Executive Summary
In March 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. These include CVE-2021-22054, a server-side request forgery in Omnissa Workspace One UEM; CVE-2025-26399, a deserialization flaw in SolarWinds Web Help Desk; and CVE-2026-1603, an authentication bypass in Ivanti Endpoint Manager. Exploitation of these vulnerabilities allows unauthorized access to sensitive information and remote code execution on affected systems. (thehackernews.com)
The inclusion of these vulnerabilities in the KEV catalog underscores the persistent threat posed by unpatched software flaws. Organizations are urged to apply the necessary patches promptly to mitigate potential risks associated with these actively exploited vulnerabilities.
Why This Matters Now
The active exploitation of these vulnerabilities highlights the critical need for organizations to prioritize timely patching and vulnerability management to protect against unauthorized access and potential system compromise.
Attack Path Analysis
The attacker exploited a deserialization vulnerability in SolarWinds Web Help Desk to gain initial access. They then escalated privileges by exploiting misconfigurations or additional vulnerabilities. Using these elevated privileges, the attacker moved laterally within the network to access critical systems. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated to external servers. Finally, the attacker deployed ransomware to encrypt data and disrupt operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the deserialization vulnerability (CVE-2025-26399) in SolarWinds Web Help Desk to execute arbitrary code on the host system.
Related CVEs
CVE-2021-22054
CVSS 7.5
A server-side request forgery (SSRF) vulnerability in VMware Workspace ONE UEM allows a malicious actor with network access to send requests without authentication, potentially gaining access to sensitive information.
Affected Products:
VMware Workspace ONE UEM – < 21.2.0.3
Exploit Status:
exploited in the wild
CVE-2025-26399
CVSS 9.8
A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk allows an attacker to execute arbitrary commands on the host machine.
Affected Products:
SolarWinds Web Help Desk – < 12.7.8
Exploit Status:
exploited in the wild
CVE-2026-1603
CVSS 7.5
An authentication bypass vulnerability in Ivanti Endpoint Manager allows a remote unauthenticated attacker to leak specific stored credential data.
Affected Products:
Ivanti Endpoint Manager – < 2024.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Valid Accounts
Impair Defenses
Indicator Removal on Host
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face critical ransomware exposure through SolarWinds, Ivanti, and Workspace One vulnerabilities with mandatory CISA remediation deadlines for FCEB compliance.
Information Technology/IT
IT service providers managing enterprise infrastructure are prime ransomware targets via exploited help desk systems, endpoint managers, and workspace management platforms.
Health Care / Life Sciences
Healthcare organizations using affected endpoint management and help desk solutions face HIPAA compliance risks and potential patient data exfiltration from ransomware attacks.
Financial Services
Financial institutions leveraging SolarWinds and Ivanti systems face elevated ransomware threats targeting authentication bypass vulnerabilities and credential data exposure risks.
Sources
- CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited: https://thehackernews.com/2026/03/cisa-flags-solarwinds-ivanti-and.html
- CISA Adds Three Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
- VMware Workspace ONE UEM SSRF (CVE-2021-22054) Patch Alert: https://blogs.vmware.com/security/2022/04/workspace-one-uem-ssrf-cve-2021-22054-patch-alert.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF would likely have constrained the attacker's ability to move laterally and exfiltrate data, thereby reducing the overall impact of the incident.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the deserialization vulnerability may have been limited, reducing the likelihood of arbitrary code execution.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained, limiting their access to sensitive systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could have been restricted, reducing their ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been constrained, limiting the amount of data transferred to external servers.
The attacker's ability to deploy ransomware may have been limited, reducing the extent of data encryption and operational disruption.
Impact at a Glance
Affected Business Functions
- IT Help Desk Operations
- Endpoint Management
- Network Security
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive organizational data, including user credentials and internal communications.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement and enforce least privilege access.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities like CVE-2025-26399.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of command and control or exfiltration.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Ensure regular patching and vulnerability management to address known exploits and reduce the attack surface.