Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities SC Media

Hackers actively exploit SolarWinds Serv-U flaw to crash servers, CISA warns

A high-severity denial-of-service vulnerability (CVE-2026-28318, CVSS 7.5) in SolarWinds Serv-U file transfer software is being actively exploited. Attackers can crash the Serv-U service via low-complexity, unauthenticated POST requests. Affected versions are Serv-U prior to version 15.5.4, and organizations must upgrade to Serv-U 15.5.4 immediately; CISA has mandated federal agencies to patch by June 19 and urges all other entities to apply mitigations or discontinue use if patching is not possible.

Vulnerability Management

June 5, 2026, by SC Staff

Hackers are actively exploiting a recently patched high-severity SolarWinds Serv-U flaw, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today. The vulnerability allows attackers to crash servers through specially crafted requests, with further coverage provided by Bleeping Computer.

The vulnerability, tracked as CVE-2026-28318, is a denial-of-service flaw in SolarWinds Serv-U file transfer software. Attackers can exploit it with low-complexity, unauthenticated POST requests that cause the Serv-U service to crash.

CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog and mandated federal agencies to patch by June 19. While the mandate applies to U.S. government agencies, CISA urges all organizations, including the private sector, to apply mitigations or discontinue use if mitigations are unavailable.

This Serv-U flaw follows a history of vulnerabilities in SolarWinds products being exploited by various threat actors, including ransomware gangs and state-sponsored groups, highlighting the ongoing risks associated with unpatched software in critical infrastructure.

Source: Bleeping Computer