The U.S. Cybersecurity and Infrastructure Security Agency has expanded its list of actively exploited vulnerabilities by adding three specific flaws affecting Omnissa, SolarWinds, and Ivanti products. Federal agencies are now required to patch these security gaps within the month to mitigate the risk of data breaches and ransomware attacks.
The Cybersecurity and Infrastructure Security Agency recently updated its Known Exploited Vulnerabilities catalog to include three significant security flaws that are currently being leveraged by malicious actors. These vulnerabilities affect Omnissa Workspace One UEM, SolarWinds Web Help Desk, and Ivanti Endpoint Manager. By adding these to the list, CISA is signaling that these issues pose a direct and immediate threat to organizational security across both public and private sectors.
One of the most critical additions is a flaw in SolarWinds Web Help Desk that allows for the execution of commands on a host machine through the deserialization of untrusted data. This particular vulnerability has been linked to activity by the Warlock ransomware group, which uses the exploit to gain initial access to target networks. Because of the high risk of a full system compromise, federal agencies have been given a tight deadline of March 12, 2026, to apply the necessary patches.
Another vulnerability included in the update is a server-side request forgery flaw in Omnissa Workspace One UEM, which was previously known as VMware Workspace One UEM. While this issue was first identified in 2021, recent reports indicate it is being used in a coordinated campaign alongside other similar flaws to access sensitive information without authentication. This highlights a trend where older vulnerabilities are revisited by attackers to exploit unpatched legacy systems.
The third flaw involves an authentication bypass in Ivanti Endpoint Manager that could allow a remote attacker to leak stored credentials. Although specific details regarding how this vulnerability is being weaponized in the wild remain scarce, its inclusion in the catalog confirms that evidence of active exploitation exists. Ivanti has yet to provide a full update on the exploitation status within its own security bulletins, but the threat remains a priority for defense teams.
To protect the federal enterprise, CISA has mandated that all civilian executive branch agencies remediate these flaws by March 23, 2026, with the exception of the SolarWinds fix which is due sooner. CISA emphasized that these types of vulnerabilities are common entry points for cybercriminals and state-sponsored actors. Organizations outside the federal government are also strongly encouraged to prioritize these updates to avoid becoming the next victims of these active exploitation campaigns.
Source: CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Exploited