Security News CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

Divergent
Jul 26, 2025
Executive Summary

Confirmed Facts

CISA has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. These zero-day and N-day flaws affect the AjaxProxy component of SolarWinds Web Help Desk, Omnissa Workspace One UEM, and Ivanti Endpoint Manager.

Assessment
These vulnerabilities represent critical enterprise perimeter threats that can lead to remote code execution and initial access for ransomware operators.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1190 (Exploit Public-Facing Application).

CVE Profile

CVE-2025-26399: 9.8 NVD Score
CISA KEV Status Active

CVE-2026-1603: 8.6 NVD Score
CISA KEV Status Active

CVE-2021-22054: 7.5 NVD Score
CISA KEV Status Active

Telemetry

Target applications identified

SolarWinds Web Help Desk, Workspace One UEM, and Ivanti Endpoint Manager.

Target components identified
The "AjaxProxy" component of SolarWinds is specifically targeted by CVE-2025-26399.

Threat Actor tracking
Activity tied to CVE-2025-26399 is believed to be the work of the Warlock ransomware crew.

Constraint
The structure suggests network-based Remote Code Execution (RCE) and Server-Side Request Forgery (SSRF) payloads, but explicit binary chain-of-custody is not provided in the current telemetry.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Federal Civilian Executive Branch (FCEB) agencies must apply the fix for SolarWinds Web Help Desk by March 12, 2026.

Command
FCEB agencies must apply the fixes for Ivanti and Workspace One by March 23, 2026.

DETECT (DE) – Monitoring & Analysis

Command
Deploy SIEM queries for unusual deserialization anomalies or SSRF patterns targeting the "AjaxProxy" application path or UEM network requests.

RESPOND (RS) – Mitigation & Containment

Command
Isolate unpatched SolarWinds Help Desk, Ivanti EPM, and Workspace One UEM instances from the internet immediately to disrupt unauthorized requests and credential leaks.

RECOVER (RC) – Restoration & Trust

Command
Validate integrity of stored credentials exposed by CVE-2026-1603 before restoring Ivanti services to production.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Audit public-facing perimeter for shadow IT running end-of-life or unpatched network management software to reduce the external attack surface.

Remediation - THE HOME USER TRACK (Safety Focus)

Constraint Applied
Environmental Reality Check confirms the affected software is strictly enterprise-grade. The Threat Level for standard home environments is Theoretical/Low. Emergency disconnection is not required unless manually hosting these IT platforms.

Priority 1: Safety

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions.

Hardening & References

Baseline

CIS Benchmarks for Enterprise Web Server and Edge Device Security.

Framework
NIST CSF 2.0 / SP 800-61r3.

CISA Directive
KEV Catalog Addition (March 2026).

Source

The Hacker News

CISA KEV Catalog
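The DETECT step above asks for SIEM queries over requests to the "AjaxProxy" application path and for SSRF-style patterns. The script below is an added illustration of that kind of query as a standalone log scanner; it is not code from CISA, SolarWinds, or the post's author. Everything in it is an assumption: the access-log lines are constructed for the example, the path fragment `ajaxproxy` stands in for wherever the component is actually served, and the parameter names are invented. The page does not state how the flaw is triggered, so the logic is a generic heuristic: any request that reaches the monitored path is recorded, and the finding is raised to high severity when a query value is itself a URL pointing at a loopback, private, link-local (cloud metadata) or local-only host, which is what a server-side fetch on behalf of a client should never be asked to do.

```python
from __future__ import annotations

import re
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Constructed sample web-server access-log lines (combined log format).
# They are made up for this example and do not come from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2026:08:01:12 +0000] "GET /helpdesk/index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2026:08:02:45 +0000] "GET /helpdesk/AjaxProxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 812
198.51.100.9 - - [10/Mar/2026:08:03:01 +0000] "POST /helpdesk/AjaxProxy HTTP/1.1" 500 0
10.0.0.8 - - [10/Mar/2026:08:03:30 +0000] "GET /helpdesk/search?q=printer HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2026:08:04:10 +0000] "GET /helpdesk/AjaxProxy?target=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the exposed component is served under a path containing this fragment.
MONITORED_PATH_FRAGMENTS = ("ajaxproxy",)

# Hosts a server-side fetch should never be asked to contact on a client's behalf.
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal"}
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost")


def is_internal_host(host: str) -> bool:
    """True if host is a loopback, private, link-local (incl. cloud metadata) or local-only address."""
    host = host.lower().strip("[]")
    if host in INTERNAL_HOSTNAMES or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a public hostname; not resolved here
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def embedded_internal_urls(target: str) -> list[str]:
    """Return query-parameter values that are URLs pointing at internal hosts (SSRF pattern).

    parse_qsl percent-decodes the values, so encoded URLs are examined as well.
    Every parameter is checked because the real parameter name is not known here.
    """
    hits = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname and is_internal_host(parts.hostname):
            hits.append(value)
    return hits


def analyze_line(line: str) -> dict | None:
    """Parse one access-log line and return a finding dict, or None if nothing is notable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    path = urlsplit(target).path.lower()
    reasons = []
    if any(frag in path for frag in MONITORED_PATH_FRAGMENTS):
        reasons.append("request to monitored proxy path")
    internal = embedded_internal_urls(target)
    if internal:
        reasons.append("query carries URL to internal host: " + ", ".join(internal))
    if not reasons:
        return None
    # Both signals together (proxy path + internal URL) is the SSRF pattern; path alone is review-worthy.
    severity = "high" if len(reasons) == 2 else "medium"
    return {"src": m["src"], "ts": m["ts"], "method": m["method"], "target": target,
            "status": int(m["status"]), "severity": severity, "reasons": reasons}


def scan(log_text: str) -> list[dict]:
    """Run analyze_line over every line of a log and keep the findings in order."""
    return [f for f in (analyze_line(ln) for ln in log_text.splitlines()) if f]


def sources_by_severity(findings: list[dict], severity: str = "high") -> set[str]:
    """Client addresses that produced at least one finding of the given severity."""
    return {f["src"] for f in findings if f["severity"] == severity}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:15} {f['method']} {f['target']} -> {'; '.join(f['reasons'])}")
```

Run against the constructed sample, the scanner reports two high-severity findings from 203.0.113.7 (proxy path plus a URL to the metadata and loopback addresses) and one medium-severity POST to the proxy path from 198.51.100.9; ordinary help-desk traffic is not reported. In a SIEM the same two conditions translate directly into a path filter combined with a query-value match for internal addresses, and the medium-severity hits are the list to reconcile against the patch status of each instance.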