Executive Summary
On March 9, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation. These vulnerabilities include CVE-2021-22054, a Server-Side Request Forgery (SSRF) in VMware Workspace ONE UEM; CVE-2025-26399, an unauthenticated deserialization flaw in SolarWinds Web Help Desk's AjaxProxy component; and CVE-2026-1603, an authentication bypass in Ivanti Endpoint Manager (EPM). Each of these flaws presents significant risks, such as unauthorized access, remote code execution, and credential disclosure, potentially leading to full enterprise compromise.
The inclusion of these vulnerabilities in the KEV Catalog underscores the persistent threat posed by unpatched software. Organizations are urged to prioritize remediation efforts to mitigate the risks associated with these actively exploited vulnerabilities.
Why This Matters Now
The active exploitation of these vulnerabilities highlights the critical need for organizations to promptly address known security flaws. Delayed remediation can lead to severe consequences, including data breaches and operational disruptions.
Attack Path Analysis
The attacker exploited an unauthenticated deserialization vulnerability in SolarWinds Web Help Desk (CVE-2025-26399) to execute arbitrary code on the host system. This initial access allowed the attacker to escalate privileges by manipulating system processes and configurations. Subsequently, the attacker moved laterally within the network, accessing other systems and sensitive data. They established a command and control channel to maintain persistent access and control over compromised systems. The attacker exfiltrated sensitive data from the network to external servers. Finally, they deployed ransomware to encrypt critical files, disrupting business operations.
Kill Chain Progression
Initial Compromise
Description
Exploited CVE-2025-26399 in SolarWinds Web Help Desk to achieve remote code execution.
Related CVEs
CVE-2021-22054
CVSS 7.5
A server-side request forgery (SSRF) vulnerability in VMware Workspace ONE UEM console versions 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 allows a malicious actor with network access to UEM to send requests without authentication and gain access to sensitive information.
Affected Products:
VMware Workspace ONE UEM – 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, 21.5.0 prior to 21.5.0.37
Exploit Status:
exploited in the wild
CVE-2025-26399
CVSS 9.8
An unauthenticated AjaxProxy deserialization remote code execution vulnerability in SolarWinds Web Help Desk allows an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
Affected Products:
SolarWinds Web Help Desk – prior to 12.8.7 Hotfix 1
Exploit Status:
exploited in the wild
CVE-2026-1603
CVSS 7.5
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Affected Products:
Ivanti Endpoint Manager – prior to 2024 SU5
Exploit Status:
exploited in the wild
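As an added example (not from the advisory or from any vendor's tooling), the script below transcribes the affected version ranges listed above and checks a constructed asset inventory against them, comparing versions numerically rather than as strings. How "Hotfix 1" and "SU5" suffixes appear in an inventory export is an assumption; adapt parse_version to your CMDB's spelling.

```python
import re

# Affected ranges from the advisory: (branch prefix, first fixed build); "prior to" = strictly less.
AFFECTED = {
    "CVE-2021-22054": ("VMware Workspace ONE UEM", [
        ("20.0.8", "20.0.8.37"), ("20.11.0", "20.11.0.40"),
        ("21.2.0", "21.2.0.27"), ("21.5.0", "21.5.0.37")]),
    "CVE-2025-26399": ("SolarWinds Web Help Desk", [("", "12.8.7 Hotfix 1")]),
    "CVE-2026-1603": ("Ivanti Endpoint Manager", [("", "2024 SU5")]),
}

def parse_version(text):
    """'21.2.0.26', '12.8.7 Hotfix 1' or '2024 SU4' -> tuple of ints, so comparison is
    numeric ('21.2.0.5' < '21.2.0.27' is False as strings) and a hotfix/SU number is a
    trailing component ('12.8.7' < '12.8.7 Hotfix 1'). The suffix spelling is an assumption."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def vulnerable_cves(product, version):
    """Advisory CVE ids whose range covers product/version. An empty list means no
    listed range matched, not "patched": unlisted branches are outside the advisory's scope."""
    v = parse_version(version)
    hits = []
    for cve, (name, ranges) in AFFECTED.items():
        if name != product:
            continue
        for branch, fixed in ranges:
            b = parse_version(branch)
            if v[:len(b)] == b and v < parse_version(fixed):
                hits.append(cve)
                break
    return hits

def scan_inventory(inventory):
    """Map (host, product, version) rows to matching CVEs; clean hosts are omitted."""
    findings = {}
    for host, product, version in inventory:
        cves = vulnerable_cves(product, version)
        if cves:
            findings[host] = cves
    return findings

# Constructed sample inventory (not real hosts) so the script runs stand-alone.
SAMPLE_INVENTORY = [
    ("uem-console-01", "VMware Workspace ONE UEM", "21.2.0.5"),
    ("uem-console-02", "VMware Workspace ONE UEM", "21.2.0.27"),
    ("whd-prod", "SolarWinds Web Help Desk", "12.8.7"),
]
if __name__ == "__main__":
    for host, cves in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: patch for {', '.join(cves)}")
```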
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
External Remote Services
Command and Scripting Interpreter
Abuse Elevation Control Mechanism
Impair Defenses
Indicator Removal on Host
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation under BOD 22-01 for Omnissa, SolarWinds, and Ivanti vulnerabilities with active exploitation targeting government infrastructure.
Information Technology/IT
IT service providers managing Workspace ONE, Web Help Desk, and Endpoint Manager systems require immediate patching to prevent server-side request forgery and authentication bypass attacks.
Health Care / Life Sciences
Healthcare organizations using affected enterprise management platforms face HIPAA compliance risks through potential data exfiltration and unauthorized system access vulnerabilities.
Financial Services
Financial institutions must prioritize KEV catalog remediation to maintain regulatory compliance and prevent exploitation of endpoint management and help desk authentication vulnerabilities.
Sources
- CISA Adds Three Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
- VMware Security Advisory VMSA-2021-0029: https://www.vmware.com/security/advisories/VMSA-2021-0029.html
- SolarWinds Security Advisory for CVE-2025-26399: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399
- Ivanti Security Advisory for CVE-2026-1603: https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally, escalate privileges, and exfiltrate data, thereby reducing the overall impact of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, Aviatrix Zero Trust CNSF would likely limit the attacker's ability to escalate privileges or move laterally within the network.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to access critical systems, thereby reducing the scope of privilege escalation.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's ability to move laterally, thereby reducing the reach of the attack.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to maintain persistent command and control channels, thereby reducing the duration of the attack.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data, thereby reducing data loss.
While initial compromise may still occur, Aviatrix Zero Trust CNSF would likely limit the attacker's ability to propagate ransomware across the network, thereby reducing the overall impact.
Impact at a Glance
Affected Business Functions
- IT Service Management
- Remote Device Management
- Help Desk Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive credential data and unauthorized access to internal systems.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce strict access controls and minimize trust relationships within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts of known vulnerabilities.
- Utilize East-West Traffic Security to monitor and control lateral movement within the network.
- Establish Multicloud Visibility & Control to detect and respond to command and control activities.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.