CISA Adds SolarWinds, Ivanti, and Workspace One Flaws to KEV Catalog — SolarWinds Linked to Warlock Ransomware Activity

CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog — a critical SolarWinds deserialization flaw linked to Warlock ransomware operations, an Ivanti Endpoint Manager authentication bypass, and a long-standing Workspace One SSRF vulnerability now being weaponized in coordinated campaigns.

Federal agencies face an accelerated two-day deadline for the SolarWinds fix and standard three-week deadlines for the remaining two.

CVE-2025-26399 — SolarWinds Web Help Desk (CVSS 9.8)

A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that allows an attacker to execute commands on the host machine.

Microsoft and Huntress have both reported threat actors exploiting this flaw for initial access, with the activity attributed to the Warlock ransomware crew. The severity of the exploitation prompted CISA to set an aggressive March 12, 2026 remediation deadline — just two days from the KEV addition.

CVE-2026-1603 — Ivanti Endpoint Manager (CVSS 8.6)

An authentication bypass vulnerability that allows a remote unauthenticated attacker to leak specific stored credential data from Ivanti Endpoint Manager.

No details on active exploitation methods have been disclosed, and Ivanti's security bulletin has not yet been updated to reflect the exploitation status. This continues the pattern of Ivanti products appearing in CISA's KEV catalog — a recurring theme throughout 2025 and into 2026.

Remediation deadline: March 23, 2026.

CVE-2021-22054 — Omnissa Workspace One UEM (CVSS 7.5)

A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that allows an unauthenticated attacker with network access to send requests and access sensitive information.

Although the flaw was disclosed in 2021, GreyNoise flagged active exploitation in March 2025 as part of a coordinated campaign exploiting SSRF vulnerabilities across multiple products simultaneously. Its addition to KEV now confirms the exploitation has continued into 2026.

Remediation deadline: March 23, 2026.

Defender Recommendations

  • SolarWinds Web Help Desk — patch by March 12 — the two-day deadline reflects active ransomware exploitation; treat this as emergency priority
  • Ivanti EPM — patch by March 23 — monitor for unauthorized credential access even before patching; rotate stored credentials as a precaution
  • Workspace One UEM — patch by March 23 — restrict network access to UEM management interfaces and monitor for SSRF indicators
  • Hunt for Warlock ransomware indicators — organizations running SolarWinds Web Help Desk should proactively search for signs of compromise, particularly unauthorized command execution via the AjaxProxy component
  • Audit Ivanti EPM credential stores — the authentication bypass exposes stored credentials; assess what credentials are accessible and rotate them
  • Review SSRF exposure across the environment — the coordinated SSRF campaign flagged by GreyNoise targeted multiple products; audit all internet-facing applications for SSRF vulnerabilities
