CISA has added three actively exploited vulnerabilities to its KEV catalog, affecting SolarWinds, Ivanti, and VMware products, with federal agencies given urgent patching deadlines.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about three critical vulnerabilities that are currently being exploited in the wild, adding them to its Known Exploited Vulnerabilities (KEV) catalog. The affected products span major enterprise software providers including SolarWinds, Ivanti, and VMware (now Omnissa), highlighting the ongoing threat to critical infrastructure and federal systems.
The Three Actively Exploited Vulnerabilities
CVE-2025-26399: SolarWinds Web Help Desk Deserialization Flaw
With a critical CVSS score of 9.8, this vulnerability in the AjaxProxy component of SolarWinds Web Help Desk allows attackers to execute arbitrary commands on the host machine through deserialization of untrusted data. Microsoft and Huntress researchers have observed threat actors actively exploiting this flaw to gain initial access to systems.
The activity has been attributed to the Warlock ransomware group, demonstrating how unpatched vulnerabilities can serve as entry points for sophisticated ransomware operations. Organizations using SolarWinds Web Help Desk versions prior to the patched release should treat this as an immediate priority.
CVE-2021-22054: VMware Workspace One UEM SSRF Vulnerability
This server-side request forgery (SSRF) vulnerability, carrying a CVSS score of 7.5, affects Omnissa Workspace One UEM (formerly VMware Workspace One UEM). The flaw allows malicious actors with network access to send requests without authentication, potentially exposing sensitive information.
GreyNoise flagged this vulnerability in March 2025 as being exploited alongside several other SSRF vulnerabilities across different products in what appears to be a coordinated campaign. SSRF vulnerabilities are particularly dangerous because they can bypass network security controls and access internal resources that would otherwise be protected.
CVE-2026-1603: Ivanti Endpoint Manager Authentication Bypass
This authentication bypass vulnerability in Ivanti Endpoint Manager has a CVSS score of 8.6 and could allow remote unauthenticated attackers to leak specific stored credential data. The exploitation method remains unclear, as Ivanti's security bulletin has not yet been updated to reflect the active exploitation status.
Authentication bypass vulnerabilities are especially concerning because they can provide attackers with privileged access without requiring valid credentials, potentially leading to lateral movement and data exfiltration.
Federal Agency Response Timeline
CISA has mandated strict deadlines for Federal Civilian Executive Branch (FCEB) agencies to address these vulnerabilities:
- SolarWinds Web Help Desk (CVE-2025-26399): Patch by March 12, 2026
- Ivanti Endpoint Manager (CVE-2026-1603) and VMware Workspace One UEM (CVE-2021-22054): Patch by March 23, 2026
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA stated in its announcement.
The Broader Context of Enterprise Vulnerability Exploitation
This warning comes amid a concerning trend of sophisticated threat actors targeting enterprise software vulnerabilities. The Warlock ransomware group's exploitation of the SolarWinds flaw demonstrates how initial access vulnerabilities can lead to devastating ransomware attacks.
The coordinated exploitation of SSRF vulnerabilities across multiple products, as seen with CVE-2021-22054, suggests organized campaigns targeting specific enterprise environments. This pattern indicates that threat actors are conducting systematic vulnerability research and developing exploit chains across different software platforms.
Mitigation and Protection Strategies
Organizations should immediately:
- Verify patch availability for all affected products and apply updates according to CISA's timeline
- Implement network segmentation to limit the potential impact of compromised systems
- Monitor for suspicious activity related to these vulnerabilities, particularly unusual network requests or authentication attempts
- Review access controls and ensure that only necessary services are exposed to the network
- Consider temporary mitigations if patches cannot be applied immediately, such as disabling affected components or implementing additional authentication requirements
For SolarWinds Web Help Desk specifically, organizations should be aware that the Warlock ransomware group has been observed exploiting this vulnerability, making rapid patching essential to prevent ransomware infections.
The Importance of the KEV Catalog
CISA's Known Exploited Vulnerabilities catalog serves as a critical resource for organizations to prioritize their vulnerability management efforts. By focusing on vulnerabilities with evidence of active exploitation, the KEV catalog helps security teams allocate resources to address the most pressing threats rather than attempting to patch every vulnerability simultaneously.
The addition of these three vulnerabilities underscores the ongoing challenge of securing enterprise software and the importance of maintaining current patch management programs. As threat actors continue to develop sophisticated exploitation techniques, organizations must remain vigilant and responsive to emerging threats.
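The KEV-driven prioritization described above can be automated by joining catalog entries against an asset inventory and sorting by remediation deadline. The following is an added example, not code from CISA or from this article's sources: the feed excerpt is constructed from the CVE IDs and due dates reported here, and the inventory, host names, alias table and "today" date are hypothetical.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. CVE IDs, products and
# due dates are the ones reported in this article; other feed fields omitted.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dueDate": "2026-03-12"},
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
     "product": "Workspace One UEM", "dueDate": "2026-03-23"},
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
     "product": "Endpoint Manager", "dueDate": "2026-03-23"},
]}

# Hypothetical asset inventory: host -> installed (vendor, product) pairs.
INVENTORY = {
    "helpdesk01": [("SolarWinds", "Web Help Desk")],
    "uem-gw": [("VMware", "Workspace ONE UEM")],  # recorded under the old vendor name
    "build07": [("Jenkins", "Jenkins")],          # not in the excerpt above
}

# Vendor renames break naive joins (the article notes VMware is now Omnissa).
VENDOR_ALIASES = {"vmware": "omnissa"}

def _key(vendor, product):
    v = vendor.strip().lower()
    return (VENDOR_ALIASES.get(v, v), " ".join(product.lower().split()))

def triage(feed, inventory, today):
    """Return KEV findings for inventoried products, earliest deadline first."""
    by_product = {}
    for vuln in feed["vulnerabilities"]:
        by_product.setdefault(_key(vuln["vendorProject"], vuln["product"]), []).append(vuln)
    findings = []
    for host, installed in inventory.items():
        for vendor, product in installed:
            for vuln in by_product.get(_key(vendor, product), []):
                due = date.fromisoformat(vuln["dueDate"])
                # days_left < 0 means the remediation deadline has passed
                findings.append({"host": host, "cve": vuln["cveID"], "due": due,
                                 "days_left": (due - today).days})
    return sorted(findings, key=lambda f: (f["due"], f["host"]))

if __name__ == "__main__":
    for f in triage(KEV_FEED, INVENTORY, date(2026, 3, 14)):  # constructed "today"
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['due']}  {f['cve']:<15} {f['host']:<12} {state}")
```

The alias table matters in practice: an inventory that still lists the product under its former vendor name would otherwise miss the Workspace One UEM entry entirely.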

Looking Forward
The exploitation of enterprise software vulnerabilities represents a significant and persistent threat to organizational security. As demonstrated by these three cases, vulnerabilities in widely deployed enterprise products can have far-reaching consequences when exploited by sophisticated threat actors.
Organizations should view this warning as a reminder to maintain robust vulnerability management programs, implement defense-in-depth strategies, and stay informed about emerging threats through resources like CISA's KEV catalog. The cost of prevention through timely patching is invariably lower than the cost of responding to a successful exploitation attempt.
The federal government's response to these vulnerabilities, with specific deadlines and enforcement mechanisms, highlights the critical nature of these threats and the importance of coordinated action in addressing them. Private sector organizations should act with similar urgency in addressing these vulnerabilities, particularly given the ransomware threat posed by the Warlock group's exploitation of the SolarWinds flaw.
