Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

SolarWinds Serv-U back on KEV list

3 min read
08:46UTC

CISA added a SolarWinds Serv-U denial-of-service flaw to its exploited-vulnerabilities catalogue on 5 June and flagged it as a ransomware risk; SolarWinds has shipped a hotfix.

TechnologyDeveloping
Key takeaway

A crash-only Serv-U flaw is low-ceiling, but the SolarWinds name keeps any new exposure under scrutiny.

CISA listed CVE-2026-28318, a denial-of-service flaw in SolarWinds Serv-U, on its KEV (Known Exploited Vulnerabilities) register on 5 June with a 19 June federal deadline, and flagged it as a ransomware-exploitation risk 1. Serv-U is SolarWinds' managed file-transfer product, the same category of internet-facing software that ransomware crews favour for the sensitive data it moves. An unauthenticated attacker sends a crafted deflate-header HTTP request that exhausts the service and crashes it; SolarWinds has shipped a fix in Serv-U 15.5.4 Hotfix 1.

The flaw is a crash, not code execution, which caps what an attacker can do with it: disruption rather than a foothold. The weight comes from the name. SolarWinds has been the reference point for supply-chain risk since the SUNBURST compromise of its Orion platform in 2020, so any fresh exploited flaw in its estate draws scrutiny a comparable mid-tier vendor would not. This entry joins the busy early-June KEV cluster of file-transfer and web-server additions , keeping the catalogue's listing tempo high through the month.

Deep Analysis

In plain English

SolarWinds makes a file-transfer product called Serv-U that companies use to move files securely between internal systems or with external partners. A security flaw called CVE-2026-28318 was found in Serv-U: an attacker with no login credentials can send a specially crafted web request that crashes the Serv-U service, taking it offline. The US government's CISA agency listed this flaw on 5 June 2026 as a must-fix for federal agencies by 19 June. It also flagged the flaw as a ransomware risk, which is unusual for a crash-only flaw. The concern is that ransomware groups crash Serv-U deliberately before running an attack, because the crash disables logging and monitoring of file transfers during the period when they are stealing data. SolarWinds shipped a fix in version 15.5.4 Hotfix 1.

What could happen next?
  • Risk

    Organisations running SolarWinds Serv-U versions 15.5.4 and earlier should apply Hotfix 1 before the 19 June 2026 deadline; the ransomware-exploitation risk flag indicates active use of the DoS crash as a pre-attack step in current campaigns.

  • Precedent

    CISA's ransomware-exploitation risk flag on a DoS-only flaw extends the KEV ransomware-risk category beyond code-execution vulnerabilities for the first time in 2026, potentially changing how security teams triage DoS flaws in file-transfer products.

First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

Bitdefender· 14 Jun 2026
Read original
Causes and effects
This Event
SolarWinds Serv-U back on KEV list
A crash-only flaw caps its own ceiling, but the SolarWinds brand keeps any new exposure under unusual scrutiny.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.