CISA KEV Catalog Update – March 9 2026


CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog today, based on evidence of active exploitation.

CVE-2026-1603 — Ivanti Endpoint Manager (EPM) Authentication Bypass

Tracked as CVE-2026-1603, this high-severity weakness in Ivanti Endpoint Manager is described as an authentication bypass leading to the exposure of credential data. It was resolved in EPM 2024 SU5. The vulnerability was originally reported to Ivanti in November 2024 and publicly disclosed by Trend Micro’s Zero Day Initiative. This is distinct from the EPMM zero-days disclosed in January — EPM and EPMM are separate products, and this flaw specifically allows attackers to bypass authentication and access credential stores without valid credentials.

Affected product: Ivanti Endpoint Manager (EPM) 2024 and prior
Fix: Upgrade to EPM 2024 SU5 immediately

CVE-2025-26399 — SolarWinds Web Help Desk Deserialization of Untrusted Data

CVE-2025-26399 is a deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk (WHD), rated critical with a CVSS score of 9.8. Successful exploitation allows a remote, unauthenticated adversary to achieve remote code execution on the host machine. Notably, this vulnerability bypasses the patch for CVE-2024-28988, which was itself an incomplete fix for the original vulnerability CVE-2024-28986 — making this the third iteration of the same underlying weakness, and a strong signal that organizations that patched prior SolarWinds WHD flaws may still be exposed.

Affected product: SolarWinds Web Help Desk versions prior to 12.8.7 HF1
Fix: Upgrade to WHD 12.8.7 Hotfix 1 or later

CVE-2021-22054 — Omnissa Workspace ONE Server-Side Request Forgery

CVE-2021-22054 is a Server-Side Request Forgery (SSRF) vulnerability in Omnissa Workspace ONE — a mobile device management platform formerly known as VMware Workspace ONE. The KEV listing confirms active exploitation is now occurring against this flaw, which is over four years old. Its addition to the catalog is a stark reminder that threat actors actively exploit legacy, unpatched vulnerabilities long after initial disclosure — particularly in MDM and enterprise mobility management platforms that often go overlooked in patch cycles.

Broader Context: Ivanti’s Ongoing Vulnerability Trend

Today’s addition of CVE-2026-1603 continues a sustained pattern of Ivanti products appearing in the KEV catalog. In the past six weeks alone, CISA has cataloged Ivanti vulnerabilities including CVE-2026-1281, a critical code injection flaw in Ivanti EPMM with a CVSS score of 9.8 that allows unauthenticated remote code execution. For that flaw, vendor disclosure, the CISA KEV listing, and confirmed government compromise all occurred on a single day in January 2026, with the Dutch Data Protection Authority and the Council for the Judiciary among the confirmed victims.

GreyNoise analysis of the EPMM exploitation campaign found that 83% of observed exploitation traffic traces to a single IP address on bulletproof hosting infrastructure — and that several of the most widely shared IoCs for the campaign showed zero Ivanti exploitation activity, instead scanning for Oracle WebLogic. Defenders blocking only published indicators may be watching the wrong door.

What You Need to Do

Federal agencies are required to remediate all three CVEs by their respective KEV deadlines under BOD 22-01. All organizations should treat these as urgent regardless of the federal mandate.

Priority actions: patch Ivanti EPM to 2024 SU5 without delay; upgrade SolarWinds Web Help Desk to 12.8.7 HF1 or later; audit all Omnissa Workspace ONE deployments for signs of SSRF exploitation; and critically — don’t rely solely on published IoCs for Ivanti products, as current threat intelligence shows active exploitation infrastructure is absent from widely circulated indicator lists.
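
A version triage for the two products with a stated fixed release, added here as an example and not part of the original post or any vendor tooling. The inventory labels, hostnames and the version-string format (`2024 SU5`, `12.8.7 HF1`) are assumptions; adapt the parser to what your asset inventory actually reports.

```python
import re

# Fixed releases as stated in the post; Workspace ONE is omitted because no
# fixed version is given. Keys are assumed inventory labels, not vendor IDs.
FIXED = {
    "ivanti epm": ("CVE-2026-1603", "2024 SU5"),
    "solarwinds whd": ("CVE-2025-26399", "12.8.7 HF1"),
}
_VERSION = re.compile(r"\s*(\d+(?:\.\d+)*)(?:\s+(?:SU|HF|Hotfix)\s*(\d+))?\s*", re.I)

def parse_version(text):
    """Parse '2024 SU5' or '12.8.7 HF1' into a comparable (base, patch) tuple."""
    m = _VERSION.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = [int(p) for p in m.group(1).split(".")]
    while len(base) > 1 and base[-1] == 0:  # treat 12.8.7.0 as 12.8.7
        base.pop()
    return tuple(base), int(m.group(2) or 0)

def triage(inventory):
    """Return (host, cve, status) for every host not known to be fixed."""
    findings = []
    for host, product, version in inventory:
        entry = FIXED.get(product.strip().lower())
        if entry is None:
            continue
        cve, fixed = entry
        try:
            below = parse_version(version) < parse_version(fixed)
            status = "affected" if below else "fixed"
        except ValueError:
            status = "unknown"  # unparseable: report for manual review
        if status != "fixed":
            findings.append((host, cve, status))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("epm-core-01", "Ivanti EPM", "2024 SU4"),
    ("epm-core-02", "Ivanti EPM", "2024 SU5"),
    ("whd-01", "SolarWinds WHD", "12.8.7"),
    ("whd-02", "SolarWinds WHD", "12.8.7 Hotfix 1"),
    ("whd-03", "SolarWinds WHD", "build unknown"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

Hosts with an unparseable version are reported as `unknown` rather than skipped, so a missing build string never reads as a clean result.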
