Critical SolarWinds and Cisco Vulnerabilities Are Being Actively Exploited — What Local Businesses Need to Do Right Now

Two serious security vulnerabilities are making the rounds this week, and both deserve your immediate attention if your business relies on managed file transfer software or Cisco networking gear. One has a patch ready and a government deadline attached to it. The other has no patch at all — and attackers are already using it.

Here's what's happening, who's at risk, and what to do about it.

Vulnerability #1: SolarWinds Serv-U — CVE-2026-28318

What Is SolarWinds Serv-U?

SolarWinds Serv-U is a managed file transfer (MFT) and secure file server platform — essentially software that lets organizations send, receive, and manage files securely over a network. It's commonly used by accounting firms, healthcare offices, legal practices, and any business that needs to move sensitive documents between staff, clients, or vendors in a controlled way.

What's the Flaw?

Security Affairs reports that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318 — carrying a CVSS 3.1 score of 7.5 (High) — to its Known Exploited Vulnerabilities (KEV) catalog.

This is an unauthenticated denial-of-service (DoS) vulnerability. That last word — unauthenticated — is the scary part. An attacker doesn't need a username, password, or any legitimate access to your system whatsoever. They simply send a specially crafted HTTP POST request using the Content-Encoding: deflate header, and the Serv-U service crashes. File transfers stop. The service goes dark for legitimate users.

According to The Hacker News, CISA classifies this as an "uncontrolled resource consumption vulnerability" — the server gets overwhelmed processing a malformed request it was never designed to handle gracefully.

Who Is Affected?

Any organization running SolarWinds Serv-U version 15.5.4 or earlier is vulnerable. The fix is Serv-U 15.5.4 HF1, which SolarWinds has already released.

How to Fix It

1. Log into your SolarWinds portal and check your current Serv-U version number.
2. Download and apply Serv-U 15.5.4 HF1 immediately.
3. If you cannot patch right now, The Hacker News notes that SolarWinds advises limiting access to known IP addresses and blocking any request containing the content-encoding header, since the vulnerable service doesn't require that functionality.
4. Additional mitigation guidance is available through the SolarWinds Trust Center.

The deadline for federal agencies is June 19, 2026 — per Security Affairs. That's a hard government deadline, but it's also a sensible target for any private organization. If you run Serv-U, treat next week as your personal deadline too.

It's also worth knowing that Serv-U has a history here: The Hacker News notes that multiple previous Serv-U flaws have been exploited by actors associated with the Cl0p ransomware gang. This platform is a well-known target.

Vulnerability #2: Cisco Catalyst SD-WAN — CVE-2026-20245 (No Patch Yet)

What Is Cisco Catalyst SD-WAN Manager?

SD-WAN (Software-Defined Wide Area Networking) technology is how many mid-sized and larger businesses manage their network connections across multiple locations — think a company with offices in several cities, or a business that needs to centrally manage connectivity for remote workers. Cisco's Catalyst SD-WAN Manager is the control hub for those deployments.

This is enterprise-grade networking equipment, but plenty of Yuba City-area businesses that have grown or have multi-site operations use Cisco gear — and if your managed IT provider set up your network, it's worth asking whether SD-WAN Manager is in the picture.

What's the Flaw?

Help Net Security reports that CVE-2026-20245 is a zero-day privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager's command-line interface — and there is currently no patch available.

The flaw stems from insufficient validation of user-supplied input. An authenticated, local attacker can exploit it by uploading a crafted file to the affected system and then execute arbitrary commands as root — meaning full, unrestricted control over the device.

Here's the attack chain Cisco described: to exploit CVE-2026-20245, an attacker first needs authenticated access. They can get that by exploiting one of two other vulnerabilities — CVE-2026-20182, observed being exploited as a zero-day in May 2026, or CVE-2026-20127, which has been leveraged by a "highly sophisticated" threat actor since 2023. Cisco has observed "limited cases where exploitation of this bug resulted in a configuration change pushed to edge devices" — meaning attackers potentially altered how network traffic flows across affected organizations.

The vulnerability affects all Cisco SD-WAN deployment types: on-premises, Cloud-Pro, Cloud (Cisco Managed), and Government (FedRAMP). The flaw was reported to Cisco by Mandiant.

What to Do Right Now (Without a Patch)

Since no fix exists yet, this one requires a different playbook:

1. Collect forensic evidence before doing anything else. Cisco specifically advises issuing the request admin-tech command from each control component in your SD-WAN deployment before upgrading any software. This preserves possible indicators of compromise.
2. Check for indicators of compromise using the specific log entries Cisco has documented in its advisory.
3. Upgrade to the fixed software referenced in the CVE-2026-20182 advisory — Cisco's current guidance while the CVE-2026-20245 patch is in development.
4. Verify the configuration of your edge devices to make sure no unauthorized changes were pushed.
5. If your logs show signs of compromise, a software update alone will not be enough. Per Help Net Security, Cisco says compromised systems require specific remediation steps provided directly by Cisco's Technical Assistance Center (TAC).

The Bigger Picture: Why These Two Vulnerabilities Together Matter

Both of these vulnerabilities share a theme that security professionals call chained exploitation — using one vulnerability to get a foothold, then using another to escalate privileges and do real damage. The Cisco situation literally requires chaining CVEs to pull off. And SolarWinds' history with Cl0p shows that MFT platforms are favorite targets precisely because they sit at the center of sensitive data movement.

For small businesses, the lesson is straightforward: the software running quietly in the background — file transfer servers, network management consoles — often gets less attention during routine maintenance. That's exactly where attackers look.

If your business uses either of these platforms and you're uncertain about your patch status or whether your systems show signs of compromise, we're happy to help you work through it at Computer Works. Sometimes a second set of eyes on your network is the fastest way to get clarity.

Quick Checklist

• SolarWinds Serv-U users: Check version number ? apply 15.5.4 HF1 immediately
• Can't patch Serv-U yet? Block content-encoding requests and restrict access to known IPs
• Cisco SD-WAN users: Run request admin-tech now to preserve logs
• Check Cisco logs for indicators of compromise before upgrading
• Follow CVE-2026-20182 advisory for current upgrade path
• Compromised system? Contact Cisco TAC — a patch alone won't clean it up

Stay current. These threats move fast, and the window between "actively exploited" and "widespread damage" keeps getting shorter.