
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The vulnerability list is as follows:
CVE-2021-22054 (CVSS score: 7.5) – A server-side request forgery (SSRF) vulnerability in Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM) that could allow an attacker with network access to UEM to send requests without authentication and access sensitive information.
CVE-2025-26399 (CVSS score: 9.8) – A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to execute commands on the host machine.
CVE-2026-1603 (CVSS score: 8.6) – An authentication bypass using an alternate path or channel vulnerability in Ivanti Endpoint Manager that could allow a remote, unauthenticated attacker to disclose certain stored credential data.
The addition of CVE-2025-26399 follows reports from Microsoft and Huntress that threat actors are exploiting security flaws in SolarWinds Web Help Desk to gain initial access. This activity is believed to be the work of the Warlock ransomware group.
Meanwhile, CVE-2021-22054 was reported by GreyNoise in March 2025 as being exploited along with several other SSRF vulnerabilities in other products as part of a coordinated campaign.
At this time, details about how CVE-2026-1603 is being weaponized are unknown. At the time of writing, Ivanti's security bulletin has not been updated to reflect in-the-wild exploitation.
To combat the risks posed by active threats, Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch the SolarWinds Web Help Desk flaw by March 12, 2026, and the other two by March 23, 2026.
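Organizations outside the FCEB are not bound by the deadlines, but the KEV catalog's dueDate field is still a useful triage signal. The script below is an added example, not code from CISA or from the article: it parses a constructed snapshot that uses the same field names as the published KEV JSON feed (cveID, vendorProject, product, dueDate), matches it against a small asset inventory, and reports how many days remain before each matched entry's due date. The inventory, the snapshot, and the "today" date are all assumptions made for the illustration.

```python
"""Match a CISA KEV snapshot against an asset inventory and report due dates.

Added example. The KEV feed is normally fetched from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
here a constructed snapshot with the same field names is embedded so the
script runs offline. Only the CVE IDs, vendors, products and due dates from the
article are used; everything else is illustrative.
"""
import json
from datetime import date

# Constructed KEV-style snapshot (not the real feed).
KEV_SNAPSHOT = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
         "product": "Workspace ONE UEM", "dueDate": "2026-03-23"},
        {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
         "product": "Web Help Desk", "dueDate": "2026-03-12"},
        {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
         "product": "Endpoint Manager", "dueDate": "2026-03-23"},
    ]
})

# Constructed asset inventory: (vendor, product) pairs an organization runs.
INVENTORY = [
    ("SolarWinds", "Web Help Desk"),
    ("Ivanti", "Endpoint Manager"),
]


def load_kev(raw_json):
    """Return the list of vulnerability entries from a KEV JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def match_assets(entries, inventory):
    """Keep KEV entries whose vendor/product pair is in the inventory.

    Matching is case-insensitive on both fields; KEV spells vendors and
    products inconsistently enough that exact matching misses real hits.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [
        e for e in entries
        if (e["vendorProject"].lower(), e["product"].lower()) in wanted
    ]


def triage(entries, today_iso):
    """Return [(cveID, days_until_due), ...] sorted so overdue items come first.

    A negative day count means the KEV due date has already passed.
    """
    today = date.fromisoformat(today_iso)
    result = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        result.append((e["cveID"], (due - today).days))
    return sorted(result, key=lambda item: item[1])


if __name__ == "__main__":
    hits = match_assets(load_kev(KEV_SNAPSHOT), INVENTORY)
    for cve_id, days in triage(hits, "2026-03-15"):
        status = "OVERDUE" if days < 0 else f"due in {days} days"
        print(f"{cve_id}: {status}")
```

Swap the embedded snapshot for the downloaded feed and the inventory for an export from your CMDB; the vendor/product strings in KEV are free text, so expect to maintain a small alias table for products whose names changed (as Workspace ONE UEM's did when it moved from VMware to Omnissa).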
“These types of vulnerabilities are frequent attack vectors for malicious cyber attackers and pose significant risks to federal enterprises,” CISA said.
