© 2026 AIGovHub. All rights reserved.

CISA Warns of Active Exploitation of SolarWinds Serv-U Vulnerability: NIS2 and DORA Compliance Implications

Tags: SolarWinds Serv-U vulnerability, NIS2 compliance, DORA incident reporting, CVE-2026-28318, supply chain security

AIGovHub Editorial | June 7, 2026

Introduction

On June 4, 2026, SolarWinds released a hotfix for a high-severity denial-of-service (DoS) vulnerability in its Serv-U managed file transfer (MFT) software, tracked as CVE-2026-28318. Days later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog, warning that attackers are actively exploiting it to crash Internet-facing Serv-U servers. The incident is a reminder that a single vulnerability in a third-party product can take down a service many organizations depend on, and of the incident reporting and vulnerability management obligations that the EU's NIS2 Directive and Digital Operational Resilience Act (DORA) attach to exactly that situation.

Incident Overview: CVE-2026-28318 and Active Exploitation

CVE-2026-28318 is a denial-of-service vulnerability in SolarWinds Serv-U that lets an unauthenticated remote attacker crash the service by sending specially crafted POST requests carrying a Content-Encoding: deflate header. No credentials are needed, so every instance whose HTTP(S) listener the attacker can reach is exposed. The vulnerability affects all versions prior to Serv-U 15.5.4 Hotfix 1, which SolarWinds released on June 4, 2026. As an interim workaround, SolarWinds recommends blocking POST requests that carry a Content-Encoding header (for example at a reverse proxy or web application firewall in front of Serv-U); before enabling it, confirm that no legitimate integration compresses its request bodies, since those requests would be dropped as well.

CISA added CVE-2026-28318 to its KEV catalog on June 12, 2026, which under Binding Operational Directive (BOD) 22-01 obliges federal civilian agencies to remediate it by June 19. The agency also urged private-sector organizations to secure their networks. According to CISA, over 12,000 Serv-U servers are exposed online, a large attack surface for a flaw that requires no authentication. This is not the first time Serv-U vulnerabilities have been exploited; earlier Serv-U flaws have been targeted by ransomware operators and state-backed attackers.

NIS2 and DORA Compliance Obligations

The SolarWinds Serv-U vulnerability directly intersects with two key EU regulatory frameworks: the NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). Both impose strict requirements on incident reporting, vulnerability management, and supply chain security.

NIS2: Incident Reporting and Vulnerability Management

NIS2 applies to essential and important entities across 18 sectors, including energy, transport, health, digital infrastructure, and ICT service management. Under NIS2, organizations must:

  • Report significant incidents to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
  • Implement risk management measures that cover, among other things, vulnerability handling and disclosure, supply chain security, incident handling, and business continuity.
  • Ensure management bodies approve and oversee the cybersecurity risk management measures and can be held accountable for failures.

Exploitation of CVE-2026-28318 takes the file transfer service down. Under NIS2 an incident is significant when it has caused or is capable of causing severe operational disruption or financial loss to the entity, or considerable damage to other persons; an outage of an Internet-facing MFT server that carries customer or partner files will often meet that bar, so entities running Serv-U should treat a confirmed crash as a potentially reportable incident. The 24-hour clock runs from the moment the entity becomes aware of the incident, so detection and reporting cannot be separate processes: the entity needs to be able to recognize the exploitation pattern (POST requests carrying a Content-Encoding header followed by service failures), record when it was first seen, and hand that finding straight to whoever files the early warning.

DORA: Incident Reporting and ICT Risk Management

DORA has applied to financial entities, including banks, insurers, investment firms, and crypto-asset service providers, since January 17, 2025. DORA requires:

  • Reporting of major ICT-related incidents to the competent authority in three stages: an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.
  • An ICT risk management framework covering identification, protection and prevention, detection, response, and recovery, which is where patch management sits.
  • ICT third-party risk management, including assessment and contractual oversight of vendors such as SolarWinds.
  • Digital operational resilience testing, including vulnerability assessments and scans whose findings feed back into patching.

A DoS vulnerability like CVE-2026-28318 in a widely used file transfer tool can stall payment files, settlement batches, or regulatory submissions that move over MFT. Under DORA, financial entities must be able to identify such vulnerabilities, apply patches, classify the resulting outage against the major-incident criteria, and report within the timelines above.

Steps for Compliance: Patch Management, Incident Response, and Vendor Risk Assessment

To align with NIS2 and DORA requirements, organizations should take the following steps in response to CVE-2026-28318 and similar supply chain vulnerabilities.

1. Patch Management

  • Apply the SolarWinds hotfix (Serv-U 15.5.4 Hotfix 1) to every Serv-U instance and confirm the installed version afterwards; do not stop at the workaround.
  • If patching is delayed, implement the workaround (blocking POST requests that carry a Content-Encoding header, for example at a reverse proxy or WAF in front of Serv-U) and remove it once the hotfix is verified.
  • Establish a vulnerability management process that checks CISA's KEV catalog and vendor advisories against an up-to-date asset inventory, prioritizing by confirmed exploitation and exposure rather than by CVSS score alone.
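The last step, checking the KEV catalog against your own inventory, is straightforward to automate. The Python script below is an added example written for this article, not SolarWinds, CISA or AIGovHub code. It parses a KEV-style JSON excerpt, compares each installed Serv-U build against the first fixed build and reports how many days remain on the BOD 22-01 due date. The field names follow CISA's public KEV JSON feed; the catalog entry is constructed from the details in this article, and the asset inventory, hostnames and FIXED_VERSIONS mapping are made up for the example.

```python
"""Match a CISA KEV catalog excerpt against an asset inventory.

Added example for this article, not SolarWinds, CISA or AIGovHub code.
Field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction)
follow CISA's public KEV JSON feed; the catalog entry below is CONSTRUCTED from
the advisory details in the article, and the asset list is a made-up sample.
"""
from __future__ import annotations

import json
import re
from datetime import date

# Constructed KEV excerpt. In production, fetch the live feed from
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [{
        "cveID": "CVE-2026-28318",
        "vendorProject": "SolarWinds",
        "product": "Serv-U",
        "vulnerabilityName": "SolarWinds Serv-U Denial-of-Service Vulnerability",
        "dateAdded": "2026-06-12",
        "shortDescription": "Unauthenticated POST with Content-Encoding: deflate crashes the service.",
        "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
        "dueDate": "2026-06-19",
        "knownRansomwareCampaignUse": "Unknown",
    }],
})

# Assumed, team-maintained mapping of (vendor, product) -> first fixed build.
# The KEV feed itself carries no fixed-version data.
FIXED_VERSIONS = {("solarwinds", "serv-u"): "15.5.4 Hotfix 1"}

# Constructed inventory; hostnames are placeholders.
ASSETS = [
    {"host": "mft01.example.internal", "vendor": "SolarWinds", "product": "Serv-U", "version": "15.5.4"},
    {"host": "mft02.example.internal", "vendor": "SolarWinds", "product": "Serv-U", "version": "15.5.4 Hotfix 1"},
    {"host": "mft03.example.internal", "vendor": "SolarWinds", "product": "Serv-U", "version": "15.4.2 HF2"},
    {"host": "web01.example.internal", "vendor": "nginx", "product": "nginx", "version": "1.26.0"},
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(?:hotfix|hf)?\s*(\d+)?", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, ...]:
    """'15.5.4 Hotfix 1' -> (15, 5, 4, 1); '15.4.2 HF2' -> (15, 4, 2, 2); '15.5.4' -> (15, 5, 4, 0).

    The hotfix level becomes a fourth component so that a plain 15.5.4 sorts
    below 15.5.4 Hotfix 1, which is exactly the comparison this advisory needs.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad to major.minor.patch
    parts.append(int(m.group(2) or 0))       # hotfix level, 0 when absent
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed build predates the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def match_kev(kev_json: str, assets: list[dict], today: date) -> list[dict]:
    """One finding per asset still exposed to a KEV entry, with days left to the due date.

    If no fixed version is recorded for a listed product, every instance of it is
    flagged: an unknown patch state on a KEV-listed product is a finding, not a pass.
    """
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        fixed = FIXED_VERSIONS.get(key)
        for asset in assets:
            if (asset["vendor"].lower(), asset["product"].lower()) != key:
                continue
            if fixed is not None and not is_vulnerable(asset["version"], fixed):
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "installed": asset["version"],
                "fixed": fixed,
                "due": entry["dueDate"],
                "days_left": (date.fromisoformat(entry["dueDate"]) - today).days,
                "action": entry["requiredAction"],
            })
    return findings


if __name__ == "__main__":
    for f in match_kev(KEV_JSON, ASSETS, date(2026, 6, 14)):
        print(f"{f['host']}: {f['cve']} installed={f['installed']} fixed={f['fixed']} "
              f"due={f['due']} ({f['days_left']} days left)")
```

Run against the constructed inventory on June 14, the script flags mft01 (plain 15.5.4) and mft03 (an older hotfix line) with five days left, and passes mft02, which already runs Hotfix 1. Vendor version strings are the weak point of any such check: Serv-U's "Hotfix" suffix is handled here, but each product in your inventory needs its own parser, and anything the parser cannot read should fail loudly rather than silently count as patched.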

2. Incident Response Plan

  • Update incident response playbooks to cover exploitation of file transfer and other edge-facing third-party software, including who decides whether an incident is significant (NIS2) or major (DORA).
  • Ensure detection covers POST requests carrying a Content-Encoding header toward Serv-U, repeated service crashes or restarts, and the resulting loss of availability, and that alerts record the time of first detection, because the reporting clocks run from awareness.
  • Rehearse reporting so that the NIS2 24-hour early warning and the DORA initial notification can be sent on time with the information available at that point.
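The detection and the reporting clock in the two steps above, together with the vendor workaround from the incident overview, can be expressed as one small detector. The Python below is an added example written for this article, not SolarWinds, CISA or AIGovHub code. It assumes Serv-U's HTTP(S) listener sits behind a reverse proxy or WAF that logs the request method, path, the request's Content-Encoding header and the upstream status code; the log format and every log line are constructed for this example, and the IP addresses are documentation ranges. The workaround predicate (block any POST with a Content-Encoding header) is kept separate from the exploit signature (Content-Encoding: deflate) so the difference between what you block and what you alert on is explicit.

```python
"""Detect CVE-2026-28318 exploitation attempts in proxy access logs and start the reporting clock.

Added example for this article, not SolarWinds, CISA or AIGovHub code. It assumes
Serv-U's HTTP(S) listener sits behind a reverse proxy or WAF that logs the method,
path, the request's Content-Encoding header and the upstream status code. The log
format and every log line below are CONSTRUCTED for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: <utc-ts> <client> <method> <path> enc=<Content-Encoding or -> status=<code>
SAMPLE_LOG = """\
2026-06-10T08:14:55Z 203.0.113.5 GET / enc=- status=200
2026-06-10T08:15:02Z 198.51.100.23 POST /api/login enc=deflate status=502
2026-06-10T08:15:03Z 198.51.100.23 POST /api/login enc=deflate status=502
2026-06-10T08:15:03Z 198.51.100.23 POST /api/login enc=deflate status=502
2026-06-10T08:15:09Z 203.0.113.5 POST /api/upload enc=- status=200
2026-06-10T08:16:40Z 192.0.2.77 POST /api/login enc=gzip status=200
2026-06-10T08:17:01Z 198.51.100.23 POST /api/login enc=deflate status=502
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"enc=(?P<enc>\S+) status=(?P<status>\d{3})$"
)


def is_workaround_hit(method: str, content_encoding: str | None) -> bool:
    """Vendor workaround as a predicate: block every POST that carries any Content-Encoding."""
    return method == "POST" and content_encoding not in (None, "", "-")


def is_exploit_signature(method: str, content_encoding: str | None) -> bool:
    """Trigger described in the advisory: POST with Content-Encoding: deflate."""
    return method == "POST" and (content_encoding or "").lower() == "deflate"


def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line)
    if not m:
        return None                      # unknown format: skip, never crash the detector
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text: str) -> dict[str, dict]:
    """Per source IP: deflate POSTs seen, how many were answered 5xx, first/last seen.

    A deflate POST answered with 5xx is the DoS actually landing; a deflate POST
    answered 2xx/4xx on a patched host is still a probe worth keeping.
    """
    per_src: dict[str, dict] = defaultdict(
        lambda: {"deflate_posts": 0, "upstream_5xx": 0, "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_exploit_signature(rec["method"], rec["enc"]):
            continue
        s = per_src[rec["src"]]
        s["deflate_posts"] += 1
        if rec["status"] >= 500:
            s["upstream_5xx"] += 1
        s["first_seen"] = rec["ts"] if s["first_seen"] is None else min(s["first_seen"], rec["ts"])
        s["last_seen"] = rec["ts"] if s["last_seen"] is None else max(s["last_seen"], rec["ts"])
    return dict(per_src)


def reporting_clock(aware_at: datetime) -> dict[str, datetime]:
    """Outer reporting deadlines measured from the moment the entity becomes aware.

    NIS2 Art. 23: early warning within 24h, incident notification within 72h.
    DORA incident-reporting standards: initial notification within 4h of classifying
    the incident as major and no later than 24h from awareness; the classification
    time is not known here, so only the 24h outer bound is computed.
    """
    return {
        "nis2_early_warning": aware_at + timedelta(hours=24),
        "nis2_incident_notification": aware_at + timedelta(hours=72),
        "dora_initial_notification_latest": aware_at + timedelta(hours=24),
    }


if __name__ == "__main__":
    for src, s in analyse(SAMPLE_LOG).items():
        print(f"{src}: {s['deflate_posts']} deflate POSTs, {s['upstream_5xx']} answered 5xx, "
              f"first seen {s['first_seen'].isoformat()}")
        if s["upstream_5xx"]:
            for name, deadline in reporting_clock(s["first_seen"]).items():
                print(f"  {name}: {deadline.isoformat()}")
```

On the sample, only 198.51.100.23 is reported: four deflate POSTs, all answered 502 by the upstream, first seen 08:15:02Z, which puts the NIS2 early warning at 08:15:02Z the next day. The gzip POST from 192.0.2.77 would be dropped by the workaround but does not match the exploit signature, which is the right split: the block rule is deliberately broad, the alert is specific. In a real deployment the "aware_at" timestamp should be the time the alert was triaged and accepted, not the first raw log line, and that decision should itself be logged.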

3. Vendor Risk Assessment

  • Assess SolarWinds as a critical ICT supplier under NIS2 supply chain security and DORA ICT third-party risk management requirements.
  • Review contractual clauses for security incident notification, vulnerability disclosure, and patch support timelines.
  • Monitor supply chain risk continuously, including geopolitical factors that may increase targeting of particular vendors.

Key Takeaways

  • CVE-2026-28318 is a high-severity, unauthenticated DoS vulnerability in SolarWinds Serv-U that is being actively exploited. Patch to 15.5.4 Hotfix 1 immediately; block POST requests carrying a Content-Encoding header only as a stopgap.
  • NIS2 and DORA impose strict incident reporting timelines (24-hour early warning under NIS2; initial notification within four hours of classification and at most 24 hours after awareness under DORA) and require robust vulnerability and supply chain risk management.
  • Organizations must integrate vendor vulnerability alerts into their compliance monitoring and incident response processes.
  • Supply chain security is a shared responsibility; ongoing assessment of vendors like SolarWinds is essential for regulatory compliance.

How AIGovHub Can Help

Managing supply chain risk and incident reporting across multiple regulatory frameworks can be complex. AIGovHub's SENTINEL module provides real-time geopolitical intelligence and vendor risk monitoring, including tracking of vulnerabilities like CVE-2026-28318. The CCM module enables continuous compliance monitoring with automated controls testing and evidence collection, helping organizations demonstrate adherence to NIS2 and DORA requirements. Explore how AIGovHub can streamline your compliance journey.

This content is for informational purposes only and does not constitute legal advice.