INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).

SolarWinds EPM and Ivanti Workspace One Exploited Vulnerabilities

| 2026-03-10 09:52 CRITICAL HIGH
JSON
Executive Summary AI-generated
The US Agency has ordered federal agencies to fix the SolarWinds flaw CVE-2025-26399 by March 12, 2026. This critical vulnerability affects various software products including Ivanti EPM, SolarWinds Web Help Desk, and Omnissa Workspace One Server-Side Request Forgery. The flaws were disclosed in February 2026 after a patch was released for more than a dozen vulnerabilities in Endpoint Manager that included the aforementioned flaw. The US Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its Known Exploited Vulnerabilities catalog, prompting federal agencies to take immediate action to address the vulnerabilities by March 23, 2026.
Technical Mitigations AI-generated
* Implement a secure patching strategy for vulnerable systems, including hot fixes and software updates to address known exploits. * Conduct regular security audits and vulnerability assessments of all systems and applications to identify potential weaknesses before they can be exploited. * Educate users on the importance of keeping software up-to-date with the latest patches and updates, and provide training on how to properly use and configure affected systems. * Implement a robust incident response plan that includes procedures for responding to security incidents, such as identifying and containing breaches, and notifying relevant stakeholders.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-1603CVE-2026-1603 CVE-2021-22054CVE-2021-22054 CVE-2025-26399CVE-2025-26399
Target & Sectors
Global Scope
Incident Timeline
March 2025
The CVE-2021-22054 vulnerability was identified by GreyNoise in March 2025 and is being added to the U.S. CISA's Known Exploited Vulnerabilities catalog.
vulnerability CVE-2021-22054
CVE-2021-22054, on the other hand, was flagged by GreyNoise in March 2025 as being exploited in conjunction with several other SSRF vulnerabilities in other products as part of a coordinated campaign.
organisation GreyNoise
CVE-2021-22054, on the other hand, was flagged by GreyNoise in March 2025 as being exploited in conjunction with several other SSRF vulnerabilities in other products as part of a coordinated campaign.
September 2025
SolarWinds released hot fixes in September 2025 to address the Ivanti Endpoint Manager authentication bypass vulnerability.
organisation SolarWinds
In September 2025, SolarWinds released hot fixes to address this critical flaw.
infrastructure Ivanti
The last issue added to the KeV catalog is an Ivanti Endpoint Manager (EPM) authentication bypass vulnerability tracked as CVE-2026-1603 .
organisation KeV
The last issue added to the KeV catalog is an Ivanti Endpoint Manager (EPM) authentication bypass vulnerability tracked as CVE-2026-1603 .
organisation Ivanti Endpoint
The last issue added to the KeV catalog is an Ivanti Endpoint Manager (EPM) authentication bypass vulnerability tracked as CVE-2026-1603 .
organisation Deserialization of Untrusted Data
Deserialization of Untrusted Data is a high-severity vulnerability where an application reconstructs objects from data received from untrusted sources, without verifying integrity or validity.
October 2025
Threat actors used Ivanti Endpoint Manager to exploit a flaw in the catalog that allows remote unauthenticated access to leak specific stored credential data.
organisation Ivanti
In February, Ivanti released patches for more than a dozen vulnerabilities in Endpoint Manager, including flaws disclosed in October 2025.
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
organisation Endpoint
In February, Ivanti released patches for more than a dozen vulnerabilities in Endpoint Manager, including flaws disclosed in October 2025.
Mar 10, 2026
Threat actors used Ivanti EPM vulnerabilities to target SolarWinds systems.
2026-03-10
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security flaws to its Known Exploited Vulnerabilities catalog: SolarWinds Web Help Desk, Ivanti EPM, and Omnissa Workspace One vulnerabilities.
infrastructure Ivanti
Below are the flaws added to the catalog: CVE-2021-22054  (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery CVE-2025-26399  (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2026-1603  (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054 , in VMware Workspace ONE UEM console.
U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.
U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.
An authentication bypass using an alternate path or channel vulnerability in Ivanti Endpoint Manager that could allow a remote unauthenticated attacker to leak specific stored credential data.
As of writing, Ivanti's security bulletin has not been updated to reflect the exploitation status.
organisation CVSS
Below are the flaws added to the catalog: CVE-2021-22054  (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery CVE-2025-26399  (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2026-1603  (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054 , in VMware Workspace ONE UEM console.
organisation Untrusted Data Vulnerability CVE-2026
Below are the flaws added to the catalog: CVE-2021-22054  (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery CVE-2025-26399  (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2026-1603  (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054 , in VMware Workspace ONE UEM console.
organisation EPM
Below are the flaws added to the catalog: CVE-2021-22054  (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery CVE-2025-26399  (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2026-1603  (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054 , in VMware Workspace ONE UEM console.
organisation VMware Workspace
Below are the flaws added to the catalog: CVE-2021-22054  (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery CVE-2025-26399  (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2026-1603  (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054 , in VMware Workspace ONE UEM console.
organisation UEM
Below are the flaws added to the catalog: CVE-2021-22054  (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery CVE-2025-26399  (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2026-1603  (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054 , in VMware Workspace ONE UEM console.
A server-side request forgery ( SSRF ) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that could allow a malicious actor with network access to UEM to send requests without authentication and to gain access to sensitive information.
organisation CVE-2025-26399
CVE-2025-26399 (CVSS score: 9.8) -
organisation Microsoft
The addition of CVE-2025-26399 comes in the wake of reports from Microsoft and Huntress that threat actors are exploiting security flaws in SolarWinds Web Help Desk to obtain initial access.
organisation Huntress
The addition of CVE-2025-26399 comes in the wake of reports from Microsoft and Huntress that threat actors are exploiting security flaws in SolarWinds Web Help Desk to obtain initial access.
organisation Ivanti Endpoint
An authentication bypass using an alternate path or channel vulnerability in Ivanti Endpoint Manager that could allow a remote unauthenticated attacker to leak specific stored credential data.
organisation CVE-2026-1603
CVE-2026-1603 (CVSS score: 8.6) -
organisation Omnissa Workspace One
A server-side request forgery ( SSRF ) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that could allow a malicious actor with network access to UEM to send requests without authentication and to gain access to sensitive information.
organisation SolarWinds
A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to run commands on the host machine.
organisation AjaxProxy
A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to run commands on the host machine.
March 12, 2026
The US Agency ordered federal agencies to apply a fix for the SolarWinds Web Help Desk vulnerability CVE-2025-26399 by March 12, 2026.
source_region United States
The US Agency orders federal agencies to fix the SolarWinds flaw CVE-2025-26399 by March 12, 2026.
attribution CVE-2025-26399
The US Agency orders federal agencies to fix the SolarWinds flaw CVE-2025-26399 by March 12, 2026.
attribution The US Agency
The US Agency orders federal agencies to fix the SolarWinds flaw CVE-2025-26399 by March 12, 2026.
attribution FCEB
To counter the risk posed by active threats, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fix for SolarWinds Web Help Desk by March 12, 2026, and the remaining two by March 23, 2026.
attribution Federal Civilian Executive Branch
To counter the risk posed by active threats, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fix for SolarWinds Web Help Desk by March 12, 2026, and the remaining two by March 23, 2026.
March 23, 2026
The U.S. CISA adds Ivanti EPM, SolarWinds and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.
attribution FCEB
To counter the risk posed by active threats, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fix for SolarWinds Web Help Desk by March 12, 2026, and the remaining two by March 23, 2026.
attribution Federal Civilian Executive Branch
To counter the risk posed by active threats, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fix for SolarWinds Web Help Desk by March 12, 2026, and the remaining two by March 23, 2026.
vulnerability CVE-2021-22054
CISA orders federal agencies to fix the vulnerabilities CVE-2026-1603 and CVE-2021-22054 by March 23, 2026.
vulnerability CVE-2026-1603
CISA orders federal agencies to fix the vulnerabilities CVE-2026-1603 and CVE-2021-22054 by March 23, 2026.
Tactical Metrics
Metrics
infrastructure
​Ivanti
Affected Product
U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.
U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.
Below are the flaws added to the catalog: CVE-2021-22054  (CVSS score of 7.5) Omnissa Workspace ONE Server-Side Request Forgery CVE-2025-26399  (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2026-1603  (CVSS score of 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054 , in VMware Workspace ONE UEM console.
The last issue added to the KeV catalog is an Ivanti Endpoint Manager (EPM) authentication bypass vulnerability tracked as CVE-2026-1603 .
In February, Ivanti released patches for more than a dozen vulnerabilities in Endpoint Manager, including flaws disclosed in October 2025.
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited.
An authentication bypass using an alternate path or channel vulnerability in Ivanti Endpoint Manager that could allow a remote unauthenticated attacker to leak specific stored credential data.
As of writing, Ivanti's security bulletin has not been updated to reflect the exploitation status.
Intelligence Sources
The Hacker News 2026-03-10
Security Affairs 2026-03-10