Skip to content
You can now search across every topic, entity and event.What's new
SolarWinds
OrganisationUS

SolarWinds

US IT monitoring vendor; SUNBURST supply-chain compromise set the doctrine benchmark for patient, low-noise intrusion.

Last refreshed: 14 June 2026 · Appears in 1 active topic

Key Question

How does SolarWinds' 14-month dwell time still define what a patient attacker looks like in 2026?

Timeline for SolarWinds

#818 Jun
#75 Jun

Shipped a hotfix in Serv-U 15.5.4 Hotfix 1 for the actively exploited denial-of-service flaw

Cybersecurity: Threats and Defences: SolarWinds Serv-U back on KEV list
#73 Jun
#61 Jun
#411 May
View full timeline →
Common Questions
What happened in the SolarWinds hack?
In 2020, Russia's SVR compromised SolarWinds' Orion software update, installing a backdoor (SUNBURST) on approximately 18,000 government and corporate networks, including multiple US federal departments. Attackers maintained undetected access for up to 14 months. It is the primary reference case for software supply-chain attacks.Source: CISA / FCEB
Why does everyone still talk about SolarWinds in 2026?
SolarWinds established identity and trusted-software channels as primary attack surfaces. The 2026 Stryker MDM wipe is the most direct successor: Handala achieved 200,000-device impact via a single identity credential, confirming the SolarWinds lesson was not operationally absorbed.Source: Lowdown analysis
How long did the SolarWinds attackers remain undetected?
Russia's SVR maintained undetected access to SolarWinds-compromised networks for up to 14 months before discovery. This dwell time set the benchmark for patient, low-noise supply-chain intrusion and is directly echoed by the 17-month gap between Oracle's January 2024 WebLogic patch and active exploitation detected in May 2026.Source: CISA / US CERT

Background

SolarWinds is a US IT management software company whose Orion platform was compromised in 2020 via a malicious update (SUNBURST) that installed a backdoor on approximately 18,000 government and corporate networks, including the US Treasury, Commerce, State and Energy departments. Attribution is to Russia's SVR Foreign Intelligence Service. Attackers maintained undetected access for up to 14 months before discovery, a dwell time that became the benchmark for patient, low-noise supply-chain intrusion and the direct catalyst for CISA's KEV programme and the Biden-era executive order on cyber security. The SEC subsequently brought charges against SolarWinds and its CISO over alleged inadequate disclosure practices following the incident.

SolarWinds' managed file-transfer product Serv-U returned to CISA's Known Exploited Vulnerabilities catalogue on 5 June 2026, when CVE-2026-28318 (a denial-of-service flaw in Serv-U versions 15.5.4 and earlier) was listed with a 19 June federal Deadline and flagged as an active ransomware-exploitation risk. An unauthenticated attacker sends a crafted deflate-header HTTP POST request that exhausts the service; SolarWinds shipped Serv-U 15.5.4 Hotfix 1 as the remediation. The flaw is a DoS rather than Remote Code Execution, but CISA's ransomware-risk flag reflects the pattern in which service disruption to managed file-transfer infrastructure is used to coerce ransom payment or mask data exfiltration running in parallel.

Across multiple update cycles, SolarWinds has functioned in this topic as the anchor reference for the supply-chain intrusion doctrine: SUNBURST demonstrated that trusted software distribution is a viable mass-scale attack vector that bypasses perimeter controls entirely, a lesson that recurs in the 2026 UNC6780 Shai-Hulud worm framework, the SAP npm compromise, and the Phantom Gyp binding.gyp variant. The Serv-U KEV addition underlines a second, quieter lesson: a company that has restructured its security posture in public, post-SUNBURST, is still producing products that attract active exploitation and federal action. The gap between declared security investment and shipped-product vulnerability surface is not closed by brand reputation alone.

More questions
What is the connection between SolarWinds and the Oracle WebLogic vulnerability in 2026?
Oracle WebLogic CVE-2024-21182 was patched in January 2024 and began delivering ransomware payloads via honeypot-observed exploitation in May 2026 — a 17-month gap that mirrors SolarWinds' 14-month undetected residency. Both cases share the same failure mode: the assumption that a patched or contained threat is resolved.Source: Lowdown analysis
Who did the SEC sue over the SolarWinds breach?
The US Securities and Exchange Commission brought charges against SolarWinds and its CISO (Timothy Brown) over allegedly inadequate public disclosures about the SUNBURST breach and the company's pre-incident cybersecurity posture.Source: SEC
What was the SolarWinds SUNBURST attack and who was behind it?
SUNBURST was a 2020 supply-chain compromise in which Russia's SVR inserted a malicious backdoor into SolarWinds Orion software updates, reaching approximately 18,000 government and corporate networks including US Treasury, Commerce, State and Energy departments. Attackers went undetected for up to 14 months.Source: event
Why is SolarWinds Serv-U on CISA's exploited vulnerabilities list in 2026?
CISA added CVE-2026-28318, a denial-of-service flaw in Serv-U versions 15.5.4 and earlier, on 5 June 2026 with a 19 June federal Deadline and a ransomware-risk flag. An unauthenticated attacker can crash the service by sending a crafted deflate-header HTTP POST. SolarWinds shipped a hotfix in Serv-U 15.5.4 Hotfix 1.Source: CISA KEV
What charges did the SEC bring against SolarWinds after the hack?
The SEC brought charges against SolarWinds and its chief information security officer alleging inadequate disclosures about the SUNBURST incident: specifically that public statements about the company's security posture were materially misleading given known internal vulnerabilities.
How long did Russian hackers stay inside SolarWinds customer networks?
Up to 14 months undetected in some cases, from approximately March 2020 until December 2020 when the breach was publicly disclosed. The dwell time became the benchmark reference for patient, low-noise supply-chain intrusion.Source: event