cisa · regulator · News · The Broadside · 1 min read

CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV

For federal civilian agencies, the listing turns an exploited Serv-U flaw into a BOD 22-01 remediation clock.


TL;DR

CISA added CVE-2026-28318, a SolarWinds Serv-U uncontrolled resource consumption vulnerability, to the Known Exploited Vulnerabilities Catalog after evidence of active exploitation. Federal Civilian Executive Branch agencies covered by Binding Operational Directive 22-01 must remediate KEV-listed flaws by CISA’s due date. The supplied alert text does not state the deadline or whether SolarWinds had issued a patch as of publication.

CISA’s June 5 alert is a routine KEV update with a real operational consequence: CVE-2026-28318 is no longer just a SolarWinds Serv-U vulnerability to track; it is an actively exploited flaw on CISA’s Known Exploited Vulnerabilities Catalog. Federal Civilian Executive Branch agencies subject to Binding Operational Directive 22-01 must remediate listed vulnerabilities by CISA’s due date. Teams running Serv-U outside the federal mandate should still treat the catalog entry as a prioritization signal, while checking the KEV record and SolarWinds guidance for the remediation deadline and available fixes.


Published · Deep Fathom
