
What happened
CISA added three vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog on March 9, 2026, citing evidence of active exploitation:
- CVE-2025-26399 — SolarWinds Web Help Desk deserialization issue (AjaxProxy), potential remote command execution.
- CVE-2026-1603 — Ivanti Endpoint Manager authentication bypass that can expose stored credential data.
- CVE-2021-22054 — Omnissa (VMware) Workspace ONE UEM SSRF issue that can expose sensitive information.
CISA assigned near-term due dates for U.S. federal civilian agencies, with the SolarWinds fix due first.
Why this matters
- KEV additions are a strong signal that attackers are using these bugs in real-world operations.
- The affected products are commonly deployed in enterprise IT management paths.
- Vulnerabilities tied to management systems can become force multipliers for later movement inside a network.
What defenders should do now
- Prioritize patching for all three CVEs in vulnerability queues.
- Audit exposure paths for internet-facing or externally reachable management interfaces.
- Review logs for suspicious admin actions, unusual request patterns, and authentication anomalies.
- Segment and restrict access to management tooling to limit blast radius.
- Track CISA KEV updates daily and align remediation SLAs to active exploitation status.
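One way to automate the daily KEV check from the last item is sketched below. This is an added example, not code from CISA or the article. It assumes the field names of CISA's KEV JSON feed (cveID, product, dateAdded, dueDate), a hypothetical inventory keyed by exact product name, and placeholder due dates, since the article gives no dates beyond saying the SolarWinds fix is due first.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. CVE IDs, products and
# dateAdded come from the article; the dueDate values are placeholders made up
# for this example (the article only says the SolarWinds fix is due first).
SAMPLE_KEV = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa", "product": "Workspace ONE UEM",
  "dateAdded": "2026-03-09", "dueDate": "2026-03-23"},
 {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk",
  "dateAdded": "2026-03-09", "dueDate": "2026-03-12"},
 {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager",
  "dateAdded": "2026-03-09", "dueDate": "2026-03-23"}
]}
""")

# Hypothetical inventory: lower-cased product name -> hosts running it.
INVENTORY = {
    "web help desk": ["helpdesk01.example.internal"],
    "endpoint manager": ["epm-core.example.internal", "epm-dr.example.internal"],
}

def remediation_queue(kev, inventory, today, since=None):
    """Return KEV entries that match deployed products, earliest due date first."""
    queue = []
    for v in kev["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        if since and added < since:
            continue  # already triaged in an earlier daily run
        hosts = inventory.get(v["product"].strip().lower())
        if not hosts:
            continue  # product not deployed in this environment
        due = date.fromisoformat(v["dueDate"])
        days_left = (due - today).days
        queue.append({"cve": v["cveID"], "product": v["product"], "hosts": hosts,
                      "due": due, "days_left": days_left, "overdue": days_left < 0})
    return sorted(queue, key=lambda e: (e["due"], e["cve"]))

if __name__ == "__main__":
    for e in remediation_queue(SAMPLE_KEV, INVENTORY, date(2026, 3, 10), since=date(2026, 3, 9)):
        flag = "OVERDUE" if e["overdue"] else f"{e['days_left']}d left"
        print(f"{e['due']}  {e['cve']:<15} {e['product']:<18} {flag:<9} {', '.join(e['hosts'])}")
```

Exact product-name matching misses renamed or rebranded products, so a real inventory join needs an alias table or CPE-based matching.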
Bottom line
This is a practical, short-deadline patching event. If your environment uses SolarWinds Web Help Desk, Ivanti EPM, or Workspace ONE UEM, treat these CVEs as active-risk items and move them to the front of the queue.
