
CISA KEV update puts Ivanti, SolarWinds, and Omnissa on urgent patch list

March 12, 2026

CISA’s March 2026 KEV update deserves attention well beyond federal environments. By adding flaws in Ivanti Endpoint Manager, SolarWinds Web Help Desk, and Omnissa Workspace ONE to the Known Exploited Vulnerabilities catalog, the agency effectively signaled that three common enterprise management surfaces now carry real-world exploitation pressure. For defenders, this is not just another vulnerability bulletin. It is a reminder that endpoint administration, help desk tooling, and unified endpoint management platforms remain attractive points of entry because they sit close to credentials, asset visibility, and privileged workflows.

The three CVEs added by CISA are:

  • CVE-2026-1603 in Ivanti Endpoint Manager, described by CISA as an authentication bypass that can leak specific stored credential data.
  • CVE-2025-26399 in SolarWinds Web Help Desk, a deserialization issue tied to active exploitation and post-compromise tooling deployment.
  • CVE-2021-22054 in Omnissa Workspace ONE, a server-side request forgery issue that still matters because exposed management systems age badly when they linger in enterprise estates.

Why this KEV update matters

The key message is not simply that CISA added three flaws. It is that all three affect systems designed to centralize control. When attackers gain access to platforms that manage endpoints, tickets, credentials, or administrative workflows, they do not just compromise one host. They often gain the visibility and leverage needed for broader lateral movement, credential exposure, or follow-on incident response disruption.

CISA’s KEV catalog is not theoretical. The catalog exists specifically for flaws known to have been exploited in the wild. That makes the March 9 addition a practical prioritization signal for any organization running one of these products, even outside the U.S. federal ecosystem.

Breaking down the exposure

Ivanti Endpoint Manager: credential risk from an internet-facing admin platform

According to CISA and follow-up reporting, CVE-2026-1603 affects Ivanti EPM versions before 2024 SU5 and can allow a remote unauthenticated attacker to leak stored credential data. That combination matters because EPM is exactly the kind of product defenders use to orchestrate software deployment, patching, and endpoint control at scale. A weakness in that plane can become a force multiplier for attackers.

BleepingComputer reported that CISA added the flaw to KEV on March 9 and gave federal agencies until March 23 to remediate it. CSO Online noted that the vulnerability was patched in February and impacts versions prior to 2024 SU5. Even where direct exploitation details remain limited, the defensive implication is clear: any externally reachable or weakly segmented EPM deployment deserves urgent validation.

The mention of low-complexity exploitation paths and credential leakage also increases the likelihood that attackers could chain the issue into broader access operations. For blue teams, this means reviewing not only patch status but also what secrets, service accounts, and delegated permissions are stored or exposed through the EPM environment.

SolarWinds Web Help Desk: exploitation is no longer hypothetical

The SolarWinds item may be the most operationally vivid of the three. Huntress documented observed exploitation of Web Help Desk across customers and described follow-on activity including remote management tooling, Velociraptor deployment, Cloudflare tunnel use, and defensive control disruption. That is a strong reminder that once a public-facing admin product is compromised, adversaries often move quickly from initial exploit to persistence and environment triage.

This matters because help desk products are often internet-accessible by design or are connected to internal systems with broad visibility. An exploited help desk platform can become a staging point for privilege escalation, remote administration abuse, or rapid attacker orientation inside the network.

For many defenders, the key SolarWinds lesson is not only “patch fast.” It is also “assume post-exploitation tradecraft if you were exposed.” If a vulnerable Web Help Desk instance was reachable, teams should consider log review, unusual RMM activity, suspicious MSI executions, outbound tunnel creation, and any disabling of endpoint protections.

Omnissa Workspace ONE: older flaws do not become harmless

CVE-2021-22054 is the oldest entry in the trio, and that is precisely what makes it useful as a lesson. Organizations frequently carry legacy exposure in device-management stacks long after the original advisory cycle has faded. Once a flaw shows up in KEV, defenders should treat it as a sign that the industry’s long tail of unpatched or forgotten systems is still feeding attacker operations.

The Omnissa issue is a server-side request forgery weakness in Workspace ONE. Even without the same volume of fresh public reporting as the SolarWinds case, its inclusion in KEV signals that real exploitation evidence exists. That should push defenders to reassess any lingering assumptions that old UEM flaws are “probably already handled.” In many estates, they are not.

What defenders should do next

A solid response starts with exposure mapping, not patching theater.

  • Identify every internet-facing or externally reachable instance of Ivanti EPM, SolarWinds Web Help Desk, and Omnissa Workspace ONE.
  • Confirm version and patch status immediately. For Ivanti, that means checking for 2024 SU5 or later where applicable.
  • Review logs for post-exploitation behaviors, especially around remote management installs, credential access, suspicious PowerShell, and outbound tunnels.
  • Tighten network segmentation around management infrastructure so a single admin platform does not provide easy pathways to the rest of the environment.
  • Reassess secrets hygiene and privileged workflows tied to these systems, especially service accounts, stored credentials, and delegated admin roles.
  • Feed the update into your threat intelligence and detection pipelines so SOC teams can hunt for product-specific indicators and unusual management-plane behavior.
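One way to turn the first two and the last of these steps into something repeatable is to pull the KEV feed into an asset-matching script. The example below is added here and is not code from the post or from CISA; it uses the field names of CISA's public KEV JSON feed, but the feed excerpt and the asset inventory are constructed samples (hostnames and the CVE-0000-0000 entry are placeholders), and the due dates for the SolarWinds and Omnissa entries are illustrative, since the post only states the March 23 deadline for the Ivanti flaw.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's public KEV JSON feed (same field names).
# The three CVE IDs, vendors, products and the March 9 / March 23 dates come from the
# post; CVE-0000-0000 is an obvious placeholder for an unrelated entry the filter ignores.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager",
     "dateAdded": "2026-03-09", "dueDate": "2026-03-23"},
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "dateAdded": "2026-03-09", "dueDate": "2026-03-23"},
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa", "product": "Workspace ONE",
     "dateAdded": "2026-03-09", "dueDate": "2026-03-23"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCorp", "product": "Widget",
     "dateAdded": "2026-03-09", "dueDate": "2026-03-23"},
]})

INVENTORY = [  # constructed asset inventory; hostnames are made up
    {"host": "epm01.corp.example", "vendor": "Ivanti", "product": "Ivanti Endpoint Manager", "internet_facing": True},
    {"host": "whd.corp.example", "vendor": "SolarWinds", "product": "Web Help Desk", "internet_facing": True},
    {"host": "uem-int.corp.example", "vendor": "Omnissa", "product": "Workspace ONE UEM", "internet_facing": False},
    {"host": "files.corp.example", "vendor": "ExampleCorp", "product": "Other", "internet_facing": False},
]

def kev_entries(feed_text, vendors):
    """Return KEV entries whose vendorProject is on the watch list (case-insensitive)."""
    wanted = {v.lower() for v in vendors}
    return [v for v in json.loads(feed_text)["vulnerabilities"]
            if v["vendorProject"].lower() in wanted]

def prioritize(entries, inventory, today):
    """Match KEV entries to inventory rows by vendor and product name, then rank the
    hits: internet-facing assets first, then the fewest days left before the KEV due date."""
    hits = []
    for asset in inventory:
        for e in entries:
            a_prod, k_prod = asset["product"].lower(), e["product"].lower()
            if asset["vendor"].lower() != e["vendorProject"].lower():
                continue
            if k_prod not in a_prod and a_prod not in k_prod:  # tolerate naming differences
                continue
            days_left = (date.fromisoformat(e["dueDate"]) - date.fromisoformat(today)).days
            hits.append({"host": asset["host"], "cve": e["cveID"], "due": e["dueDate"],
                         "internet_facing": asset["internet_facing"], "days_left": days_left})
    hits.sort(key=lambda h: (not h["internet_facing"], h["days_left"], h["host"]))
    return hits

if __name__ == "__main__":
    for h in prioritize(kev_entries(KEV_SAMPLE, ("Ivanti", "SolarWinds", "Omnissa")), INVENTORY, "2026-03-12"):
        print(f'{h["host"]:22} {h["cve"]:15} due {h["due"]} ({h["days_left"]} days left)')
```

Against a real deployment, replace KEV_SAMPLE with the downloaded feed and INVENTORY with an export from your CMDB or exposure scanner; a negative days_left value means the federal deadline has already passed.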

This is also a good moment to revisit a broader architectural question: should high-value administrative systems be reachable from the public internet at all? Where business reality forces some exposure, stronger access control, isolation, and monitoring become mandatory rather than optional.

Strategic takeaway

The March 2026 KEV additions reinforce a pattern defenders keep seeing: management software is not just support infrastructure. It is part of the attack surface that matters most. Attackers like these systems because they compress privilege, visibility, and operational control into a single place.

That is why this CISA update should be read as more than a patch notice. It is a warning about concentration risk. When endpoint managers, help desk consoles, and UEM platforms fall behind on updates or remain too exposed, they turn into efficient launchpads for intrusion activity. The organizations that respond well will be the ones that pair rapid remediation with hard questions about exposure, segmentation, and trust boundaries.

References

  1. CISA Adds Three Known Exploited Vulnerabilities to Catalog
  2. Known Exploited Vulnerabilities Catalog entry for CVE-2026-1603
  3. CISA: Recently patched Ivanti EPM flaw now actively exploited
  4. Active Exploitation of SolarWinds Web Help Desk
  5. CISA warns of actively exploited Ivanti EPM and Cisco SD-WAN flaws
  6. CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.