CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added three actively exploited vulnerabilities affecting Omnissa Workspace ONE, SolarWinds Web Help Desk, and Ivanti Endpoint Manager to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to apply patches immediately to mitigate the risk of compromise.
Authors: CISA
Source: CISA
Key Takeaways
- CISA has added three new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation.
- The affected products are Omnissa Workspace ONE, SolarWinds Web Help Desk, and Ivanti Endpoint Manager (EPM).
- Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities by a specified due date under BOD 22-01.
- All organizations are strongly urged to prioritize the timely remediation of these vulnerabilities to reduce cyberattack exposure.
Affected Systems
- Omnissa Workspace ONE
- SolarWinds Web Help Desk
- Ivanti Endpoint Manager (EPM)
Vulnerabilities (CVEs)
- CVE-2021-22054
- CVE-2025-26399
- CVE-2026-1603
Attack Chain
Malicious cyber actors are actively exploiting vulnerabilities in Omnissa Workspace ONE (Server-Side Request Forgery), SolarWinds Web Help Desk (Deserialization of Untrusted Data), and Ivanti Endpoint Manager (Authentication Bypass) to compromise targeted networks. Specific attack chains, payloads, and post-exploitation activities are not detailed in the CISA alert.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low. The alert focuses on vulnerability announcements rather than the specific post-exploitation TTPs or malware payloads that EDR would typically detect.
- Network Visibility: Medium. Exploitation of SSRF, deserialization, and authentication bypass vulnerabilities often generates anomalous network traffic patterns or unusual HTTP requests.
- Detection Difficulty: Hard. Without specific indicators of compromise (IOCs) or payload details, detecting the exact exploit attempts requires generic anomaly detection or vendor-specific vulnerability signatures.
Required Log Sources
- Web Application Firewall (WAF) logs
- Application access logs
- Network traffic logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Threat actors may be attempting to exploit the SSRF vulnerability in Omnissa Workspace ONE by sending crafted requests that force the server to initiate anomalous outbound or internal connections. | Network traffic logs, Application access logs | Initial Access | Medium |
| Threat actors may be exploiting the Ivanti EPM Authentication Bypass to access administrative interfaces or endpoints without valid credentials. | Authentication logs, Application access logs | Initial Access | Low |
Control Gaps
- Unpatched public-facing applications
- Lack of network segmentation for management interfaces
Key Behavioral Indicators
- Unexpected child processes spawned by web server processes (SolarWinds, Ivanti, Omnissa)
- Anomalous internal network requests originating from the Workspace ONE server (indicating SSRF)
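The two behavioral indicators above, together with the SSRF hunting hypothesis in the table, can be turned into simple hunting checks over process-creation and egress telemetry. The following is an added example written for this page, not detection content from CISA or from any of the affected vendors. The event schemas, host names, service process names (java.exe, w3wp.exe, tomcat9.exe), and the allowlist of expected backends are all assumptions to be tuned to the actual deployment; the sample events are constructed.

```python
"""Hunting checks for web-server child processes and server-initiated internal
requests (SSRF candidates). Added example; schemas and process names are assumed."""
import ipaddress

# Constructed sample process-creation events (assumed schema: host, parent, child, cmdline).
PROCESS_EVENTS = [
    {"host": "whd-01", "parent": "java.exe", "child": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "whd-01", "parent": "java.exe", "child": "java.exe", "cmdline": "java -jar helper.jar"},
    {"host": "epm-01", "parent": "w3wp.exe", "child": "powershell.exe", "cmdline": "powershell Get-Process"},
    {"host": "epm-01", "parent": "explorer.exe", "child": "powershell.exe", "cmdline": "powershell Get-Date"},
    {"host": "ws1-01", "parent": "tomcat9.exe", "child": "conhost.exe", "cmdline": "conhost.exe"},
]

# Constructed sample egress/flow records seen from the Workspace ONE server (assumed schema).
NETWORK_EVENTS = [
    {"src_host": "ws1-01", "dst": "169.254.169.254", "dport": 80, "uri": "/latest/meta-data/"},
    {"src_host": "ws1-01", "dst": "10.0.5.20", "dport": 445, "uri": ""},
    {"src_host": "ws1-01", "dst": "10.0.1.10", "dport": 636, "uri": ""},  # expected LDAPS backend
    {"src_host": "ws1-01", "dst": "203.0.113.9", "dport": 443, "uri": "/api/device"},
]

# Assumed typical web/app server process names for the three products; tune per deployment.
WEB_SERVER_PARENTS = {"java.exe", "w3wp.exe", "tomcat9.exe", "httpd", "nginx"}
# Children that a web server process should not normally spawn.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "certutil.exe", "bitsadmin.exe"}

# Internal and link-local ranges; a server-initiated request into these is the SSRF signal
# the hunting hypothesis describes (cloud metadata service lives in 169.254.0.0/16).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")
]


def flag_web_server_children(events):
    """Return process events where a web/app server process spawned a shell or LOLBin."""
    return [
        e for e in events
        if e["parent"].lower() in WEB_SERVER_PARENTS and e["child"].lower() in SHELL_CHILDREN
    ]


def flag_ssrf_candidates(events, ssrf_host, allowed_dsts):
    """Return connections initiated by ssrf_host into internal/link-local space that are
    not on the allowlist of expected backends (directory servers, databases, etc.)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_dsts}
    hits = []
    for e in events:
        if e["src_host"] != ssrf_host:
            continue
        dst = ipaddress.ip_address(e["dst"])
        if dst in allowed:
            continue
        if any(dst in net for net in INTERNAL_NETS):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in flag_web_server_children(PROCESS_EVENTS):
        print(f"[child-process] {e['host']}: {e['parent']} -> {e['child']} ({e['cmdline']})")
    for e in flag_ssrf_candidates(NETWORK_EVENTS, "ws1-01", ["10.0.1.10"]):
        print(f"[ssrf-candidate] {e['src_host']} -> {e['dst']}:{e['dport']} {e['uri']}")
```

The allowlist is what keeps the SSRF check usable: a Workspace ONE server legitimately talks to directory and database backends, so every expected internal destination should be enumerated before the remaining internal connections are treated as hunting leads. The link-local metadata address is worth keeping as an explicit case because a request there from an application server is rarely legitimate.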
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Apply vendor-provided patches or mitigations for CVE-2021-22054, CVE-2025-26399, and CVE-2026-1603 immediately.
Infrastructure Hardening
- Restrict access to management interfaces for Ivanti, SolarWinds, and Omnissa applications to trusted internal networks or VPNs.
- Implement Web Application Firewalls (WAF) to filter potentially malicious requests targeting known vulnerabilities.
User Protection
- N/A
Security Awareness
- Incorporate CISA KEV catalog updates into standard vulnerability management and patching workflows to ensure timely remediation of actively exploited flaws.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application