SolarWinds Serv-U contains a high-severity unauthenticated denial-of-service vulnerability (CVE-2026-28318) with confirmed active exploitation and CISA KEV listing. A single malformed HTTP POST request crashes the Serv-U service process with no authentication required. Federal agencies face a hard remediation deadline of June 19, 2026; all other organizations should treat this as a patch-now event given Serv-U’s historical targeting by ransomware groups.