CISA Identifies SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took a proactive stance in safeguarding digital infrastructures by adding three significant security flaws to its Known Exploited Vulnerabilities (KEV) catalog. This decision was based on verified evidence pointing towards active exploitation of these vulnerabilities, emphasizing the agency’s commitment to enhancing cybersecurity across various platforms.

The vulnerabilities identified include:

  1. CVE-2021-22054 (CVSS score: 7.5) – This flaw relates to a server-side request forgery (SSRF) vulnerability within the Omnissa Workspace One Unified Endpoint Management (UEM) system, previously known as VMware Workspace One UEM. It allows malicious individuals who have network access to the UEM to send requests without proper authentication, potentially leading to unauthorized access to sensitive information. The implications of such a breach could be severe for organizations relying on this platform for endpoint management.

  2. CVE-2025-26399 (CVSS score: 9.8) – This high-risk vulnerability is found in the AjaxProxy component of the SolarWinds Web Help Desk. It is a deserialization flaw that enables attackers to execute commands on the host machine, raising significant alarms about the potential for extensive damage. The threat level of this vulnerability is underscored by emerging reports from both Microsoft and Huntress, which indicate that it is being actively exploited. The activity surrounding this vulnerability is believed to be linked to the Warlock ransomware group, which has been identified as a rising threat in the cybersecurity landscape.

  3. CVE-2026-1603 (CVSS score: 8.6) – This vulnerability concerns an authentication bypass in the Ivanti Endpoint Manager, which allows a remote, unauthenticated attacker to leak specific stored credential data. While details on how this flaw is being utilized in real-world attacks remain unclear, its potential for serious security breaches cannot be overstated. As of now, Ivanti has not updated its security bulletin regarding the exploitation status of this vulnerability, leaving organizations in the dark about the immediate risks they face.

The entry of CVE-2025-26399 into the KEV catalog comes as no surprise, given the mounting evidence of exploitation involving SolarWinds Web Help Desk. This product has been on security analysts’ radar due to its vulnerability to attacks, and the activity has reportedly escalated, confirming the need for urgent awareness and remedial measures among system administrators.

Moreover, CVE-2021-22054 was flagged by security firm GreyNoise in early March 2025, highlighting that it was being exploited in conjunction with multiple other SSRF vulnerabilities as part of a coordinated cyberattack campaign. This coordinated exploitation reveals a worrying trend where attackers leverage various vulnerabilities simultaneously, increasing their chances of breaching defenses and compromising sensitive data.

To mitigate the risks posed by these vulnerabilities, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to act swiftly. Agencies are mandated to implement corrective measures for the SolarWinds Web Help Desk vulnerability by March 12, 2026, followed by the other two flaws by March 23, 2026. This timeline underscores the urgency of the situation and the importance of adhering to the recommended security protocols to protect federal infrastructure from potential exploitation.

CISA highlighted the pressing nature of such vulnerabilities, asserting that they frequently serve as attack vectors for malicious cyber actors. The agency has emphasized that the risks posed by these vulnerabilities are significant, especially for the federal enterprise, which relies on robust cybersecurity measures to protect sensitive information.

As the cybersecurity landscape continues to evolve with increasing threats, the role of agencies like CISA becomes ever more critical. By alerting organizations to these vulnerabilities and enforcing compliance with security measures, CISA aims to bolster defenses against the relentless tide of cyber threats that face both the public and private sectors. Ensuring prompt action against these vulnerabilities will be crucial in maintaining cybersecurity integrity and protecting against the growing sophistication of cybercriminal activities.
