Three KEV flaws that force patching now, according to CISA


The US cybersecurity agency CISA raised the alarm again this week by adding three serious flaws to its Known Exploited Vulnerabilities (KEV) catalogue, a list of vulnerabilities with evidence of active exploitation. These are not mere recommendations: when CISA adds an entry to the KEV, it usually carries immediate obligations for federal agencies and, in practice, sets priorities for security teams around the world. The official alert is available on the CISA site.

The three added flaws differ in nature, but they share something disturbing: each allows an attacker to bypass normal barriers and reach resources or execute code with considerable impact. The first, tracked as CVE-2021-22054 (CVSS 7.5), is an SSRF vulnerability in Omnissa Workspace ONE UEM, the platform formerly known as VMware Workspace ONE UEM. In simple terms, an SSRF (Server-Side Request Forgery) lets an attacker induce the server to make requests to destinations that would not normally be reachable from outside, potentially exposing sensitive data or internal resources. Technical research, such as that published by Assetnote, describes how this flaw can be exploited without authentication and how it fits into wider campaigns.

The second vulnerability, CVE-2025-26399 (CVSS 9.8), affects the AjaxProxy component of SolarWinds Web Help Desk. It is a deserialization of untrusted data flaw, a class of bug that often lets an attacker send manipulated data which, when deserialized on the server, results in command execution. CISA points out that this vector has been used to gain initial access to target environments, activity that, according to reports collected by the agency, is linked to operations of the ransomware group known as Warlock.

The third entry is CVE-2026-1603 (CVSS 8.6), a vulnerability in Ivanti Endpoint Manager that allows authentication to be bypassed through alternate paths or channels and stored credentials potentially to be extracted. No solid public details on mass exploitation techniques for this vulnerability have been published at present; Ivanti maintains a security bulletin on EPM which, according to the information available, does not yet fully reflect its exploitation status.

The decision to include these flaws in the KEV is not purely descriptive: it comes with specific deadlines for action. CISA required Federal Civilian Executive Branch agencies to fix the SolarWinds Web Help Desk flaw before March 12, 2026, and to apply the remaining fixes, for the SSRF in Workspace ONE and the Ivanti flaw, before March 23, 2026. These dates highlight the urgency: when a vulnerability is exploited in the wild, the exposure window can close very quickly for those who patch and open dangerously for those who do not.
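One way to turn these deadlines into a work queue, as an added example that is not CISA's code or part of the original article: match KEV-style records against an asset inventory and order the unpatched hits by due date. The records are constructed from the CVE ids and dates in this article using the KEV JSON feed's field names; the inventory, its hostnames and its `patched` and `internet_facing` fields are assumptions.

```python
from datetime import date

# Constructed records in the shape of CISA's KEV JSON feed. Field names follow
# the feed; CVE ids, products and due dates come from this article, and the
# ransomware flag mirrors the article's text, not the live catalogue.
KEV = [
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
     "product": "Workspace ONE UEM", "dueDate": "2026-03-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dueDate": "2026-03-12",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
     "product": "Endpoint Manager", "dueDate": "2026-03-23",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Hypothetical asset inventory: hosts and field names are assumptions.
INVENTORY = [
    {"host": "helpdesk01", "vendor": "solarwinds", "product": "web help desk",
     "internet_facing": True, "patched": False},
    {"host": "uem-console", "vendor": "Omnissa", "product": "Workspace ONE UEM",
     "internet_facing": True, "patched": True},
    {"host": "epm-core", "vendor": "Ivanti", "product": "Endpoint  Manager",
     "internet_facing": False, "patched": False},
    {"host": "wiki01", "vendor": "Example", "product": "Wiki",
     "internet_facing": False, "patched": False},
]

def norm(vendor, product):
    """Case- and whitespace-insensitive key for matching product names."""
    return " ".join(f"{vendor} {product}".lower().split())

def triage(kev, inventory, today):
    """Return unpatched assets matching a KEV entry, most urgent first."""
    index = {}
    for v in kev:
        index.setdefault(norm(v["vendorProject"], v["product"]), []).append(v)
    rows = []
    for a in inventory:
        for v in ([] if a["patched"] else index.get(norm(a["vendor"], a["product"]), [])):
            days = (date.fromisoformat(v["dueDate"]) - today).days
            rows.append({"host": a["host"], "cve": v["cveID"], "days_left": days,
                         "overdue": days < 0, "exposed": a["internet_facing"],
                         "ransomware": v["knownRansomwareCampaignUse"] == "Known"})
    # Earliest deadline first; ties broken by ransomware use, then exposure.
    rows.sort(key=lambda r: (r["days_left"], not r["ransomware"], not r["exposed"]))
    return rows
```

Calling `triage(KEV, INVENTORY, date(2026, 3, 10))` puts the Web Help Desk host first with two days left; a negative `days_left` marks an asset that has passed its deadline.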

Why does this matter outside the federal perimeter? Because many of the affected technologies are present in companies and suppliers, and the observed attack patterns are often replicated in the private sector. The combination of unauthenticated SSRF, deserialization flaws and authentication bypass creates a chain of risks that can lead from the leakage of internal secrets to remote code execution and the subsequent deployment of ransomware. CISA summarizes this by noting that these types of vulnerabilities are common vectors for malicious actors and represent a real danger to the "federal enterprise," but the same logic applies to any organization with similar exposure.

From a practical perspective, the immediate response is to apply official patches and follow the vendor's recommendations. For Workspace ONE UEM there is technical documentation and there are security advisories published by the vendor and by the researchers who demonstrated exploitation techniques; mitigation guides often include updating to patched versions and reviewing configurations so that management interfaces are not exposed externally. In the case of SolarWinds Web Help Desk, given the high CVSS score and the confirmation of active exploitation, rapid action is especially critical. And for Ivanti, in addition to monitoring the official bulletin, it is advisable to limit access to the service from untrusted networks and to audit the use of stored credentials.

Beyond patching, organizations must strengthen compensating controls: network segmentation to limit the ability of a compromised service to pivot to other assets, logs and telemetry that allow detection of unusual behaviour linked to SSRF or remote code execution, and response plans that prioritize exposed assets. Accumulated experience shows that in many initial intrusions the attacker takes advantage of a single public flaw to install backdoors or move laterally; interrupting that flow reduces the potential damage.
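A sketch of the SSRF-oriented telemetry check mentioned above, as an added example that is not part of the original article: it scans outbound connection records from an internet-facing server and flags requests to loopback, link-local (cloud metadata) or private ranges that are not on an allow list. The log format, hostnames, addresses and allow list are constructed assumptions.

```python
import ipaddress

# Constructed egress records: "<time> <source-host> <dest-ip> <dest-port>".
# Format, hostnames and addresses are assumptions made for this example.
SAMPLE_LOG = """\
2026-03-10T09:14:02Z uem-console 203.0.113.25 443
2026-03-10T09:14:07Z uem-console 169.254.169.254 80
2026-03-10T09:14:09Z uem-console 10.20.0.15 8500
2026-03-10T09:14:11Z uem-console ::ffff:127.0.0.1 6379
2026-03-10T09:14:15Z uem-console 10.20.0.53 53
2026-03-10T09:14:20Z build-agent 10.20.0.15 8500
truncated line
"""

WATCHED = {"uem-console"}        # internet-facing servers to monitor (assumed)
ALLOWED = {("10.20.0.53", 53)}   # internal services they legitimately use (assumed)
INTERNAL = {
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link-local/metadata": ["169.254.0.0/16", "fe80::/10"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],
}
NETS = [(label, ipaddress.ip_network(n)) for label, ns in INTERNAL.items() for n in ns]

def classify(ip_text):
    """Return the internal range an address falls in, or None if external."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is treated as 127.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return next((label for label, net in NETS if ip in net), None)

def suspicious_egress(log_text):
    """List (time, host, dest, port, range) for unexpected internal requests."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in WATCHED:
            continue
        when, host, dest, port = parts
        try:
            label, port = classify(dest), int(port)
        except ValueError:
            continue  # unparsable address or port: skip the record
        if label and (dest, port) not in ALLOWED:
            alerts.append((when, host, dest, port, label))
    return alerts
```

On the sample records, `suspicious_egress(SAMPLE_LOG)` reports the metadata address, the unlisted private service and the IPv4-mapped loopback request, and ignores the allow-listed DNS lookup and the unwatched host.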

If you want to consult the primary sources for these entries and the CISA assessment, you can check the agency's own alert on its site, the KEV catalogue page and the relevant CVE records: CVE-2021-22054, CVE-2025-26399 and CVE-2026-1603. For deeper technical research on the SSRF in Workspace ONE UEM, the work of Assetnote is recommended reading, and the vendors' notes on patches and mitigations are available on their respective channels.

The conclusion for any security lead is simple and uncomfortable: when a vulnerability appears in the KEV, it is not a theoretical matter. It requires prioritizing patches, reviewing exposed access and preparing for detection. The threat moves fast and, if the response does not match that speed, the impact can be severe.
