CISA Adds Omnissa Workspace ONE, SolarWinds Web Help Desk, and Ivanti EPM Flaws to KEV Catalog

Tags: government-vulnerability-catalog, actively-exploited-vulnerability, widely-deployed-product-advisory, endpoint-software-vulnerability

Updated March 23, 2026 at 02:05 PM | 7 sources

CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2021-22054 (Omnissa Workspace ONE UEM / formerly VMware Workspace ONE UEM, SSRF), CVE-2025-26399 (SolarWinds Web Help Desk, deserialization of untrusted data in AjaxProxy enabling command execution), and CVE-2026-1603 (Ivanti Endpoint Manager (EPM), authentication bypass). CISA reiterated that KEV-listed issues are common intrusion vectors and that Federal Civilian Executive Branch (FCEB) agencies must remediate per BOD 22-01 deadlines, while strongly urging all organizations to prioritize patching/mitigation of KEV entries as part of vulnerability management.

CISA’s public KEV data repository was updated to reflect the 2026-03-09 catalog release, increasing the catalog count and adding records for the newly listed CVEs, including short descriptions, required actions, and remediation due dates (e.g., 2026-03-23 for CVE-2021-22054 and 2026-03-12 for CVE-2025-26399). Separate reporting about CISA warning on exploited Apple vulnerabilities (macOS/iOS/iPadOS/Safari) describes a different set of CVEs and does not align with the KEV additions in this alert.
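As an added example (not CISA's or Mallory's code), the sketch below diffs two KEV snapshots to find newly listed records and ranks them against an asset inventory by remediation due date. The snapshots are constructed and trimmed to the CVE IDs, counts and due dates quoted in this article; the inventory, the evaluation date and the `placeholder` product value are assumptions.

```python
import json
from datetime import date

# Constructed, trimmed snapshots in the KEV JSON layout (not CISA's real files).
# CVE IDs, counts and due dates are the ones quoted in this article.
PREVIOUS = json.loads("""{"count": 1536, "vulnerabilities": [
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
   "product": "placeholder", "dueDate": "2026-03-26"}]}""")
CURRENT = json.loads("""{"count": 1539, "vulnerabilities": [
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
   "product": "placeholder", "dueDate": "2026-03-26"},
  {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
   "product": "Workspace ONE UEM", "dueDate": "2026-03-23"},
  {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
   "product": "Web Help Desk", "dueDate": "2026-03-12"},
  {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
   "product": "Endpoint Manager", "dueDate": "2026-03-23"}]}""")

# Hypothetical asset inventory: (vendor, product) pairs deployed in the estate.
INVENTORY = {("solarwinds", "web help desk"), ("ivanti", "endpoint manager")}


def new_entries(previous, current):
    """Records present in the current snapshot but not in the previous one."""
    known = {v["cveID"] for v in previous["vulnerabilities"]}
    return [v for v in current["vulnerabilities"] if v["cveID"] not in known]


def triage(entries, inventory, today):
    """Rank KEV records: deployed products first, then earliest due date."""
    rows = []
    for v in entries:
        due = date.fromisoformat(v["dueDate"])
        key = (v["vendorProject"].lower(), v["product"].lower())
        rows.append({
            "cve": v["cveID"],
            "deployed": key in inventory,
            "due": due,
            "days_left": (due - today).days,  # negative means overdue
        })
    return sorted(rows, key=lambda r: (not r["deployed"], r["due"], r["cve"]))


if __name__ == "__main__":
    added = new_entries(PREVIOUS, CURRENT)
    print(f"{len(added)} new KEV records "
          f"(count {PREVIOUS['count']} -> {CURRENT['count']})")
    # Evaluation date is an assumption: the day after the catalog release.
    for r in triage(added, INVENTORY, today=date(2026, 3, 10)):
        state = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        scope = "deployed" if r["deployed"] else "not in inventory"
        print(f"{r['cve']:<15} due {r['due']}  {state:<9} {scope}")
```

Matching on exact vendor and product strings is deliberately strict; a real inventory usually needs a name-normalization step before this comparison is trustworthy.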

Timeline

  1. Mar 9, 2026

    CISA sets expedited remediation deadlines for federal agencies

    Under BOD 22-01, CISA required FCEB agencies to remediate the SolarWinds flaw by 2026-03-12 and the Ivanti and Workspace ONE flaws by 2026-03-23. Reporting characterized the timelines as accelerated due to active exploitation.

  2. Mar 9, 2026

    CISA adds three actively exploited flaws to the KEV catalog

    On 2026-03-09, CISA added CVE-2021-22054 (Omnissa Workspace ONE UEM), CVE-2025-26399 (SolarWinds Web Help Desk), and CVE-2026-1603 (Ivanti Endpoint Manager) to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The update increased the KEV total from 1,536 to 1,539 entries.

  3. Feb 15, 2026

    Reports say Ivanti EPM flaw has been weaponized since mid-February

    SC Media reported that threat actors had been weaponizing Ivanti Endpoint Manager flaw CVE-2026-1603 since mid-February 2026. Other coverage also cited observed exploitation attempts, though Ivanti said it was not aware of customer exploitation.

  4. Sep 1, 2025

    Trend Micro ZDI reports SolarWinds Web Help Desk flaw CVE-2025-26399

    Trend Micro's Zero Day Initiative initially reported CVE-2025-26399 in SolarWinds Web Help Desk in September 2025. Later reporting described it as another patch attempt for an underlying deserialization weakness previously tracked in 2024.

Related Stories

CISA Adds Actively Exploited Vulnerabilities to the Known Exploited Vulnerabilities Catalog

CISA updated its **Known Exploited Vulnerabilities (KEV) Catalog** after identifying evidence of **active exploitation in the wild**, reinforcing that organizations should prioritize remediation under **BOD 22-01** timelines (for FCEB agencies) and as a broader risk-reduction measure for all enterprises. One update added **CVE-2025-68613** affecting *n8n*, described as an **improper control of dynamically-managed code resources** issue, and CISA emphasized that KEV entries represent vulnerabilities being leveraged by threat actors. Separate KEV-related reporting described additional catalog additions tied to active exploitation, including **CVE-2026-1603** (*Ivanti Endpoint Manager*) described as an **authentication bypass** with potential exposure of credential data (fixed in *EPM 2024 SU5*), **CVE-2025-26399** (*SolarWinds Web Help Desk*) described as a **critical deserialization/RCE** issue in `AjaxProxy` (fixed in *WHD 12.8.7 HF1*), and **CVE-2021-22054** (*Omnissa/VMware Workspace ONE*) described as an **SSRF**. Additional coverage also highlighted CISA’s KEV addition of multiple **Apple** vulnerabilities—**CVE-2023-43000**, **CVE-2023-41974** (both **use-after-free**), and **CVE-2021-30952** (**integer overflow**)—impacting macOS/iOS/iPadOS and related platforms, with exploitation reported as active and patching urged to reduce risk of arbitrary code execution and elevated privileges.

Yesterday

CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.

1 month ago

CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.

1 month ago
