Cybersecurity: Threats and Defences
14 Jun

SolarWinds Serv-U back on KEV list

11:51 UTC

CISA added a SolarWinds Serv-U denial-of-service flaw to its exploited-vulnerabilities catalogue on 5 June and flagged it as a ransomware risk; SolarWinds has shipped a hotfix.

Key takeaway

A crash-only Serv-U flaw has a low ceiling, but the SolarWinds name keeps any new exposure under scrutiny.

CISA listed CVE-2026-28318, a denial-of-service flaw in SolarWinds Serv-U, in its Known Exploited Vulnerabilities (KEV) catalogue on 5 June with a 19 June federal remediation deadline, and flagged it as a ransomware-exploitation risk [1]. Serv-U is SolarWinds' managed file-transfer product, the same category of internet-facing software that ransomware crews favour for the sensitive data it moves. An unauthenticated attacker sends a crafted HTTP request carrying a deflate header that exhausts the service and crashes it; SolarWinds has shipped a fix in Serv-U 15.5.4 Hotfix 1.

The flaw is a crash, not code execution, which caps what an attacker can do with it: disruption rather than a foothold. The weight comes from the name. SolarWinds has been the reference point for supply-chain risk since the SUNBURST compromise of its Orion platform in 2020, so any fresh exploited flaw in its estate draws scrutiny that a comparable mid-tier vendor would not. This entry joins the busy early-June KEV cluster of file-transfer and web-server additions, keeping the catalogue's listing tempo high through the month.

Deep Analysis

In plain English

SolarWinds makes a file-transfer product called Serv-U that companies use to move files securely between internal systems or with external partners. A security flaw, CVE-2026-28318, was found in Serv-U: an attacker with no login credentials can send a specially crafted web request that crashes the Serv-U service and takes it offline. The US Cybersecurity and Infrastructure Security Agency (CISA) listed the flaw on 5 June 2026 as a must-fix for federal agencies by 19 June, and flagged it as a ransomware risk, which is unusual for a crash-only flaw. The concern is that ransomware groups crash Serv-U deliberately before running an attack, because the crash disables logging and monitoring of file transfers during the period when they are stealing data. SolarWinds shipped a fix in version 15.5.4 Hotfix 1.

What could happen next?
  • Risk

    Organisations running SolarWinds Serv-U 15.5.4 or earlier should move to 15.5.4 and apply Hotfix 1 before the 19 June 2026 deadline; the ransomware-exploitation risk flag indicates active use of the DoS crash as a pre-attack step in current campaigns.

  • Precedent

    CISA's ransomware-exploitation risk flag on a DoS-only flaw extends the KEV ransomware-risk category beyond code-execution vulnerabilities for the first time in 2026, potentially changing how security teams triage DoS flaws in file-transfer products.
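The triage the Risk and Precedent items describe, as an added example that is not part of the original page or of any SolarWinds or CISA tooling: a Python script that reads a feed in the CISA KEV JSON layout and orders entries by federal due date, with the ransomware flag as a tiebreak, so the KEV deadline rather than the vendor advisory drives the patch plan. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are those of the feed CISA publishes. The two-entry feed embedded below is constructed for the example: the Serv-U row uses the dates the page gives, the second row is a placeholder and not a real CVE. The feed URL and the 14 June 2026 reference date are assumptions.

```python
"""KEV deadline triage.

Added example (not code from the original page): rank entries of a
KEV-format feed by federal due date, ransomware-flagged entries first
among those due the same day. Field names match the JSON feed CISA
publishes; the feed URL is an assumption and SAMPLE_FEED is constructed.
"""
import json
import urllib.request
from datetime import date

# Assumed location of the live feed; never fetched by default, so the
# script runs offline against SAMPLE_FEED.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed two-entry feed. The Serv-U row carries the dates from the
# page; the second row is a placeholder (not a real CVE) that shows an
# overdue, unflagged item.
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-28318",
            "vendorProject": "SolarWinds",
            "product": "Serv-U",
            "dateAdded": "2026-06-05",
            "dueDate": "2026-06-19",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2026-05-20",
            "dueDate": "2026-06-10",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ]
})


def parse_kev(feed_text):
    """Return the list of vulnerability records from a KEV JSON document."""
    return json.loads(feed_text)["vulnerabilities"]


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download the live feed (needs network access; not used by default)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def triage(entries, today, vendors=None, products=None):
    """Rank KEV entries by urgency.

    today: a date or an ISO date string. vendors/products: optional sets
    that restrict the view to what is actually in the estate. Sort key:
    days until the federal due date (overdue first), then flagged before
    unflagged, then CVE id for a stable order.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for e in entries:
        if vendors and e["vendorProject"] not in vendors:
            continue
        if products and e["product"] not in products:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        rows.append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "added": e["dateAdded"],
            "due": e["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (r["days_left"], not r["ransomware"], r["cve"]))
    return rows


def format_row(r):
    """One-line summary suitable for a ticket or a daily report."""
    state = f"OVERDUE by {-r['days_left']}d" if r["overdue"] else f"{r['days_left']}d left"
    flag = " [ransomware]" if r["ransomware"] else ""
    return f"{r['cve']:<16} {r['product']:<28} due {r['due']} {state}{flag}"


if __name__ == "__main__":
    # Reference date is the page date; swap in date.today() for live use.
    for row in triage(parse_kev(SAMPLE_FEED), "2026-06-14"):
        print(format_row(row))
```

Against the sample on 14 June the placeholder entry sorts first (four days overdue), then Serv-U with five days left and the ransomware flag. The real feed carries further fields (`vulnerabilityName`, `requiredAction`, `notes`) that this script ignores; pass `vendors={"SolarWinds"}` or `products={"Serv-U"}` to cut the list down to the estate.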

First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

Bitdefender · 14 Jun 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.