CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited
Source: The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog on March 9 2026, based on evidence of active exploitation.
Newly Added Vulnerabilities
| CVE | CVSS | Product | Description |
|---|---|---|---|
| CVE-2021-22054 | 7.5 | Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM) | Server‑side request forgery (SSRF) that allows an attacker with network access to send unauthenticated requests and potentially retrieve sensitive information. |
| CVE-2025-26399 | 9.8 | SolarWinds Web Help Desk (AjaxProxy component) | Deserialization of untrusted data that can lead to remote command execution on the host machine. |
| CVE-2026-1603 | 8.6 | Ivanti Endpoint Manager | Authentication bypass via an alternate path/channel, enabling a remote unauthenticated attacker to leak specific stored credential data. |
Context and Exploitation Activity
-
SolarWinds Web Help Desk (CVE‑2025‑26399) – Recent reports from Microsoft and Huntress indicate that threat actors are actively exploiting this flaw to gain initial access, with the activity attributed to the Warlock ransomware group.
Reference: The Hacker News – SolarWinds exploitation -
Workspace ONE UEM (CVE‑2021‑22054) – GreyNoise flagged this vulnerability in March 2025 as being exploited alongside other SSRF bugs in a coordinated campaign.
Reference: The Hacker News – SSRF campaign -
Ivanti Endpoint Manager (CVE‑2026‑1603) – No public details are yet available on how this vulnerability is being weaponized. Ivanti’s security bulletin has not been updated to reflect an exploitation status.
Reference: Ivanti Security Advisory
Mitigation and Agency Requirements
Federal Civilian Executive Branch (FCEB) agencies have been ordered to:
- Apply the fix for SolarWinds Web Help Desk by March 12 2026.
- Apply the fixes for Workspace ONE UEM and Ivanti Endpoint Manager by March 23 2026.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” – CISA.