U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog

3 Min Read

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple, Rockwell, and Hikvision flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2021-22054 (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery
  • CVE-2025-26399 (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  • CVE-2026-1603 (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054, in VMware Workspace ONE UEM console. The vulnerability allows attackers with network access to send unauthenticated requests. By exploiting the vulnerability, a malicious actor could access internal resources and potentially expose sensitive information.


What do you think? Post a comment.


The second flaw added to the catalog is a deserialization of untrusted data vulnerability tracked as CVE-2025-26399. In September 2025, SolarWinds released hot fixes to address this critical flaw. An attacker could exploit the flaw to execute arbitrary commands on susceptible systems.

- Advertisement -

EXPLORE MORE

Missing Juvenile Lilliana Osuna from the 25th District

The Philadelphia Police Department is requesting the public’s assistance in locating 15-year-old…

Endangered Missing Person Maurice Washington from the 14th District Has Been Located

Endangered Missing Person Maurice Washington from the 14th District Has Been Located…

14 state attorneys general ask EPA to monitor abortion pills contaminating water supply

(LifeSiteNews) – The attorneys general of 14 states wrote to the U.S.…

YouTuber Jesse Ridgway mocked Down syndrome in old video, says he can’t go to hell as an atheist

(LifeSiteNews) — YouTuber Jesse Ridgway continues to make inflammatory comments in the…

Israeli journalist predicts war with Egypt within 15 years

(LifeSiteNews) — During the Jewish News Syndicate (JNS) International Policy Summit held in…

Missing Juvenile Cordae Watson from the 15th District Has Been Located

Missing Juvenile Cordae Watson from the 15th District Has Been Located |…

Deserialization of Untrusted Data is a high-severity vulnerability where an application reconstructs objects from data received from untrusted sources, without verifying integrity or validity. Attackers can craft malicious serialized objects that, when deserialized, abuse the logic of the application to execute code, access sensitive data, escalate privileges, or manipulate system processes. 

The last issue added to the KeV catalog is an Ivanti Endpoint Manager (EPM) authentication bypass vulnerability tracked as CVE-2026-1603.

In February, Ivanti released patches for more than a dozen vulnerabilities in Endpoint Manager, including flaws disclosed in October 2025. The update addresses the flaw CVE-2026-1603 that attackers could exploit remotely without credentials to access and steal sensitive login information.

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. 

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities CVE-2026-1603 and CVE-2021-22054 by March 23, 2026. The US Agency orders federal agencies to fix the SolarWinds flaw CVE-2025-26399 by March 12, 2026.

Pierluigi Paganini



Share This Article

CONVERSATION

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted