The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding three high-stakes flaws that are currently being leveraged by malicious actors in the wild. These vulnerabilities affect critical enterprise management and help desk tools, posing a significant risk to federal networks and private organizations alike.
The three additions span several years of disclosure, highlighting how threat actors continue to find value in older unpatched systems while rapidly operationalizing new discoveries.
- Omnissa Workspace ONE: The Authentication Bypass
  CVE-2021-22054 (CVSS 7.5). This Server-Side Request Forgery (SSRF) vulnerability in Workspace ONE UEM (formerly known as VMware Workspace ONE UEM) allows an attacker with network access to the UEM server to send unauthorized requests. Because the flaw bypasses authentication, a malicious actor can gain access to sensitive internal information that would otherwise be shielded.
- SolarWinds Web Help Desk: Critical Remote Execution
  CVE-2025-26399 (CVSS 9.8). With a near-maximum severity score, this vulnerability in SolarWinds Web Help Desk’s “AjaxProxy” component is a top priority for security teams. It involves the deserialization of untrusted data, a dangerous flaw that can allow an attacker to run arbitrary commands directly on the host machine. In the hands of a skilled actor, this is a “skeleton key” for full server compromise.
- Ivanti Endpoint Manager (EPM): Credential Leakage
  CVE-2026-1603 (CVSS 8.6). The most recent discovery on the list affects Ivanti EPM. This authentication bypass uses an alternate path or channel to allow a remote, unauthenticated attacker to leak specific stored credential data. Given that EPM is used to manage and secure vast numbers of endpoints, a credential leak here could serve as a launching pad for large-scale lateral movement across a network.
CISA’s KEV catalog serves as the “must-patch” list for the federal enterprise. Under Binding Operational Directive (BOD) 22-01, federal agencies are required to remediate these vulnerabilities within specific timeframes. However, CISA strongly urges all organizations, public and private, to prioritize these patches, as they are the primary targets for ransomware groups and state-sponsored APTs.