CISA has added CVE-2026-28318, the SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability, to its Known Exploited Vulnerabilities catalogue. The flaw affects SolarWinds Serv-U and can be triggered by unauthenticated, specially crafted POST requests that include a Content-Encoding: deflate header, causing the Serv-U service to crash.
The vulnerability is an uncontrolled resource consumption issue that leads to a denial-of-service condition. It carries a CVSS v3.1 base score of 7.5, rated HIGH, and can be exploited remotely without authentication. SolarWinds has released a patch and an advisory detailing the necessary mitigations.
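Until the patch is applied, defenders can look for the request pattern described above in HTTP logs captured in front of Serv-U. The following is an added detection example, not code from CISA or SolarWinds; it assumes a reverse proxy or capture that records the request method and Content-Encoding header (Serv-U's own logs may not), and it flags deflate-encoded POSTs for investigation rather than as proof of exploitation, since legitimate clients can also send compressed bodies.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed proxy-style format:
#   <client-ip> <method> <path> <status> "<Content-Encoding header or ->"
SAMPLE_LOG = """\
203.0.113.7 POST /api/login 200 "deflate"
203.0.113.7 POST /api/login 500 "DEFLATE"
198.51.100.4 GET /index.html 200 "-"
203.0.113.7 POST /api/login 500 "gzip, deflate"
192.0.2.9 POST /api/upload 200 "gzip"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, enc = m.groups()
    # Content-Encoding may list several codings; normalise case and drop "-".
    encodings = [e.strip().lower() for e in enc.split(",")
                 if e.strip() and e.strip() != "-"]
    return {"ip": ip, "method": method.upper(), "path": path,
            "status": int(status), "encodings": encodings}


def is_suspicious(rec):
    """POST bodies advertised as deflate-compressed match the advisory's trigger."""
    return rec["method"] == "POST" and "deflate" in rec["encodings"]


def find_deflate_posts(log_text):
    """Return every parsed record that matches the suspicious pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits


def sources_over_threshold(hits, threshold=2):
    """Group hits by client IP; repeated senders are worth a closer look."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def server_errors(hits):
    """Hits followed by a 5xx may line up with the service crash the advisory describes."""
    return [h for h in hits if h["status"] >= 500]
```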
Active exploitation has been observed, which is why the entry was placed in the KEV catalogue; there is no publicly known ransomware campaign leveraging this flaw at present. CISA has set a remediation deadline of 19 June 2026 for federal civilian executive branch (FCEB) agencies to address the issue.
CISA requires FCEB agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations cannot be applied. All organisations should review their exposure to SolarWinds Serv-U and implement the recommended actions promptly.
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-28318 and the CISA KEV catalogue.