U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti Endpoint Manager, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2021-22054 (CVSS score: 7.5) Omnissa Workspace ONE Server-Side Request Forgery Vulnerability
  • CVE-2025-26399 (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  • CVE-2026-1603 (CVSS score: 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054, in the VMware Workspace ONE UEM console. The vulnerability allows an attacker with network access to the console to send unauthenticated requests. By exploiting the vulnerability, a malicious actor could reach internal resources and potentially expose sensitive information.

The second flaw added to the catalog is a deserialization of untrusted data vulnerability tracked as CVE-2025-26399. In September 2025, SolarWinds released hot fixes to address this critical flaw. An attacker could exploit the flaw to execute arbitrary commands on susceptible systems.

Deserialization of Untrusted Data is a high-severity vulnerability class in which an application reconstructs objects from data received from untrusted sources without verifying its integrity or validity. Attackers can craft malicious serialized objects that, when deserialized, abuse the application's own logic to execute code, access sensitive data, escalate privileges, or manipulate system processes.
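To illustrate the vulnerability class described above, the following Python example (added here; it is not code from the article or from any of the affected products) contrasts stock deserialization, where a serialized object can name an arbitrary callable that runs during loading, with a restricted unpickler that resolves only an allowlist of types. The `Gadget` class, the `os.getcwd` callable and the ticket payload are constructed for the demonstration.

```python
import collections
import io
import os
import pickle

# Allowlist of (module, name) globals the unpickler may resolve. Anything
# else named in the stream, including any callable, is refused before it runs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (the usual mitigation)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Raising here aborts the load before a REDUCE opcode can invoke the gadget.
        raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    # Stock deserialization: whatever callable the stream names gets invoked.
    return pickle.loads(data)


class Gadget:
    """Constructed stand-in for a malicious object: loading it calls os.getcwd
    (harmless here; a real gadget chain would invoke something far worse)."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_benign_payload() -> bytes:
    # Constructed sample data: an ordinary ticket record.
    return pickle.dumps(collections.OrderedDict([("ticket", 42), ("user", "alice")]))


def build_gadget_payload() -> bytes:
    return pickle.dumps(Gadget())


def check_payload(data: bytes) -> str:
    """Return 'ok' if the restricted unpickler accepts the data, else 'blocked: <reason>'."""
    try:
        safe_loads(data)
        return "ok"
    except pickle.UnpicklingError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(check_payload(build_benign_payload()))  # ok
    print(check_payload(build_gadget_payload()))  # blocked: posix.getcwd is not allowlisted
```

Running `unsafe_loads` on the gadget payload returns the current directory, which shows the callable executed during loading; the restricted loader refuses it before that point.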

The last issue added to the KEV catalog is an Ivanti Endpoint Manager (EPM) authentication bypass vulnerability tracked as CVE-2026-1603.

In February, Ivanti released patches for more than a dozen vulnerabilities in Endpoint Manager, including flaws disclosed in October 2025. The update addresses CVE-2026-1603, which attackers could exploit remotely without credentials to access and steal sensitive login information.

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. 

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities CVE-2026-1603 and CVE-2021-22054 by March 23, 2026. The US Agency orders federal agencies to fix the SolarWinds flaw CVE-2025-26399 by March 12, 2026.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)
