The Cybersecurity and Infrastructure Security Agency (CISA) has officially added three newly identified security vulnerabilities affecting SolarWinds, Ivanti, and Omnissa products to its Known Exploited Vulnerabilities (KEV) catalog after confirming that attackers are actively exploiting them.
The KEV catalog is maintained by CISA to highlight vulnerabilities that are currently being used in real-world cyberattacks, allowing organizations to prioritize patching and mitigation.
Vulnerabilities Added to the KEV Catalog
The three vulnerabilities identified by CISA are as follows.
Workspace One SSRF Vulnerability
The first flaw, CVE-2021-22054 (CVSS score 7.5), affects Workspace One UEM, previously known as VMware Workspace One UEM.
This issue is classified as a Server-Side Request Forgery (SSRF) vulnerability. Attackers who already have network-level access to the UEM environment could exploit the flaw to send unauthorized requests to internal services without authentication. Such access may allow attackers to retrieve sensitive data stored within the system.
SolarWinds Web Help Desk Remote Command Execution
Another critical vulnerability, CVE-2025-26399 (CVSS score 9.8), impacts SolarWinds Web Help Desk.
The flaw originates in the AjaxProxy component, where untrusted data is improperly handled during the deserialization process. Exploiting this weakness could allow attackers to execute arbitrary commands directly on the host machine.
Security reports from Microsoft and Huntress indicate that threat actors are already leveraging this vulnerability to gain initial access to targeted systems. The activity is believed to be linked to the Warlock ransomware group.
Ivanti Endpoint Manager Authentication Bypass
The third vulnerability, CVE-2026-1603 (CVSS score 8.6), affects Ivanti Endpoint Manager.
This flaw allows attackers to bypass authentication by exploiting alternate paths or communication channels. A remote attacker who is not authenticated could potentially access stored credential data from the system.
Currently, there is limited public information regarding how this vulnerability is being actively used in attacks.
Previous Exploitation Activity
Security monitoring platform GreyNoise previously reported that CVE-2021-22054 was exploited in March 2025 as part of a broader campaign that targeted multiple SSRF vulnerabilities across different enterprise products.
This coordinated activity suggested that attackers were scanning for and exploiting several SSRF flaws simultaneously to gain access to enterprise infrastructure.
Federal Patch Deadlines
Due to the confirmed exploitation risk, CISA has issued remediation deadlines for U.S. federal agencies.
Organizations within the Federal Civilian Executive Branch must apply the security patch for SolarWinds Web Help Desk no later than March 12, 2026, while patches for the other two vulnerabilities must be implemented by March 23, 2026.
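As an added illustration (not part of the original article), the script below shows how a security team can match KEV entries against its own asset inventory and rank them by remediation deadline. The KEV data is a constructed sample shaped like a subset of CISA's public KEV JSON feed (field names are assumed from that feed's schema); the CVE ids and due dates come from this article, and the hosts and product names are hypothetical.

```python
"""Rank KEV entries against a local asset inventory, most urgent first."""
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array.
# Only a subset of fields is included; dates are the federal deadlines above.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
         "product": "Web Help Desk", "dueDate": "2026-03-12",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
         "product": "Workspace One UEM", "dueDate": "2026-03-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
         "product": "Endpoint Manager", "dueDate": "2026-03-23",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: hypothetical hosts and the product each runs.
INVENTORY = [
    {"host": "helpdesk-01", "product": "Web Help Desk"},
    {"host": "mdm-02", "product": "Workspace One UEM"},
    {"host": "fileserver-03", "product": "Windows Server"},
]


def prioritise(kev, inventory, today_iso):
    """Return inventory hosts hit by a KEV entry, ordered by urgency.

    Ransomware-linked entries come first, then the nearest due date.
    Product matching is exact (case-insensitive), a simplification.
    """
    today = date.fromisoformat(today_iso)
    by_product = {}
    for v in kev["vulnerabilities"]:
        by_product.setdefault(v["product"].lower(), []).append(v)
    hits = []
    for asset in inventory:
        for v in by_product.get(asset["product"].lower(), []):
            due = date.fromisoformat(v["dueDate"])
            hits.append({
                "host": asset["host"], "cve": v["cveID"],
                "days_left": (due - today).days, "overdue": due < today,
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
            })
    hits.sort(key=lambda h: (not h["ransomware"], h["days_left"]))
    return hits


if __name__ == "__main__":
    for hit in prioritise(KEV_SAMPLE, INVENTORY, "2026-03-10"):
        print(hit)
```

Feeding the live KEV feed in place of KEV_SAMPLE and a real CMDB export in place of INVENTORY turns this into a daily check that surfaces overdue hosts before the CISA deadline passes.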
According to CISA, vulnerabilities of this nature frequently serve as entry points for cybercriminals and represent a serious threat to government networks and infrastructure.
Security Implications
The addition of these vulnerabilities to the KEV catalog highlights the ongoing risk posed by enterprise software flaws that can be exploited remotely.
Security teams are advised to prioritize patching affected systems immediately, monitor networks for suspicious activity, and apply recommended security updates to reduce the risk of compromise.