These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-28318 is a HIGH severity Uncontrolled Resource Consumption vulnerability in SolarWinds Serv-U, with a CVSS score of 7.5. It was published on 2026-06-05 and added to the CISA Known Exploited Vulnerabilities catalog on the same day, with a mitigation due date of 2026-06-19.
CVE-2025-26399 is a SolarWinds Web Help Desk deserialization of untrusted data vulnerability that CISA has added to its Known Exploited Vulnerabilities catalog. Because it is officially flagged as known exploited, organizations should treat it as an urgent remediation item and follow the vendor guidance referenced by CISA.
CVE-2025-40536 is a SolarWinds Web Help Desk security control bypass vulnerability that CISA added to its Known Exploited Vulnerabilities (KEV) catalog on 2026-02-12. KEV inclusion means CISA has determined the issue is being actively exploited or has been exploited in the wild. Organizations using Web Help Desk should treat this as a high-priority remediation item and follow vendor instructions immediately.
CVE-2025-40551 is a SolarWinds Web Help Desk deserialization of untrusted data issue that CISA added to its Known Exploited Vulnerabilities catalog on 2026-02-03. Because CISA has set a remediation due date of 2026-02-06, organizations using the product should treat this as a time-sensitive remediation item and follow vendor guidance immediately.
CVE-2024-28987 is a SolarWinds Web Help Desk hardcoded credential vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2024-10-15. That KEV designation means CISA considers it actively exploited in the wild. CISA’s guidance for KEV entries is to apply vendor mitigations or discontinue use of the product if mitigations are unavailable.
CVE-2024-28986 affects SolarWinds Web Help Desk and is listed by CISA in the Known Exploited Vulnerabilities catalog. Because CISA added it to KEV on 2024-08-15 and set a remediation due date of 2024-09-05, organizations should treat it as a high-priority defensive issue and follow vendor guidance immediately.
CVE-2024-28995 is a SolarWinds Serv-U path traversal vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2024-07-17. Because it is listed as known to be exploited, organizations using Serv-U should treat it as a priority issue and follow vendor guidance or discontinue use if mitigations are unavailable.
CVE-2021-35247 is a SolarWinds Serv-U improper input validation vulnerability that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on 2022-01-21. The KEV listing means CISA considered it actively exploited and set a remediation due date of 2022-02-04. The supplied corpus does not include a CVSS score, so defensive prioritization should be driven by the KEV status and vendor guidance rath [truncated]
CVE-2021-35211 is a SolarWinds Serv-U remote code execution vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2021-11-03. CISA marked it as known to be used in ransomware campaigns and directed affected organizations to apply updates per vendor instructions. Because it is in KEV, this issue should be treated as an active exposure rather than a routine patch item.
CVE-2020-10148 is a SolarWinds Orion authentication bypass vulnerability that CISA lists in its Known Exploited Vulnerabilities catalog. Because it is flagged as known exploited, affected Orion deployments should be treated as urgent patch-and-verify items, following vendor update guidance.
CVE-2016-3643 is a SolarWinds Virtualization Manager privilege escalation vulnerability that CISA lists in its Known Exploited Vulnerabilities catalog. Based on the supplied corpus, the key defensive takeaway is that this issue is treated as known exploited and should be prioritized for patching according to vendor guidance. The source record was published and modified on 2021-11-03 in the KEV feed, which [truncated]