[TIMESTAMP: 2026-03-10 08:17 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CISA Flags SolarWinds, Ivanti, and Workspace One Flaws in KEV Update

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Threat actors are actively exploiting vulnerabilities in infrastructure management tools to bypass authentication and access internal network resources.
  • [02] Affected systems: Impacted platforms include Omnissa Workspace One UEM, alongside specific yet-to-be-detailed versions of SolarWinds and Ivanti products.
  • [03] Remediation: Organizations must prioritize patching these vulnerabilities immediately or implementing vendor-supplied workarounds to prevent unauthorized access.

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding security flaws affecting SolarWinds, Ivanti, and Omnissa Workspace One UEM. According to The Hacker News, these additions are based on evidence of active exploitation in the wild. While the specific identifiers for the SolarWinds and Ivanti flaws were part of the broader agency alert, the inclusion of CVE-2021-22054 highlights the persistent threat posed by older vulnerabilities in endpoint management software.

Technical Analysis of CVE-2021-22054

CVE-2021-22054 is a server-side request forgery (SSRF) vulnerability affecting Omnissa Workspace One UEM (formerly managed by VMware). With a CVSS score of 7.5, this flaw allows an unauthenticated network actor to send a specially crafted request to the UEM server. This request is then processed by the server, potentially allowing the attacker to access internal resources that are otherwise protected or restricted.

In an enterprise environment, Workspace One UEM serves as a central hub for managing mobile devices and laptops. An SSRF vulnerability in such a platform is particularly dangerous because it can be used as a beachhead for lateral movement within a corporate network. By tricking the server into making requests to internal API endpoints or metadata services, an attacker can harvest credentials and sensitive configurations, or facilitate privilege escalation.

Omnissa Workspace One UEM CVE-2021-22054 Exploit Detection

Defenders should focus on identifying anomalous outbound traffic originating from the Workspace One UEM console or API servers. Because the vulnerability involves crafted HTTP requests, monitoring web server logs for unusual URI patterns or requests directed at internal-only IP ranges is a primary detection strategy. Utilizing a SIEM to correlate UEM access logs with internal network traffic can help uncover potential exploitation attempts where the server is being used as an unintended proxy.
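One way to implement the log check described above, as an added example (not code from the original article or from Omnissa): it scans web access logs for request parameters that carry URLs pointing at loopback, private, or link-local hosts. The log lines, the `/portal/fetch` path, the parameter names, and the internal-name suffixes are constructed for illustration and do not describe the actual CVE-2021-22054 request format.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in common log format (not real UEM logs; paths are hypothetical).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:01:12 +0000] "GET /portal/fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2026:08:02:40 +0000] "GET /portal/fetch?url=https%3A%2F%2Fcdn.example.com%2Flogo.png HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2026:08:03:05 +0000] "GET /portal/fetch?target=http%253A%252F%252F10.0.4.15%253A8443%252Fapi HTTP/1.1" 200 97
198.51.100.9 - - [10/Mar/2026:08:04:19 +0000] "GET /portal/login?next=%2Fdashboard HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2026:08:05:33 +0000] "GET /portal/fetch?url=http://localhost:9200/_cat HTTP/1.1" 200 301
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')
URL_RE = re.compile(r"(?i)\b(?:https?|ftp|gopher)://[^\s'\"<>]+")

def is_internal(host):
    # Loopback, private or link-local address, or an internal-looking name (suffixes assumed).
    host = host.strip("[]").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            ip = ipaddress.ip_address(int(host, 0))  # integer/hex forms, e.g. 2130706433
        except ValueError:
            return host == "localhost" or host.endswith((".internal", ".local"))
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_ssrf_candidates(log_text):
    # Returns (client_ip, parameter, embedded_host) for each internal URL found in a query string.
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for _ in range(3):  # peel extra layers of percent-encoding
                value = unquote(value)
            for url in URL_RE.findall(value):
                try:
                    host = urlsplit(url).hostname or ""
                except ValueError:  # malformed bracketed host
                    continue
                if is_internal(host):
                    hits.append((client, name, host))
    return hits

if __name__ == "__main__":
    print(find_ssrf_candidates(SAMPLE_LOG))
```

Hits from this check are leads, not verdicts: correlate them with outbound connections from the UEM server at the same timestamps before treating them as exploitation attempts.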

Broader Implications for the Software Supply Chain

The inclusion of SolarWinds and Ivanti products alongside Omnissa emphasizes the continued focus by APT groups and other sophisticated actors on the software supply chain attack surface. Vulnerabilities in management and monitoring tools provide high-leverage entry points into targeted environments. For instance, gaining RCE or bypassing authentication in these tools can grant an attacker visibility across the entire fleet of managed devices.

CISA’s decision to flag these as actively exploited signifies that these are not merely theoretical risks. Organizations falling under Binding Operational Directive (BOD) 22-01 are required to remediate these vulnerabilities by the specified deadlines. For the private sector, these additions should serve as a signal to review mitigation strategies for actively exploited Ivanti flaws and to ensure that all SolarWinds instances are updated to the latest secure versions.

Mitigation and Defense Recommendations

To defend against these threats, security teams should implement the following measures:

  • Patch Management: Immediately apply the security updates provided by Omnissa for Workspace One UEM. For SolarWinds and Ivanti, ensure all components are running the latest stable releases that address the KEV-listed flaws.
  • Network Segmentation: Restrict the UEM server’s ability to communicate with sensitive internal network segments. Egress filtering should be strictly enforced to ensure the server can only communicate with known, required external and internal endpoints.
  • Adherence to Zero Trust: Implement Zero Trust principles by ensuring that management consoles are not exposed to the public internet without additional layers of protection, such as MFA or VPN requirements.
  • Continuous Monitoring: Update EDR and SOC monitoring rules to include MITRE ATT&CK techniques associated with SSRF (T1134) and exploitation of remote services (T1210).
