulnerability against live environments. Organizations running Serv-U should treat this as an immediate priority.
The vulnerability enables unauthenticated attackers to trigger service crashes without requiring valid credentials or complex exploitation chains. This lower barrier to entry accelerates adoption among threat actors with varying skill levels. A single successful exploitation attempt can knock Serv-U offline, potentially halting critical file transfer workflows across connected systems and partner networks.
Available sources do not show an immediate patch announcement from SolarWinds. Organizations should check SolarWinds security advisories for patch releases and deployment timelines. Interim mitigations include network segmentation that restricts access to Serv-U ports, disabling unnecessary protocols, and monitoring for abnormal connection patterns targeting the service.
The KEV catalog listing carries operational weight. Federal agencies and critical infrastructure operators face compliance pressure to remediate or mitigate known exploited vulnerabilities within defined timelines. Private sector organizations should treat the listing as a signal that exploit code is likely circulating publicly or within threat actor communities, elevating real-world risk.
