CISA Adds SolarWinds Serv-U DoS Flaw to Known Exploited Vulnerabilities List
CVE-2026-28318 crashes the Serv-U file transfer service in the wild. Federal agencies have roughly three weeks to patch. Everyone else should treat that deadline as their own.

A denial-of-service vulnerability in SolarWinds Serv-U is being actively exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency to add it to the Known Exploited Vulnerabilities catalog.
What the Vulnerability Does
Tracked as CVE-2026-28318 and carrying a CVSS score of 7.5, the flaw targets Serv-U's multi-protocol file server engine. When an attacker triggers it, the Serv-U service crashes. No remote code execution. No documented path to data theft. The service simply stops.
That sounds manageable. It isn't.
Enterprises run Serv-U as the backbone of regulated file transfer workflows — SFTP, FTPS, HTTPS pipelines that move payroll data, EDI feeds between trading partners, and compliance documents that can't be late. When the daemon goes down, those pipelines freeze. In financial services or healthcare, a few hours of downtime during a scheduled batch transfer window can carry real operational and regulatory consequences.
A Product With a Complicated History
Serv-U is not just any file transfer tool. It sits inside the SolarWinds product family, the same vendor ecosystem that became the center of the 2020 supply-chain compromise — an incident that rewired how security teams assess third-party software risk. That history means every new Serv-U CVE receives scrutiny that a comparable flaw in a less prominent product might not.
The scrutiny is warranted. CVE-2024-28995, a directory traversal vulnerability in Serv-U disclosed in 2024, was mass-exploited within days of public disclosure. Threat actors clearly watch this product line. A new KEV listing is a signal that someone, somewhere, is already running the proof-of-concept.
CISA's catalog entry does not name the threat actor or describe the specific campaign. KEV entries rarely do. A DoS bug being weaponized in the wild typically points to one of two scenarios: opportunistic disruption aimed at knocking a target offline, or a precursor technique designed to force a failover into a less hardened system path. Neither is comfortable. There is no mention of ransomware involvement at this stage.
What BOD 22-01 Requires
CISA's KEV listing activates Binding Operational Directive 22-01. Federal civilian executive branch agencies must patch or remove the affected software within a fixed remediation window — typically 21 days from the catalog entry date. Miss the deadline and the agency is out of compliance.
Private-sector operators are not legally bound by BOD 22-01. But the KEV catalog is the closest thing the U.S. government publishes to an authoritative "patch this immediately" list. The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector grew 180 percent year-over-year — context that makes any active-exploitation confirmation significant, not academic.
If your organization has a mature patching program, the KEV deadline is your deadline too.
Why a DoS Bug Deserves Serious Attention
Denial-of-service flaws sometimes get deprioritized because they don't hand an attacker your data directly. That logic fails in two situations.
First, managed file transfer systems are often availability-critical. Missing a payroll file drop or an EDI cutoff isn't a minor inconvenience — it can trigger contractual penalties or regulatory findings. Second, a service that crashes and auto-restarts is a service that generates logs. If Serv-U has been restarting unexpectedly for weeks, operators need to know whether those crashes predate the KEV listing. Crashes that started before the public disclosure suggest the vulnerability was known to attackers before it was known to defenders.
Log retention and log review are not optional here.
The Human Factor Nobody Is Talking About
Vulnerability management is a process problem as much as a technical one. Patch cadences slip when security teams are understaffed, when asset inventories are incomplete, or when no one is certain which team owns the Serv-U instance. In organizations where file transfer infrastructure was stood up by a specific business unit rather than central IT, the server may not even appear in the CMDB.
This is where security awareness extends beyond phishing simulations. Training IT staff and system owners to recognize KEV listings as mandatory action items — not suggestions — is a measurable gap in many programs. Organizations that run structured security awareness training close that gap by building a culture where the entire technical workforce understands escalation signals and acts on them.
What Serv-U Operators Should Do Right Now
The remediation path is straightforward, even if execution takes effort.
Check the SolarWinds security advisories page for the fixed build number and apply it. SolarWinds publishes patch details through its trust center; that is the authoritative source for version guidance.
Restrict network exposure while patching is in progress. If the Serv-U management interface and file transfer ports are reachable from the open internet, lock them down to known partner IP ranges immediately. This doesn't fix the vulnerability, but it shrinks the attack surface.
Review crash logs going back at least 60 days. Unexpected Serv-U restarts are the cleanest indicator that someone is throwing the exploit at the service. If crashes predate the KEV listing, treat that as a potential breach indicator and begin a formal investigation.
Verify asset inventory. Confirm every Serv-U instance your organization runs — including those owned by business units outside central IT — is accounted for and covered by the patch.
Federal agencies should already have a remediation ticket open and assigned. Private-sector operators running Serv-U for regulated workflows should treat the BOD 22-01 window as their own internal SLA. The exploit is live. The fix exists. The only variable is how long it takes to apply it.
How faster patching culture could have blunted this threat
- Audit your asset inventory now — confirm every Serv-U instance is tracked, owned, and covered by your patch SLA, including those deployed by business units outside central IT.
- Set an internal remediation deadline matching the CISA BOD 22-01 window (21 days) for all KEV-listed vulnerabilities, regardless of whether your organization is a federal agency.
- Train IT staff and system owners to recognize CISA KEV listings as mandatory escalation signals, not optional guidance — close the awareness gap before the next active exploit lands.
Train2Secure helps technical teams build the operational security habits that turn advisories into closed tickets — see how at [train2secure.com/free-trial](https://train2secure.com/free-trial).
Start free — no card requiredSources & further reading
Frequently asked questions
What does CVE-2026-28318 actually do to a SolarWinds Serv-U server?
It crashes the Serv-U service process. There is no documented path to remote code execution or direct data exfiltration — but any file transfer workflow running through that Serv-U instance stops until the service is restarted or the system is patched.
Are private-sector companies required to patch under BOD 22-01?
No. Binding Operational Directive 22-01 applies only to federal civilian executive branch agencies. However, CISA's Known Exploited Vulnerabilities catalog confirms active exploitation in the wild, and most mature security programs treat KEV listings as mandatory action items regardless of regulatory obligation.
How can we tell if our Serv-U server has already been targeted by this exploit?
Review service crash logs and Windows Event Logs for unexpected Serv-U restarts. If crashes appear before the CVE's public disclosure date, treat that timeline as a potential breach indicator and escalate to a formal investigation. Restrict port access and apply the vendor-supplied patch immediately.
Why do security teams keep a close eye on every new SolarWinds Serv-U CVE?
Two reasons. First, CVE-2024-28995 — a directory traversal flaw in the same product — was mass-exploited within days of disclosure in 2024, establishing a pattern of rapid weaponization. Second, SolarWinds is the vendor at the center of the 2020 supply-chain compromise, so the security community applies heightened scrutiny to every new finding in that product family.



