CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2021-22054 (Omnissa Workspace ONE UEM / formerly VMware Workspace ONE UEM, SSRF), CVE-2025-26399 (SolarWinds Web Help Desk, deserialization of untrusted data in AjaxProxy enabling command execution), and CVE-2026-1603 (Ivanti Endpoint Manager (EPM), authentication bypass). CISA reiterated that KEV-listed issues are common intrusion vectors and that Federal Civilian Executive Branch (FCEB) agencies must remediate per BOD 22-01 deadlines, while strongly urging all organizations to prioritize patching/mitigation of KEV entries as part of vulnerability management.
CISA’s public KEV data repository was updated to reflect the 2026-03-09 catalog release, increasing the catalog count and adding records for the newly listed CVEs, including short descriptions, required actions, and remediation due dates (e.g., 2026-03-23 for CVE-2021-22054 and 2026-03-12 for CVE-2025-26399). Separate reporting about CISA warning on exploited Apple vulnerabilities (macOS/iOS/iPadOS/Safari) describes a different set of CVEs and does not align with the KEV additions in this alert.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Under BOD 22-01, CISA required FCEB agencies to remediate the SolarWinds flaw by 2026-03-12 and the Ivanti and Workspace ONE flaws by 2026-03-23. Reporting characterized the timelines as accelerated due to active exploitation.
On 2026-03-09, CISA added CVE-2021-22054 (Omnissa Workspace ONE UEM), CVE-2025-26399 (SolarWinds Web Help Desk), and CVE-2026-1603 (Ivanti Endpoint Manager) to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The update increased the KEV total from 1,536 to 1,539 entries.
SC Media reported that threat actors had been weaponizing Ivanti Endpoint Manager flaw CVE-2026-1603 since mid-February 2026. Other coverage also cited observed exploitation attempts, though Ivanti said it was not aware of customer exploitation.
Trend Micro's Zero Day Initiative initially reported CVE-2025-26399 in SolarWinds Web Help Desk in September 2025. Later reporting described it as another patch attempt for an underlying deserialization weakness previously tracked in 2024.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecsoonline.com
Open sourcesecurityaffairs.com
Open sourcethehackernews.com
Open sourcethecyberthrone.in
Open sourcecisa.gov
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.