CISA Flags Three Actively Exploited Vulnerabilities in SolarWinds, Ivanti, and Workspace One
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog by adding three newly identified security flaws that are currently being used in real-world cyberattacks.
The vulnerabilities affect widely used enterprise software from SolarWinds, Ivanti, and Omnissa Workspace One, and security officials are urging organizations to apply patches immediately to reduce the risk of compromise.
CISA’s KEV catalog tracks vulnerabilities that attackers are actively exploiting, helping organizations prioritize urgent security updates.

The Newly Added Vulnerabilities
The three security issues added to the KEV list include:
1. Workspace One UEM SSRF Vulnerability
- CVE-2021-22054
- Severity Score: 7.5
This vulnerability affects Omnissa Workspace One UEM, previously known as VMware Workspace One UEM.
The flaw allows attackers with network access to send unauthorized requests to the system without authentication. If exploited, attackers could retrieve sensitive data from the affected server.
Security researchers previously observed this vulnerability being used alongside other similar flaws in coordinated attack campaigns.

2. SolarWinds Web Help Desk Remote Code Execution
- CVE-2025-26399
- Severity Score: 9.8
A critical vulnerability in the AjaxProxy component of SolarWinds Web Help Desk allows attackers to execute commands on a targeted system.
The flaw stems from the unsafe processing of untrusted data during deserialization, which could allow malicious actors to gain control of the host machine.
Security companies Microsoft and Huntress recently reported that attackers are actively exploiting weaknesses in SolarWinds Web Help Desk to gain initial access to networks.
Researchers believe the attacks may be linked to the Warlock ransomware group.

3. Ivanti Endpoint Manager Authentication Bypass
- CVE-2026-1603
- Severity Score: 8.6
The third vulnerability impacts Ivanti Endpoint Manager.
This flaw allows attackers to bypass authentication using an alternative access path, potentially exposing stored credential data.
Although the vulnerability is now listed in the KEV catalog, there are currently limited details about how attackers are exploiting it in real-world attacks.

Government Agencies Given Deadlines to Patch
Due to the active exploitation of these vulnerabilities, CISA has issued patching deadlines for Federal Civilian Executive Branch (FCEB) agencies.
The required mitigation schedule is:
- SolarWinds Web Help Desk vulnerability: patch by March 12, 2026
- Workspace One UEM and Ivanti vulnerabilities: patch by March 23, 2026
These deadlines are intended to reduce the risk of cyber intrusions targeting federal networks.
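
As an added example (not from CISA or the vendors named here), the Python sketch below matches an asset inventory against KEV entries and ranks the hits by days remaining to the due date. The KEV excerpt is constructed in the shape of the catalog's JSON feed using the CVE IDs and deadlines above; the hostnames, the inventory format and exact vendor/product name matching are assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed (cveID, vendorProject,
# product, dueDate). CVE IDs and due dates are the ones given in this article.
KEV_EXCERPT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa", "product": "Workspace One UEM", "dueDate": "2026-03-23"},
  {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk", "dueDate": "2026-03-12"},
  {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager", "dueDate": "2026-03-23"}
]}
""")

# Constructed asset inventory; hostnames and the record layout are hypothetical.
INVENTORY = [
    {"host": "helpdesk01.example.internal", "vendor": "solarwinds", "product": "web  help desk"},
    {"host": "epm01.example.internal", "vendor": "Ivanti", "product": "Endpoint Manager"},
    {"host": "wiki01.example.internal", "vendor": "ExampleCo", "product": "Wiki"},
]

def _key(vendor, product):
    """Case- and whitespace-insensitive match key (assumes names otherwise agree)."""
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))

def kev_triage(kev, inventory, today):
    """Return one finding per (asset, KEV entry) match, most urgent first."""
    by_product = {}
    for v in kev["vulnerabilities"]:
        by_product.setdefault(_key(v["vendorProject"], v["product"]), []).append(v)
    findings = []
    for asset in inventory:
        for v in by_product.get(_key(asset["vendor"], asset["product"]), []):
            days_left = (date.fromisoformat(v["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "due": v["dueDate"],
                "days_left": days_left,
                # A negative value means the KEV due date has already passed.
                "status": "OVERDUE" if days_left < 0 else "DUE",
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))

if __name__ == "__main__":
    # Evaluation date chosen for illustration, between the two deadlines.
    for f in kev_triage(KEV_EXCERPT, INVENTORY, date(2026, 3, 15)):
        print(f"{f['status']:8} {f['days_left']:>4}d  {f['cve']:15} {f['host']}")
```
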

Why These Vulnerabilities Matter
Security officials warn that flaws like these are commonly used as initial access points for cyberattacks.
Once attackers gain entry through vulnerable systems, they can move deeper into a network, steal sensitive data, or deploy ransomware.
Because these vulnerabilities are already being exploited, organizations using affected software should prioritize updates and security reviews.

Final Thoughts
The addition of these flaws to CISA’s KEV catalog highlights the growing importance of rapid patch management in cybersecurity.
With attackers quickly weaponizing vulnerabilities after discovery, organizations must stay vigilant and ensure that critical systems remain fully updated.
Failure to patch widely used enterprise software can leave networks exposed to serious cyber threats.

