CISA Alerts on Active Exploitation of SolarWinds, Ivanti, Workspace One Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added three critical security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation by malicious actors. These vulnerabilities affect widely used enterprise solutions, posing significant risks to organizations across various sectors.

Detailed Overview of the Vulnerabilities:

1. CVE-2021-22054 (CVSS Score: 7.5): This server-side request forgery (SSRF) vulnerability exists in Omnissa Workspace One UEM, previously known as VMware Workspace One UEM. An attacker with network access can exploit this flaw to send unauthorized requests, potentially accessing sensitive information without authentication. The exploitation of this vulnerability was first observed in March 2025, when GreyNoise reported its use alongside other SSRF vulnerabilities in coordinated attacks.

2. CVE-2025-26399 (CVSS Score: 9.8): Found in the AjaxProxy component of SolarWinds Web Help Desk, this vulnerability involves the deserialization of untrusted data. Exploitation allows attackers to execute arbitrary commands on the host machine. Recent reports from Microsoft and Huntress indicate that threat actors, notably the Warlock ransomware group, are actively leveraging this flaw to gain initial access to systems.

3. CVE-2026-1603 (CVSS Score: 8.6): This authentication bypass vulnerability affects Ivanti Endpoint Manager. It enables remote, unauthenticated attackers to leak specific stored credential data. While detailed exploitation methods remain unclear, there have been observations of active probing targeting this vulnerability. As of now, Ivanti has not updated its security bulletin to reflect active exploitation status.

Implications and Recommendations:

The active exploitation of these vulnerabilities underscores the persistent threats facing enterprise systems. Such vulnerabilities are common attack vectors for cyber adversaries, posing substantial risks to organizational security.

In response, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies implement patches for these vulnerabilities within specified deadlines:

– SolarWinds Web Help Desk (CVE-2025-26399): Patch by March 12, 2026.

– Omnissa Workspace One UEM (CVE-2021-22054) and Ivanti Endpoint Manager (CVE-2026-1603): Patch by March 23, 2026.

Organizations using these products are strongly advised to prioritize applying these patches to reduce the risk of exploitation. Keeping software up to date and monitoring for unusual network activity remain crucial steps in maintaining robust cybersecurity defenses.