CISA adds actively exploited SolarWinds Serv-U flaw to its known-exploited list
The U.S. Cybersecurity and Infrastructure Security Agency has added a high-severity flaw in SolarWinds' Serv-U multi-protocol file transfer server software to its Known Exploited Vulnerabilities catalog, a designation reserved for bugs that agencies have confirmed are already being used in real-world attacks. The vulnerability, tracked as CVE-2026-28318 with a CVSS severity score of 7.5, is a denial-of-service issue that can let an attacker disrupt the availability of affected file-transfer servers — a category of software that has repeatedly been targeted in past years because of how widely it's deployed inside corporate networks to move sensitive files between systems and partners. CISA's listing effectively starts a clock for U.S. federal civilian agencies, which are required under binding operational directives to patch catalogued vulnerabilities within a set window, and it also signals strongly to private-sector security teams that they should prioritize the fix even if they aren't legally obligated to. Security researchers have noted that file-transfer software has become an especially attractive target for ransomware groups in recent years, since compromising or disabling it can both disrupt business operations directly and serve as a foothold for deeper intrusions into an organization's broader network.
