Threat Summary
Category: Active Exploitation / Enterprise Infrastructure
Features: Server-Side Request Forgery (SSRF), Deserialization Exploit, Authentication Bypass
Delivery Method: Remote exploitation of exposed enterprise management platforms
Threat Actor: Mixed threat landscape including ransomware operators, cyber-criminal intrusion groups, and potential state-aligned actors
U.S. cybersecurity authorities have issued a new alert after identifying three vulnerabilities currently being exploited against enterprise infrastructure systems, prompting their inclusion in the federal Known Exploited Vulnerabilities (KEV) Catalog maintained by the Cybersecurity and Infrastructure Security Agency.
Addition to the KEV catalog indicates that security researchers and federal investigators have confirmed active exploitation in the wild, meaning attackers are already using these weaknesses against organizations.
The latest additions affect widely deployed enterprise platforms responsible for endpoint management, mobile device administration, and IT service operations, making them attractive targets for attackers seeking broad control over internal networks.
The vulnerabilities include:
CVE-2021-22054 — Omnissa Workspace ONE Server-Side Request Forgery
This vulnerability enables attackers to manipulate server requests within Workspace ONE infrastructure. Through server-side request forgery techniques, attackers may force the system to interact with internal or external services that are normally restricted from direct access.
If successfully exploited, attackers may retrieve internal system information, access restricted services, or pivot deeper into enterprise networks. Device management platforms such as Workspace ONE are frequently integrated with identity services, making them valuable entry points for attackers.
CVE-2025-26399 — SolarWinds Web Help Desk Deserialization Vulnerability
This flaw stems from unsafe processing of serialized data within SolarWinds Web Help Desk systems. Deserialization vulnerabilities occur when a system reconstructs objects from untrusted input without validating the integrity of the data.
Attackers exploiting this weakness may achieve remote code execution on vulnerable systems, potentially gaining administrative control of help desk infrastructure. Because help desk platforms often connect to user directories, asset inventories, and administrative tools, a successful compromise may allow attackers to escalate privileges and move laterally within a network.
CVE-2026-1603 — Ivanti Endpoint Manager Authentication Bypass
The third vulnerability allows attackers to bypass authentication controls within Ivanti Endpoint Manager systems. Endpoint management platforms typically control software deployment, patch distribution, and configuration management across large networks.
If attackers exploit this authentication bypass, they may gain unauthorized administrative access to endpoint management functions. This could allow malicious actors to deploy malware across thousands of devices simultaneously or manipulate enterprise configurations.
Core Narrative
Enterprise management platforms have become increasingly attractive targets for attackers because they operate at the center of organizational infrastructure.
These systems manage large fleets of devices, control software updates, enforce security policies, and connect directly to authentication systems. A successful compromise can provide attackers with administrative access across entire environments.
In recent years, cyber-criminal groups have increasingly targeted centralized IT platforms because a single breach can provide access to hundreds or thousands of endpoints.
Server-side request forgery vulnerabilities, such as the flaw affecting Workspace ONE, are often used as reconnaissance tools that allow attackers to probe internal network services that are normally shielded behind firewalls.
Deserialization vulnerabilities are widely regarded as particularly dangerous because they frequently allow attackers to execute arbitrary code on the affected system.
Authentication bypass vulnerabilities are also highly sought after by attackers, especially when they occur in administrative platforms responsible for endpoint control.
Because endpoint management systems can push software and configurations to large numbers of machines simultaneously, attackers who gain access to these systems can rapidly expand their reach across the network.
Infrastructure at Risk
Organizations most likely to be exposed to these vulnerabilities include:
- Federal government agencies
- Large corporate enterprise networks
- Managed service providers
- Health care infrastructure
- Financial institutions
- Universities and research networks
- Critical infrastructure operators
Systems running endpoint management tools, device management platforms, or IT support infrastructure should be considered high-priority targets for patching and monitoring.
Policy / Allied Pressure
The vulnerabilities were added to the KEV catalog under the framework of Binding Operational Directive 22-01, a federal cybersecurity mandate designed to reduce risk across government networks.
The directive requires Federal Civilian Executive Branch agencies to remediate KEV vulnerabilities by established deadlines once they are listed in the catalog.
The directive effectively turns KEV entries into mandatory patching priorities for federal agencies, ensuring that actively exploited vulnerabilities receive immediate attention.
Although the directive applies specifically to federal agencies, cybersecurity authorities strongly encourage private sector organizations to follow the same remediation timelines to reduce exposure to cyberattacks.
Vendor Defense / Reliance
Organizations operating affected platforms should immediately review vendor guidance and apply available security updates.
Defensive measures include:
- Installing vendor-released security patches
- Restricting external access to management platforms
- Monitoring logs for unusual authentication attempts
- Reviewing outbound network activity for abnormal server requests
- Conducting vulnerability scans across enterprise management infrastructure
Security teams should also monitor endpoint management servers for unexpected configuration changes or unauthorized deployment activity.
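One way to carry out the outbound-activity review listed above, as an added example (not vendor or CISA code): it flags connections from a management server to loopback, link-local, or RFC 1918 destinations that are not on an allowlist, which is the traffic pattern a server-side request forgery produces. The log format, host name, addresses, and allowlist are constructed for illustration.

```python
import ipaddress

# Constructed egress records: "timestamp source_host dest_ip dest_port".
SAMPLE_LOG = """\
2026-01-01T10:00:01Z mgmt01 203.0.113.10 443
2026-01-01T10:00:05Z mgmt01 169.254.169.254 80
2026-01-01T10:00:09Z mgmt01 127.0.0.1 8080
2026-01-01T10:00:12Z mgmt01 10.20.0.5 389
2026-01-01T10:00:15Z mgmt01 10.20.9.77 6379
2026-01-01T10:00:20Z mgmt01 not-an-ip 80
"""

# RFC 1918 ranges listed explicitly; is_private also matches documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allowlist of internal services the server is expected to call.
ALLOWED_INTERNAL = {("10.20.0.5", 389)}  # e.g. the directory service

def classify(dst, port):
    """Return a reason string if the destination is suspicious, else None."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return "unparseable"          # review by hand rather than drop
    if ip.is_loopback:
        return "loopback"             # server asked to talk to itself
    if ip.is_link_local:
        return "link-local"           # includes the 169.254.169.254 metadata address
    if any(ip in net for net in INTERNAL_NETS) and (str(ip), port) not in ALLOWED_INTERNAL:
        return "internal-unlisted"    # internal service outside the allowlist
    return None

def review(log_text):
    """Return (timestamp, dest, port, reason) for each flagged record."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                  # skip lines not in the assumed format
        ts, _host, dst, port = parts
        reason = classify(dst, int(port))
        if reason:
            findings.append((ts, dst, int(port), reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

The allowlist is the part that needs local knowledge: it should be built from the services the management server is documented to call, so that anything else internal stands out.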
Forecast — 30 Days
- Increased automated scanning targeting Workspace ONE, SolarWinds, and Ivanti platforms
- Emergence of exploit scripts targeting the newly listed vulnerabilities
- Possible ransomware campaigns targeting vulnerable endpoint management infrastructure
- Expanded probing of government and health care networks
- Increased interest from cyber-criminal groups seeking enterprise control points
TRJ Verdict
Each newly listed KEV vulnerability reinforces the same pattern visible across the modern threat landscape.
Attackers no longer focus solely on user workstations or exposed web servers. The most valuable targets now sit deeper inside the enterprise: the systems that control the network itself.
Endpoint managers, device administration platforms, and help desk infrastructure serve as command centers for modern IT environments.
When those systems fall, everything connected to them becomes vulnerable.
The latest KEV additions show that attackers continue to pursue these central control systems because a single successful breach can provide control over entire organizations.