CISA KEV Alert: SolarWinds Serv-U CVE-2026-28318 Is Actively Exploited — Here's What to Do Now
CISA's latest Known Exploited Vulnerability addition puts SolarWinds Serv-U in the crosshairs. Federal agencies have a hard remediation deadline; every other organization should treat it as one too.
Published 2026-06-05
# CISA KEV Alert: SolarWinds Serv-U CVE-2026-28318 Is Actively Exploited — Here's What to Do Now
On June 5, 2026, CISA added CVE-2026-28318 — a SolarWinds Serv-U Uncontrolled Resource Consumption vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog, confirming evidence of active exploitation in the wild.
What the Advisory Actually Says
CISA's KEV Catalog is not a theoretical watch-list. Under Binding Operational Directive 22-01, every Federal Civilian Executive Branch (FCEB) agency is legally required to remediate catalogued vulnerabilities by the assigned due date. The classification of CVE-2026-28318 as an Uncontrolled Resource Consumption flaw means an attacker can deliberately exhaust system resources on a vulnerable Serv-U instance — degrading availability, potentially crashing the service, and creating conditions that enable follow-on intrusion or data exfiltration.
SolarWinds Serv-U is a widely deployed managed file-transfer and FTP server platform used across government, healthcare, financial services, and critical infrastructure. Its presence in environments that also handle regulated data makes this advisory especially consequential.
Why This Matters Beyond Federal Networks
BOD 22-01 directly binds federal agencies, but the compliance ripple effect reaches every regulated organization:
- NIS2 (EU) — Article 21 requires operators of essential and important entities to apply patches and manage vulnerabilities as part of mandatory technical measures. Active exploitation elevates this from routine patching to an incident-risk trigger.
- ISO 27001:2022 / SOC 2 — Controls for vulnerability management (A.8.8 and CC7.1 respectively) require timely remediation of known, exploited weaknesses.
- PCI DSS v4.0 — Requirement 6.3 mandates that all system components are protected from known vulnerabilities by installing applicable security patches/updates.
- HIPAA — The Security Rule's Technical Safeguards require covered entities and business associates to guard against reasonably anticipated threats to ePHI — an actively exploited file-transfer vulnerability qualifies.
In short: if CISA has confirmed active exploitation, regulators under any of these frameworks will view unpatched Serv-U deployments as a control failure, not an oversight.
What You Should Do in the Next 7–30 Days
Within 7 days: 1. Inventory every Serv-U instance across on-premises, cloud, and third-party managed environments. Shadow IT deployments are the highest risk. 2. Apply the vendor-supplied patch as soon as it is available from SolarWinds. If a patch is not yet available, implement compensating controls — network segmentation, rate-limiting, and strict allowlist-based access to Serv-U ports. 3. Review Serv-U access logs for anomalous resource spikes, unusual authentication patterns, or unexpected outbound connections that could indicate prior compromise. 4. Notify your CISO and legal/compliance team so they can assess BOD 22-01 implications, contractual notification obligations, and any cyber-insurance reporting requirements.
Within 30 days: 1. Map the remediation to your compliance posture across NIS2, SOC 2, ISO 27001, HIPAA, and PCI DSS. Document patch deployment with timestamps — auditors will ask. 2. Run a targeted vulnerability scan post-patch to confirm remediation and close the finding in your risk register. 3. Update your continuous monitoring rules to alert on future KEV additions that touch your asset inventory automatically.
Start Your Free Trial and Let GoSOC AI Do the Heavy Lifting
RDS GoSOC AI maps every KEV addition, patch event, and anomaly directly to all 16 supported compliance frameworks — including NIS2, SOC 2, ISO 27001, HIPAA, and PCI DSS — so your team never has to manually cross-reference advisories again. Start a 14-day free trial at the GoSOC platform: every paid feature is fully unlocked from day one, and no credit card is required. Once you're inside, open the User Guide tab for a structured walkthrough, or ask Sage — the platform's AI assistant — to walk you through framework mapping and alert tuning for exactly this type of KEV-triggered event.