The US Cybersecurity and Infrastructure Security Agency (CISA) has added three recently disclosed security flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.
One of the vulnerabilities, tracked as CVE-2021-22054, affects Omnissa Workspace One UEM, previously known as VMware Workspace One UEM. The flaw is a server-side request forgery (SSRF) issue that could allow a malicious actor with network access to the UEM environment to send unauthorized requests and potentially access sensitive information without authentication. Threat intelligence firm GreyNoise previously reported that the flaw was being abused as part of an SSRF exploitation surge targeting multiple enterprise products.
Another vulnerability (CVE-2025-26399) impacts the AjaxProxy component in SolarWinds Web Help Desk. The flaw stems from the deserialization of untrusted data, enabling attackers to execute arbitrary commands on the affected host system. According to reports from Microsoft and Huntress, threat actors have been exploiting the vulnerability to gain initial access to networks. The activity is believed to be linked to the Warlock ransomware group, which has been observed targeting vulnerable installations of the help desk platform.
The third flaw, CVE-2026-1603, affects Ivanti Endpoint Manager. The vulnerability is an authentication bypass through an alternate path or channel, potentially allowing a remote unauthenticated attacker to extract certain stored credential data from affected systems. At present, there are no additional details on how the flaw is being exploited.