The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that they are currently being exploited in real-world attacks.

The newly listed vulnerabilities affect SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace One UEM (formerly VMware Workspace One UEM).

Vulnerabilities Added to the KEV Catalog

CVE-2021-22054 (CVSS 7.5)
A Server-Side Request Forgery (SSRF) vulnerability in Omnissa Workspace One UEM. The flaw allows attackers with network access to the UEM system to send unauthenticated requests and potentially access sensitive information.

CVE-2025-26399 (CVSS 9.8)
A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk. Successful exploitation allows attackers to execute arbitrary commands on the host system.

CVE-2026-1603 (CVSS 8.6)
An authentication bypass vulnerability in Ivanti Endpoint Manager that allows a remote unauthenticated attacker to access and leak stored credential data.

SolarWinds Exploitation Linked to Ransomware Activity

The addition of CVE-2025-26399 follows reports from Microsoft and cybersecurity firm Huntress that threat actors are actively exploiting vulnerabilities in SolarWinds Web Help Desk to gain initial access to targeted systems.

Researchers believe the attacks are connected to the Warlock ransomware group, which is leveraging the vulnerability to compromise networks.

Workspace One SSRF Exploited in Wider Campaign

The CVE-2021-22054 vulnerability was previously flagged by GreyNoise in March 2025. Researchers observed attackers exploiting it alongside other SSRF vulnerabilities across different products as part of a coordinated attack campaign.

Limited Details on Ivanti Exploit

Currently, there are no public details explaining how the CVE-2026-1603 vulnerability in Ivanti Endpoint Manager is being exploited in the wild. Additionally, Ivanti’s official security advisory has not yet been updated to confirm active exploitation.

Federal Agencies Given Patch Deadlines

To mitigate the risks posed by these actively exploited vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply patches within strict deadlines:

  • SolarWinds Web Help Desk vulnerability (CVE-2025-26399): Patch by March 12, 2026
  • Workspace One and Ivanti vulnerabilities (CVE-2021-22054 and CVE-2026-1603): Patch by March 23, 2026

CISA warned that vulnerabilities like these remain common entry points for cyber attackers and can pose significant risks to government and enterprise networks if left unpatched.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA stated.
