The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three critical security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed evidence of active exploitation by malicious actors. The listing requires federal agencies to patch these vulnerabilities to mitigate significant risks to the federal enterprise.
The newly listed flaws include a severe deserialization vulnerability in SolarWinds Web Help Desk (CVE-2025-26399), a server-side request forgery (SSRF) in VMware Workspace One UEM (CVE-2021-22054), and an authentication bypass in Ivanti Endpoint Manager (CVE-2026-1603). The inclusion of these vulnerabilities underscores the dynamic threat landscape and the agency’s commitment to protecting national infrastructure from cyber threats.
CISA Adds Exploited Vulnerabilities to KEV Catalog
CISA’s decision to include these specific vulnerabilities stems from observed campaigns in which threat actors are actively exploiting them. The KEV catalog serves as a critical resource for organizations, allowing patching efforts to be prioritized by real-world exploitation risk rather than by CVSS score alone. By mandating remediation for federal agencies, CISA aims to prevent further compromise and potential data breaches.
Among the newly cataloged vulnerabilities is CVE-2025-26399, a deserialization of untrusted data flaw within the AjaxProxy component of SolarWinds Web Help Desk. This vulnerability carries a high CVSS score of 9.8, indicating its severity. Reports from Microsoft and Huntress have detailed how threat actors, reportedly the Warlock ransomware crew, are exploiting this flaw to gain initial access into victim networks. This highlights the immediate danger posed by this specific SolarWinds vulnerability.
Meanwhile, CVE-2021-22054, a server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM, has also been added. With a CVSS score of 7.5, this flaw allows attackers with network access to send unauthenticated requests, potentially leading to the exposure of sensitive information. GreyNoise detected exploitation of this vulnerability in March 2025, noting its use in conjunction with other SSRF flaws in a coordinated campaign.
The third vulnerability, CVE-2026-1603, involves an authentication bypass using an alternate path or channel in Ivanti Endpoint Manager. This vulnerability, rated at 8.6 on the CVSS scale, could enable remote, unauthenticated attackers to leak stored credential data. Details regarding the specific methods of weaponization for this Ivanti vulnerability are still emerging. As of the latest information, Ivanti’s official security bulletin has not yet been updated to confirm its exploitation status in the wild.
Mandatory Patching Deadlines for Federal Agencies
In response to the identified threats, CISA has issued a directive to Federal Civilian Executive Branch (FCEB) agencies. These agencies are now required to implement the necessary patches for the identified vulnerabilities by specific deadlines. For the SolarWinds Web Help Desk vulnerability (CVE-2025-26399), the deadline for remediation is March 12, 2026. The remaining two vulnerabilities, CVE-2021-22054 and CVE-2026-1603, must be addressed by March 23, 2026.
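The KEV catalog is published as a JSON feed whose entries carry the CVE ID, vendor, product and remediation due date, so the deadlines above can be checked mechanically against an asset inventory. The script below is an added example written for this article; it is not CISA's code or any tool the article describes. The three KEV records are constructed from the facts stated in the article (CVE IDs, products, due dates, and the reported ransomware use of CVE-2025-26399), not pulled from the live feed, and the inventory format (host, vendor, product) is an assumption.

```python
"""Prioritise patching against CISA KEV entries and their due dates.

Field names (cveID, vendorProject, product, dueDate,
knownRansomwareCampaignUse) follow the public KEV JSON feed, whose
top-level object holds the entries under the key "vulnerabilities".
"""
import json
from datetime import date

# Constructed sample records built from the article's facts; the
# knownRansomwareCampaignUse values are illustrative, not the feed's own.
KEV_SAMPLE = [
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dueDate": "2026-03-12",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
     "product": "Workspace ONE UEM", "dueDate": "2026-03-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
     "product": "Endpoint Manager", "dueDate": "2026-03-23",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed asset inventory; the schema is an assumption for this example.
INVENTORY = [
    {"host": "helpdesk01", "vendor": "SolarWinds", "product": "Web Help Desk"},
    {"host": "mdm01", "vendor": "Omnissa", "product": "Workspace ONE UEM"},
    {"host": "fileserver", "vendor": "Microsoft", "product": "Windows Server"},
]


def load_kev_file(path):
    """Read a saved copy of the KEV feed and return its entry list."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


def triage(kev_entries, inventory, as_of):
    """Match KEV entries to inventory and rank them by urgency.

    Entries tied to known ransomware use come first, then the nearest
    due date. Returns one finding per (host, CVE) pair.
    """
    findings = []
    for entry in kev_entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            same_vendor = asset["vendor"].lower() == entry["vendorProject"].lower()
            same_product = asset["product"].lower() == entry["product"].lower()
            if same_vendor and same_product:
                findings.append({
                    "host": asset["host"],
                    "cve": entry["cveID"],
                    "due": entry["dueDate"],
                    "days_left": (due - as_of).days,   # negative once overdue
                    "overdue": due < as_of,
                    "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                })
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 3, 1)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:12} {f['cve']:15} due {f['due']} ({flag})")
```

Matching on exact vendor and product strings is deliberately strict; the feed's product names are not normalised across vendors, so a production version would map inventory software names to feed names explicitly rather than guess. The `fileserver` host matches nothing and therefore produces no finding.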
CISA emphasized that these types of vulnerabilities consistently serve as frequent attack vectors for malicious cyber actors, posing considerable risks to the federal enterprise. The proactive inclusion of these flaws in the KEV catalog and the subsequent mandatory patching orders are key components of the agency’s strategy to bolster cybersecurity defenses against evolving threats.
The addition of these vulnerabilities and the subsequent mandates underscore the ongoing need for vigilant security practices and timely patching across all sectors, particularly within critical infrastructure and government systems. Organizations outside the federal sector are also strongly advised to assess their exposure to these vulnerabilities and apply appropriate security updates to protect their environments.