THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-06-F1
CYBER · cves zero days · 2026-06-06SCOOP 56

CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash file-transfer servers

CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw under active exploitation, to its Known Exploited Vulnerabilities catalog late Friday, ordering federal civilian agencies to remediate by June 19 unde.

·FILED ISSUE 2026-06-06·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • CISA added CVE-2026-28318 to the KEV catalog on June 5 with an FCEB remediation deadline of June 19
  • Unauthenticated attackers can crash Serv-U remotely via POST requests with a Content-Encoding: deflate header (CVSS 7.5, CWE-400)
  • SolarWinds released Serv-U 15.5.4 Hotfix 1 on June 4; EOL versions 15.4.2, 15.5 and 15.5.1 are also affected
  • CISA confirmed active exploitation but attackers are unidentified, with no known ransomware involvement
  • Shodan tracks more than 12,000 Serv-U servers exposed online

VERDICT — CONFIRMED

curated-2src confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash file-transfe
Cybersecurity News

CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw under active exploitation, to its Known Exploited Vulnerabilities catalog late Friday, ordering federal civilian agencies to remediate by June 19 under Binding Operational Directive 22-01 as coverage spread through the weekend. The uncontrolled resource consumption bug (CWE-400, CVSS 7.5) lets unauthenticated attackers remotely crash Serv-U file-transfer services by sending specially crafted HTTP POST requests carrying a "Content-Encoding: deflate" header.

SolarWinds had released Serv-U 15.5.4 Hotfix 1 a day earlier, on Thursday June 4; the flaw affects Serv-U 15.5.4 as well as end-of-life versions 15.4.2, 15.5 and 15.5.1. CISA confirmed in-the-wild exploitation but provided no detail on the attackers, and there is no indication so far of ransomware gangs leveraging the bug.

Shodan shows more than 12,000 Serv-U servers exposed on the internet, underscoring the available attack surface. SecurityWeek noted it remains unclear who is behind the attacks, while researchers urged administrators to patch immediately and monitor for anomalous POST requests using the deflate header.

Why it matters

an actively exploited crash bug in managed file-transfer software draws an emergency federal deadline because the file-transfer tier — from MOVEit to GoAnywhere — has become the extortion economy's favorite point of leverage, making any exploited Serv-U flaw a potential precursor to worse.

Key facts on file

  • CISA added CVE-2026-28318 to the KEV catalog on June 5 with an FCEB remediation deadline of June 19
  • Unauthenticated attackers can crash Serv-U remotely via POST requests with a Content-Encoding: deflate header (CVSS 7.5, CWE-400)
  • SolarWinds released Serv-U 15.5.4 Hotfix 1 on June 4; EOL versions 15.4.2, 15.5 and 15.5.1 are also affected
  • CISA confirmed active exploitation but attackers are unidentified, with no known ransomware involvement
  • Shodan tracks more than 12,000 Serv-U servers exposed online

OFFICIAL RECORD

CISA (Known Exploited Vulnerabilities catalog)
— (2026-06-05) · fetched at filing · archived at publication

Sources · two-source rule

CORROB.Cybersecurity News— (2026-06-06)
CORROB.SecurityWeek— Ionut Arghire (2026-06-08)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-06-f1 · filed 2026-06-06 · https://thedwire.com/wire/cyb-2026-06-06-f1-cisa-orders-agencies-to-patch-solarwinds-serv-u-flaw-being.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root
CYBER · SCOOP 82

Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root on Catalyst SD-WAN Manager; no patch

Cisco disclosed CVE-2026-20245 on June 5, 2026, a privilege-escalation/command-injection zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager, the seventh SD-WAN zero-day Cisco has confirmed exploited in 2026. The flaw stems from insufficient validation of user-supplied input: an authenticated attacker holding 'netadmin

✓ verifiedSOURCE ↗
READ THE FILE ›
May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The
CYBER · SCOOP 68

May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The Gentlemen (71), DragonForce (51) lead

Ransomware leak-site activity rose modestly in May 2026, with 661 incidents tracked globally (Comparitech data via Industrial Cyber), a 3% increase over April's 640, and nearly 115 TB of data claimed stolen across reported attacks. Qilin remained the most active operation with 97 claimed attacks, though down about 10% from April's 108; Th

✓ verifiedSOURCE ↗
READ THE FILE ›
Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center
Meta
CYBER · SCOOP 71

Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center infrastructure; 63 arrested

Meta, Microsoft, Coinbase, SpaceX and other technology companies announced a joint disruption of criminal scam networks in Southeast Asia alongside the U.S. Department of Justice, the FBI and the Royal Thai Police, in coordinated operations spanning Washington, D.C. and Bangkok. The action, unveiled overnight into June 4, followed the fir

✓ verifiednewSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.