Based on evidence of active exploitation, the U.S This article explores vulnerability solarwinds web. . Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Monday.
The following is the vulnerability list: CVE-2021-22054 (CVSS score: 7.5). An Omnissa Workspace server-side request forgery (SSRF) vulnerability A malicious actor with network access to UEM may be able to send requests without authentication and obtain sensitive data through one UEM (formerly VMware Workspace One UEM). CVE-2025-26399 (CVSS score: 9.8) is a deserialization of untrusted data vulnerability in SolarWinds Web Help Desk's AjaxProxy component that may enable an attacker to execute commands on the host computer.
CVE-2026-1603 (CVSS score: 8.6) is a vulnerability in Ivanti Endpoint Manager that allows a remote unauthenticated attacker to obtain specific stored credential data by using an alternate path or channel. Following reports from Microsoft and Huntress that threat actors are using security holes in SolarWinds Web Help Desk to gain initial access, CVE-2025-26399 has been added. The Warlock ransomware team is thought to be responsible for the activity.
In March 2025, GreyNoise reported that CVE-2021-22054 was being exploited in conjunction with multiple other SSRF vulnerabilities in other products as part of a coordinated campaign. How CVE-2026-1603 is being used as a weapon in the wild is currently unknown.
As of this writing, the exploitation status has not been updated in Ivanti's security bulletin. Federal Civilian Executive Branch (FCEB) agencies are required to implement the SolarWinds Web Help Desk fix by March 12, 2026, and the other two by March 23, 2026, in order to mitigate the risk posed by active threats. According to CISA, "these kinds of vulnerabilities pose significant risks to the federal enterprise and are frequent attack vectors for malicious cyber actors."
