CISA Flags SolarWinds, Ivanti, and Omnissa Flaws as Actively Exploited
CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalogue on 9 March 2026, confirming active exploitation in the wild for all three. Two carry patch deadlines this month. Here is what each one is and why it warrants attention.
CVE-2025-26399 - SolarWinds Web Help Desk (CVSS 9.8)
A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk allows an unauthenticated remote attacker to execute commands on the host machine. The severity score of 9.8 reflects the combination of no authentication required and full remote code execution.
Microsoft and Huntress have both reported active exploitation of this flaw for initial access. The activity has been attributed to the Warlock ransomware crew. Federal agencies have been given a patch deadline of 12 March 2026.
Deserialisation vulnerabilities of this class are consistently among the most dangerous in enterprise software - they turn the server's own deserialisation logic into an execution pathway for attacker-supplied input. SolarWinds has had a difficult few years on the security front, and this is another high-severity entry on that list. If you or your clients are running SolarWinds Web Help Desk, this is a same-day patch.
CVE-2026-1603 - Ivanti Endpoint Manager (CVSS 8.6)
An authentication bypass vulnerability in Ivanti Endpoint Manager allows a remote unauthenticated attacker to leak specific stored credential data. Ivanti has not yet published details on how this flaw is being exploited in the wild, but CISA's addition to the KEV catalogue confirms it is happening. The patch deadline for federal agencies is 23 March 2026.
Ivanti has been a recurring target over the past eighteen months, with multiple high-severity vulnerabilities across its product lines - several of which were exploited as zero-days before patches were available. CVE-2026-1603 appears to have been patched before exploitation was confirmed, but given Ivanti's recent track record, treating it as urgent is the correct posture.
CVE-2021-22054 - Omnissa Workspace One UEM (CVSS 7.5)
A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) allows an attacker with network access to the UEM server to send unauthenticated requests and access sensitive data. This vulnerability dates from 2021 and was first flagged by GreyNoise in March 2025 as part of a coordinated campaign exploiting multiple SSRF vulnerabilities simultaneously. Its addition to the KEV catalogue now confirms continued active exploitation. The patch deadline for federal agencies is 23 March 2026.
The age of this CVE is worth noting. A five-year-old SSRF vulnerability being actively exploited in 2026 is a reminder that threat actors routinely return to older, well-understood vulnerabilities, particularly against targets that have deferred patching. If your environment includes any Omnissa or legacy VMware Workspace One UEM installations, this should be on your patching list regardless of the KEV deadline.
What to do
If you manage infrastructure that includes any of these products, apply the available patches without delay. For organisations subject to CISA's binding operational directives, the SolarWinds deadline is this Thursday. For everyone else, a vulnerability's addition to the KEV catalogue is a reliable signal that exploitation is real, active, and not limited to government targets.
More broadly, these three additions follow a consistent pattern: enterprise software with large install bases, vulnerabilities that provide either remote code execution or credential access, and exploitation activity that preceded public confirmation. The case for automated vulnerability scanning in your pipeline, and for maintaining an accurate inventory of the software running in your environment, has rarely been stronger.
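As an added illustration of the inventory-against-KEV check recommended above (example code, not from the article or from CISA), the script below matches a software inventory against a KEV feed excerpt and reports days remaining to each due date. The feed excerpt is constructed in the shape of CISA's published KEV JSON (field names as CISA publishes them, entries built from the dates in this article); the inventory, hostnames and the VMware-to-Omnissa vendor alias are constructed assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow
# the published catalogue; the three entries use the dates from the article.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dateAdded": "2026-03-09",
     "dueDate": "2026-03-12", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
     "product": "Endpoint Manager", "dateAdded": "2026-03-09",
     "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
     "product": "Workspace One UEM", "dateAdded": "2026-03-09",
     "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed software inventory: (hostname, vendor, product). The legacy
# VMware-branded UEM host shows why vendor renames need an alias table.
INVENTORY = [
    ("helpdesk01", "solarwinds", "web help desk"),
    ("epm-core", "Ivanti", "Endpoint Manager"),
    ("uem-legacy", "VMware", "Workspace One UEM"),
    ("fileserver", "Microsoft", "Windows Server"),
]

# Assumed alias map: inventory vendor name -> vendor name used in the KEV feed.
VENDOR_ALIASES = {"vmware": "omnissa"}


def _norm(s):
    return " ".join(s.lower().split())


def kev_exposure(feed_json, inventory, today_iso):
    """Return inventory/KEV matches sorted by due date, then CVE id.

    Vendor must match exactly (after aliasing); product matches if either
    string contains the other, so 'Web Help Desk 12.8' still matches."""
    today = date.fromisoformat(today_iso)
    kev = json.loads(feed_json)["vulnerabilities"]
    hits = []
    for host, vendor, product in inventory:
        vendor_n = VENDOR_ALIASES.get(_norm(vendor), _norm(vendor))
        product_n = _norm(product)
        for v in kev:
            if _norm(v["vendorProject"]) != vendor_n:
                continue
            kev_prod = _norm(v["product"])
            if kev_prod not in product_n and product_n not in kev_prod:
                continue
            due = date.fromisoformat(v["dueDate"])
            hits.append({"host": host, "cve": v["cveID"], "due": v["dueDate"],
                         "days_left": (due - today).days,
                         "ransomware": v["knownRansomwareCampaignUse"] == "Known"})
    return sorted(hits, key=lambda h: (h["due"], h["cve"]))
```

Run against the real catalogue by replacing KEV_FEED with the downloaded JSON and INVENTORY with your CMDB export; a negative days_left marks an entry already past its due date.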
