Navigation section

CISA Adds 3 High Risk Flaws to KEV Catalog — Patch Now to Stop Targeted Attacks

  • Thread Author
CISA’s decision to add three high-risk flaws to the Known Exploited Vulnerabilities (KEV) Catalog is a stark reminder that attackers are continuing to weaponize long-established weakness classes — SSRF, insecure deserialization, and authentication bypass — and that organizations which delay remediation are being actively targeted now.

Hooded figure reviews a KEV CATALOG of CVEs—SSRF, insecure deserialization, and auth bypass.Background​

The Cybersecurity and Infrastructure Security Agency’s KEV Catalog exists to catalog vulnerabilities for which there is evidence of active exploitation in the wild. That list is the operational backbone of Binding Operational Directive 22-01 (BOD 22-01), which requires Federal Civilian Executive Branch (FCEB) agencies to remediate cataloged vulnerabilities within the accelerated timeframes CISA prescribes. While BOD 22-01 legally binds federal agencies, the KEV list functions as a de‑facto prioritization roadmap for all enterprises: if CISA adds a CVE to the catalog, it has observed — or received credible reporting of — exploitation, and that vulnerability should be an immediate priority for defenders everywhere.
On March 9, 2026, CISA added three vulnerabilities to the KEV Catalog that meet that standard of active exploitation:
  • CVE-2021-22054 — a Server-Side Request Forgery (SSRF) issue in Workspace ONE UEM (now referenced in some vendor documents under the Workspace ONE family / Omnissa branding).
  • CVE-2025-26399 — an unauthenticated deserialization flaw in SolarWinds Web Help Desk’s AjaxProxy component that can lead to remote code execution (RCE).
  • CVE-2026-1603 — an authentication bypass in Ivanti Endpoint Manager (EPM) that allows disclosure of stored credentials.
Each of these flaws represents a proven, high-impact attack vector: SSRF can reach internal-only services and exfiltrate metadata or credentials; insecure deserialization frequently yields system-level code execution; authentication bypasses expose administrative secrets that enable lateral movement and persistent access. In short, these are the kinds of bugs attackers chain together to obtain full enterprise control.

Why these three matter now​

CVE-2025-26399 — SolarWinds Web Help Desk: unauthenticated deserialization → RCE​

SolarWinds Web Help Desk’s AjaxProxy component incorrectly deserializes untrusted input, enabling unauthenticated remote attackers to execute arbitrary code as the host process. This is among the most dangerous classes of vulnerability because:
  • It often requires no user interaction and no valid credentials.
  • Successful exploitation generally results in full system compromise, persistent foothold, and easy pivoting into internal networks.
  • Attackers have been observed using this family of flaws to deploy legitimate remote admin tools, tunnels, and forensic tools to mask activity and maintain persistence.
Operational recommendation: treat this as an immediate emergency. If you operate SolarWinds Web Help Desk (WHD), inventory all instances, confirm versions, and apply vendor hotfixes or upgrades without delay. For systems that cannot be patched immediately, isolate WHD from untrusted networks, block the AjaxProxy endpoint at the network perimeter, and enforce strict egress filtering from the WHD host.

CVE-2026-1603 — Ivanti Endpoint Manager: authentication bypass and credential leakage​

Ivanti EPM’s authentication bypass lets an unauthenticated actor access paths or channels that should be restricted, exposing stored credentials. The core risk here is credential compromise:
  • Credential disclosure from a centralized management platform is effectively an invitation for broad lateral movement across managed endpoints.
  • Attackers can reuse credentials, impersonate administrators, or bootstrap privilege escalation chains.
  • In environments that depend on EPM to push configuration and software, attackers can weaponize the management channel itself.
Operational recommendation: immediately identify EPM instances running affected versions (notably versions prior to the vendor’s patched release). Apply vendor updates and treat any EPM server that was internet-exposed or reached from untrusted networks as potentially compromised: rotate all credentials stored in or used by EPM, audit changes, and perform forensic validation of endpoint integrity.

CVE-2021-22054 — Workspace ONE UEM: SSRF to internal resource access​

Server‑Side Request Forgery (SSRF) vulnerabilities in device-management consoles like Workspace ONE UEM are dangerous because those consoles often sit at a privileged network position. SSRF can be used to:
  • Access internal-only services (metadata servers, management APIs, internal databases).
  • Retrieve secrets or tokens from cloud metadata endpoints.
  • Bounce requests to services not directly reachable by the attacker, turning a single vulnerable web interface into a springboard for reconnaissance and credential theft.
Operational recommendation: ensure Workspace ONE consoles are patched to vendor-recommended versions; if patching will take time, restrict access to management consoles via network segmentation, allowlist only known administrative IP ranges, and deploy application-layer protections that block proxying of arbitrary URLs.

Technical snapshot: what defenders need to know​

Exploitation profile and attacker behaviour​

  • SolarWinds WHD (deserialization): attackers exploit AjaxProxy to upload or trigger crafted serialized objects; common post-exploitation behavior includes pushing legitimate remote-management utilities, spinning up tunnels (for example, Cloudflare tunnels), and installing lightweight command-and-control or DFIR tools to maintain access and evade detection.
  • Ivanti EPM (auth bypass): attackers exploit alternate API paths or flawed authentication checks to query endpoints that return credential material or configuration data. The technique can be automated and used as an initial access or credential-gathering step.
  • Workspace ONE (SSRF): attackers craft requests that force the management console to issue internal network calls; successful SSRF often precedes discovery of internal services and targeted credential exfiltration.

Affected versions and remediation status (practical summary)​

  • SolarWinds Web Help Desk: the critical AjaxProxy deserialization issue affects VWHD builds prior to the hotfix/patch released by the vendor. Vendors have published hotfixes and subsequent updates that remediate the root cause; administrators should move to the vendor‑released fixed builds or to the vendor’s recommended long-term release that bundles all hotfixes.
  • Ivanti Endpoint Manager: vendor advisories identify affected 2024 releases prior to the cumulative update (SU5). The vendor has released updates addressing the authentication bypass and associated SQLi issue; vulnerable builds should be upgraded to the fixed 2024 SU5 (or later) package.
  • Workspace ONE UEM SSRF: originally disclosed in late 2021, vendor security advisories identified specific console versions that must be upgraded; administrators who still run legacy on‑prem consoles need to confirm they have applied the vendor fixes.
Note: If your environment includes a managed or vendor-hosted deployment, coordinate with the service provider to confirm whether the managed instance has been updated or requires action on your part.

Detection and response playbook​

A rapid defensive posture should include both proactive hardening and targeted detection:

Proactive hardening (apply now)​

  • Patch or upgrade the affected products to vendor‑released fixed versions.
  • Remove internet exposure for management interfaces unless strictly necessary.
  • Impose allowlists that limit administrative access to known IP ranges and VPN segments.
  • Segment management servers into isolated VLANs with tight firewall rules; limit their ability to initiate outbound connections.
  • Rotate and rekey credentials that are stored in affected management platforms after patching and after a forensic triage to rule out compromise.

Detection and hunting (short-term practical checks)​

  • SolarWinds WHD:
  • Monitor web server logs for anomalous POSTs or serialized payloads to AjaxProxy endpoints.
  • Detect unusual process creation on the WHD host, especially binaries or interpreters (PowerShell, Python, Bash) invoked from the WHD service account.
  • Look for new scheduled tasks, suspicious service installations, or unexpected outbound TLS connections immediately after web requests to WHD.
  • Ivanti EPM:
  • Audit access logs for unusual anonymous or unauthenticated API calls.
  • Search for queries to credential-store APIs or database queries returning credential-like strings.
  • Detect unexpected configuration pushes or changes, and abnormal connections from EPM servers to endpoints.
  • Workspace ONE SSRF:
  • Identify outbound requests initiated by the UEM console to internal addresses (e.g., 169.254.169.254 cloud metadata endpoints, internal API endpoints).
  • Search for patterns where external attackers’ requests result in server‑side calls to internal services.

Incident response checklist (if you suspect exploitation)​

  • Isolate the affected management server from untrusted networks while preserving forensic evidence.
  • Capture volatile system state (memory, network connections, running processes) and collect web server and application logs.
  • Identify and snapshot affected systems for offline forensics before applying remediation that could remove evidence.
  • Rotate credentials exposed or used by the affected product — including API keys, service accounts, and administrative passwords.
  • Perform endpoint integrity checks across systems managed by the affected console for abnormal binaries, scheduled tasks, or persistence mechanisms.
  • Engage vendor incident response if required; coordinate with legal/compliance and threat‑intelligence teams to assess scope.

Practical remediation for constrained organizations​

Many organizations do not have the luxury of immediate, risk‑free patch windows. Here are practical mitigations that reduce exposure while planning a full patch rollout:
  • Network-level controls:
  • Place management interfaces behind strict access control lists (ACLs) and VPN or jump hosts.
  • Block the AjaxProxy endpoint and other risky application endpoints at the perimeter until patches are applied.
  • Enforce egress filtering on management servers so that they cannot reach arbitrary external hosts — this limits exfiltration and prevents tunneling.
  • Application-layer controls:
  • Deploy a web application firewall (WAF) or application gateway with tailored rules to block suspicious serialized payloads, unusual content types, or requests that attempt to leverage SSRF/payload injection patterns.
  • Use runtime application self‑protection agents (RASP) where available to detect anomalous object deserialization and block runtime exploitation attempts.
  • Operational controls:
  • Shorten credential lifespans by rotating critical authentication material proactively in systems managed by vulnerable consoles.
  • Enforce least privilege: reduce the stored credentials’ scope and privilege level so that stolen secrets have limited utility.
  • Increase monitoring cadence on critical assets (more frequent backups, enhanced logging, and centralized SIEM parsing of newly identified indicators).

What this means for federal agencies and compliance​

Under BOD 22-01, the moment CISA adds a CVE to the KEV Catalog it triggers a federal remediation clock. Agencies are required to report and remediate the listed issue within the timeline specified in the KEV entry. Failure to remediate can lead to escalation and mandatory mitigation actions imposed by CISA.
For non‑federal organizations the legal directive does not apply, but the operational reality is the same: KEV additions reflect confirmed exploitation, and delaying remediation invites compromise. Organizations that manage critical infrastructure, supply chains, or large fleets of endpoints should treat KEV entries as operational emergencies and prioritize them above lower-risk housekeeping patches.

Strategic analysis: why these vulnerabilities are attractors and how attackers use them together​

  • Insecure deserialization (SolarWinds) gives attackers a fast route to arbitrary code execution. Once code execution is obtained, attackers prefer to install legitimate remote-administration tools (remote monitoring, remote support) because they blend into normal operations and are less likely to be flagged by defenders.
  • Credential leakage (Ivanti EPM) is the fuel for lateral movement. Attackers who can extract admin credentials from an EPM platform can enroll endpoints, deploy payloads, or manipulate agent configurations remotely.
  • SSRF (Workspace ONE) is an exploratory reconnaissance and privilege-amplification technique: SSRF can be used to reach internal cloud metadata services or management APIs that are otherwise inaccessible, yielding tokens or credentials to then exploit management platforms.
When chained, these weaknesses produce a high-fidelity attack sequence: SSRF to discover internal services → exploit deserialization to execute code on a management host → extract credentials from that host or from an unattended management console → reuse those credentials to expand control across the enterprise. That chain is why each single entry in the KEV catalog matters — and why the catalog is intentionally aggressive in prioritization.

Organizational checklist: immediate, short-term, and long-term actions​

Immediate (within 24–72 hours)​

  • Confirm whether you run the affected software versions. If yes, schedule emergency patching according to vendor advisories.
  • If patching is not immediate, apply network isolation and allowlisting for management interfaces.
  • Increase monitoring and retention for logs from the affected applications and hosts.
  • Notify leadership, security operations, and incident response teams of KEV additions and internal exposures.

Short-term (1–2 weeks)​

  • Apply vendor-supplied hotfixes or upgrades and validate successful deployment.
  • Rotate any potentially exposed credentials and keys.
  • Perform a targeted hunt for indicators of compromise related to these vulnerabilities (unexpected binaries, remote admin tool installations, new tunnels, and unusual outbound connections).
  • Implement additional WAF or IDS rules to mitigate exploitation attempts.

Long-term (30–90 days)​

  • Reassess vulnerability management to ensure KEV catalog entries are consumed and remediated promptly (credentialed scanning cadence, rapid patch verification).
  • Harden management platforms: minimize attack surface, remove unnecessary modules, and enforce least privilege.
  • Conduct post‑incident tabletop exercises simulating chained exploitation of management consoles to validate detection and response playbooks.

Risks, tradeoffs, and common pitfalls​

  • Overreliance on perimeter controls: A WAF or firewall can mitigate many exploitation paths, but misconfigurations and bypass techniques are common. Do not treat network controls as a substitute for patching.
  • Delaying credential rotation: Patching prevents future exploitation, but if a vulnerability has been exploited, previously leaked credentials remain valid until rotated.
  • Blind trust in vendor updates: Vendors publish advisories and hotfixes, but history shows patch bypasses and partial fixes occur — validate vendor fixes in a test environment and confirm they close the operational vectors you care about.
  • Silent compromise: Management consoles are high-trust infrastructure. If you find they were accessible from the internet or exposed to untrusted networks, assume compromise until proven otherwise and prioritize forensic investigation.

Closing assessment: posture, priority, and the path forward​

CISA’s KEV additions are not theoretical exercises; they reflect observed in-the-wild attacks. The three vulnerabilities added on March 9, 2026 — an SSRF affecting Workspace ONE, an unauthenticated deserialization in SolarWinds Web Help Desk, and an Ivanti Endpoint Manager authentication bypass — all map to very real adversary tradecraft: reconnaissance, credential theft, and remote code execution. Each is enough, on its own, to cause a major incident in a poorly defended environment; together they underline why defenders must treat management consoles and help-desk systems as crown-jewel assets.
If you manage affected software, do not defer action. Patch, isolate, rotate credentials, and hunt actively. For security leaders, use this moment to force-tested the organization’s ability to triage KEV additions: can you identify affected assets within hours? Can you deploy mitigations without breaking business-critical workflows? Can you validate remediation and re‑issue credentials rapidly if needed?
The KEV Catalog exists because attackers continue to find value in time-tested vulnerability classes. Your operational maturity will be measured by how quickly you convert a public advisory into shored-up defenses, verified patch status, and a minimized attack surface. Prioritize accordingly — the cost of inaction is no longer hypothetical.
Source: CISA CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
 

Click to expand...
You must log in or register to reply here.
Back
Top