root@rebel:~$ cd /news/threats/cve-2026-1603-cisa-warns-of-active-ivanti-and-solarwinds-exploitation_
[TIMESTAMP: 2026-03-09 20:13 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2026-1603: CISA Warns of Active Ivanti and SolarWinds Exploitation

AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: Threat actors are actively exploiting critical vulnerabilities in Ivanti, SolarWinds, and Omnissa systems to gain unauthorized network access.
  • [02] Affected systems: Impacted products include Ivanti Endpoint Manager, SolarWinds Web Help Desk, and Omnissa Workspace ONE servers.
  • [03] Remediation: Organizations should prioritize applying vendor-supplied security updates for these three vulnerabilities to prevent active exploitation.

On March 9, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog, adding three high-impact flaws currently being leveraged in the wild. According to CISA, these vulnerabilities affect Ivanti Endpoint Manager (EPM), SolarWinds Web Help Desk, and Omnissa Workspace ONE. Inclusion in the KEV catalog requires Federal Civilian Executive Branch (FCEB) agencies to remediate the flaws within a specific timeframe under Binding Operational Directive (BOD) 22-01, though the risk extends to every private-sector enterprise running these products.

Ivanti Endpoint Manager Authentication Bypass Mitigation

The most recent of the additions is CVE-2026-1603, an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM). This product is widely used by SOC teams to manage device security across large environments. An authentication bypass in such a central tool is particularly dangerous because it may allow an attacker to gain administrative control over the management console without providing valid credentials. Once that access is gained, an APT or other malicious actor could use the console to facilitate Lateral Movement across the entire managed fleet, deploying malware or extracting sensitive data. Mitigating this authentication bypass in Ivanti Endpoint Manager should be the top priority for administrators, as the CVE provides a direct path for attackers to subvert enterprise-wide security controls.

SolarWinds Web Help Desk Exploitation

Also added to the catalog is CVE-2025-26399, which affects SolarWinds Web Help Desk. This vulnerability stems from the deserialization of untrusted data. In a typical attack scenario, a threat actor sends a specially crafted serialized object to the application; if the application fails to validate the input properly, the result is RCE. Organizations should put detection in place for deserialization exploitation against Web Help Desk, such as monitoring for unusual outbound network traffic or unexpected child processes originating from the web server service. Given that help desk software often contains sensitive employee data and integrates with internal directories, a compromise here often leads to a significant Data Breach or Privilege Escalation.
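The two detection ideas above (unexpected child processes of the web server service, and inbound requests carrying a raw serialized object) can be turned into simple rules. The following is an added example written for this article, not code from SolarWinds or from the original post; the service executable path, the event field names and the log lines are constructed assumptions for illustration.

```python
"""Added example, not code from the article or from SolarWinds: two of the
detection checks the text describes, run over constructed sample data.

1. flag_child_processes: processes spawned by the help-desk web service that a
   web application has no reason to launch (shells, script hosts, download tools).
2. looks_like_java_serialized: request bodies that begin with the Java
   serialization stream header (AC ED 00 05) or its base64 form ("rO0AB").

The service executable path and the event field names are assumptions, not
SolarWinds' real install layout.
"""
import json

# Assumption: the web service process of the help-desk application. Replace
# with the real service binary observed in your own process telemetry.
WEB_SERVICE_IMAGES = {r"c:\program files\helpdesk\bin\java.exe"}  # hypothetical

# Child images a web application service should never spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "rundll32.exe",
    "regsvr32.exe",
}

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream stream header
JAVA_SERIAL_B64 = b"rO0AB"                # base64 encoding of the same four bytes


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(log_text: str) -> list:
    """Parse JSON-lines process-creation events, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def flag_child_processes(events: list) -> list:
    """Return (child image, command line) for every suspicious child of the web service."""
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "").lower()
        child = _basename(ev.get("Image", ""))
        if parent in WEB_SERVICE_IMAGES and child in SUSPICIOUS_CHILDREN:
            hits.append((child, ev.get("CommandLine", "")))
    return hits


def looks_like_java_serialized(body: bytes) -> bool:
    """True if an HTTP body starts with a Java serialization stream header."""
    body = body.lstrip()
    return body.startswith(JAVA_SERIAL_MAGIC) or body.startswith(JAVA_SERIAL_B64)


# Constructed sample telemetry (Sysmon-style field names, values invented).
SAMPLE_LOG = r"""
{"ParentImage": "C:\\Program Files\\HelpDesk\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"ParentImage": "C:\\Program Files\\HelpDesk\\bin\\java.exe", "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 4120"}
{"ParentImage": "C:\\Program Files\\HelpDesk\\bin\\java.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"}
"""

if __name__ == "__main__":
    for child, cmd in flag_child_processes(parse_events(SAMPLE_LOG)):
        print(f"ALERT: web service spawned {child}: {cmd}")
    print(looks_like_java_serialized(b"\xac\xed\x00\x05sr\x00"))   # True
    print(looks_like_java_serialized(b'{"ticket": 42}'))           # False
```

The parent-process rule is the higher-signal of the two: a Java web service spawning a shell is rare enough in normal operation to alert on directly, whereas the stream-header check only tells you that a request body is a serialized object and belongs in a SIEM correlation with the source address and the endpoint hit.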

Omnissa Workspace ONE SSRF Risks

The third vulnerability, CVE-2021-22054, is a Server-Side Request Forgery (SSRF) flaw in Omnissa Workspace ONE. While the vulnerability was originally identified years ago, its recent addition to the KEV catalog indicates that CISA has confirmed current, active exploitation. SSRF vulnerabilities allow attackers to compel the server to make requests to internal or external resources that the server can reach but the attacker should not. In cloud-heavy environments, this is frequently used to steal metadata service tokens, which can compromise the entire Cloud Security posture. Applying the Omnissa patch for CVE-2021-22054 is essential for organizations that may have overlooked this legacy vulnerability, as it remains a viable entry point for modern Ransomware groups.
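The metadata-token risk described above is what a server-side destination check in an SSRF fix has to close. The following is an added example, not Omnissa's patch or code from the article: a validator that resolves the hostname itself, rejects any destination that is not globally routable (loopback, RFC 1918, link-local including 169.254.169.254, and IPv4-mapped IPv6 forms of the same), and returns the resolved address so the caller connects to that pinned IP. The resolver is injectable, and the DNS table and hostnames below are constructed so the example runs offline.

```python
"""Added example, not code from the article or from Omnissa: a server-side
check for outbound request destinations of the kind an SSRF fix needs.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _to_ip(host: str, resolver):
    """Parse host as a literal IP, or resolve it; unwrap IPv4-mapped IPv6."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal we recognise (a name, or an odd form such as a bare
        # decimal integer); let the resolver decide and check what comes back.
        addr = ipaddress.ip_address(resolver(host))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def validate_outbound_url(url: str, resolver=socket.gethostbyname):
    """Return (True, pinned_ip) if the URL may be fetched, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = _to_ip(host, resolver)
    except (ValueError, OSError) as exc:
        return False, f"unresolvable host {host!r}: {exc}"
    # is_global is False for loopback, private, link-local (169.254.0.0/16,
    # which covers the cloud metadata endpoint), reserved and documentation ranges.
    if not addr.is_global:
        return False, f"non-global destination {addr}"
    return True, str(addr)


# Constructed DNS table so the example runs without network access.
FAKE_DNS = {
    "files.example": "93.184.216.34",     # public address
    "intranet.example": "10.0.0.5",       # RFC 1918
    "localhost": "127.0.0.1",
    "metadata.example": "169.254.169.254",
}


def fake_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed table."""
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["https://files.example/report.pdf",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.example/",
              "http://[::ffff:169.254.169.254]/",
              "http://intranet.example/admin",
              "ftp://files.example/x",
              "http://user@files.example/"]:
        print(u, validate_outbound_url(u, resolver=fake_resolver))
```

Two points the validator alone does not cover: the HTTP client must actually connect to the returned IP (sending the original hostname in the Host header) rather than resolving the name a second time, or a rebinding DNS answer can slip past the check; and any redirect the remote server returns must go through the same validation before it is followed.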

Actionable Recommendations

To defend against these active threats, security teams should adopt the following measures:

  • Immediate Patching: Prioritize the updates for Ivanti EPM, SolarWinds Web Help Desk, and Omnissa Workspace ONE. These should be treated with the same urgency as a Zero-Day given their presence in the KEV catalog.
  • Enhanced Monitoring: Configure your SIEM and EDR to alert on indicators associated with these products, specifically looking for unauthorized access attempts or suspicious serialized payloads.
  • Network Segmentation: Ensure that management interfaces like Ivanti EPM are not exposed directly to the public internet. Adhering to a Zero Trust architecture can limit the blast radius if an authentication bypass occurs.
  • Vulnerability Scanning: Run updated scans to identify any forgotten or “shadow IT” instances of these products that may still be running vulnerable versions.
