The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security vulnerabilities affecting widely used enterprise software to its Known Exploited Vulnerabilities (KEV) catalogue after confirming active exploitation in the wild.
The newly listed flaws impact Omnissa Workspace One UEM, SolarWinds Web Help Desk and Ivanti Endpoint Manager.
The vulnerabilities include:
- CVE-2021-22054 (CVSS score: 7.5) – A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM, formerly VMware Workspace One UEM. The flaw could allow a malicious actor with network access to send unauthenticated requests to the system and potentially access sensitive information.
- CVE-2025-26399 (CVSS score: 9.8) – A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk. Exploiting this flaw could allow attackers to execute commands directly on the host machine.
- CVE-2026-1603 (CVSS score: 8.6) – An authentication bypass vulnerability in Ivanti Endpoint Manager that allows attackers to access stored credential data through an alternate path or channel without authentication.
The addition of CVE-2025-26399 follows reports from Microsoft and cybersecurity firm Huntress that attackers are actively exploiting SolarWinds Web Help Desk vulnerabilities to gain initial access to networks. Researchers believe the activity is linked to the Warlock ransomware group.
The SSRF vulnerability CVE-2021-22054 had earlier been flagged by cybersecurity firm GreyNoise in March 2025. Researchers observed the flaw being exploited alongside similar vulnerabilities in other products as part of a coordinated campaign.
Meanwhile, there are currently limited details on how the Ivanti vulnerability CVE-2026-1603 is being used in attacks. However, cybersecurity firm Defused Cyber said last month that it had observed active exploitation attempts targeting the flaw.
According to the report, the activity originated from the IP address 103.69.224[.]98.
Ivanti has not yet updated its security advisory to reflect active exploitation and has said it is not aware of any customers being compromised through the vulnerability.
Following the KEV update, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply patches for the SolarWinds Web Help Desk vulnerability by March 12, 2026, while fixes for the Workspace One and Ivanti vulnerabilities must be applied by March 23, 2026.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.



