Federal agencies face urgent patch deadlines as threat actors actively exploit enterprise software vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three critical vulnerabilities affecting widely used enterprise software to its Known Exploited Vulnerabilities (KEV) catalog, confirming that threat actors are actively exploiting them in real-world attacks.
This development places organizations using SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Workspace One UEM under immediate pressure to patch affected systems. Because these platforms are commonly used for IT service management and endpoint administration, attackers view them as valuable entry points into corporate networks.
The vulnerabilities include flaws that enable remote command execution, authentication bypass, and server-side request forgery (SSRF). As a result, attackers can move beyond initial access and potentially escalate their presence inside enterprise environments.
SolarWinds Web Help Desk Vulnerability Enables Remote Command Execution
The most critical vulnerability identified is CVE-2025-26399, which carries a CVSS score of 9.8. This flaw affects the AjaxProxy component in SolarWinds Web Help Desk and involves the deserialization of untrusted data.
If successfully exploited, attackers can execute arbitrary commands on the host system. Consequently, they may gain full control over the affected server and pivot deeper into internal networks.
Security researchers have already linked exploitation attempts to the Warlock ransomware group, which reportedly uses the vulnerability to gain initial access before deploying ransomware or conducting data theft operations.
Workspace One SSRF Vulnerability Exposes Sensitive Data
Another vulnerability, CVE-2021-22054, impacts Omnissa Workspace One UEM (previously VMware Workspace One UEM). This issue involves a server-side request forgery (SSRF) flaw that allows attackers with network access to send unauthorized requests without authentication.
Through this technique, malicious actors may retrieve sensitive system information or abuse internal services that are normally restricted.
Security monitoring platform GreyNoise previously observed this vulnerability being exploited alongside other SSRF flaws in multiple products. Therefore, researchers believe attackers may be conducting coordinated scanning campaigns targeting enterprise infrastructure.
Ivanti Endpoint Manager Authentication Bypass Raises Credential Risks
The third vulnerability, CVE-2026-1603, affects Ivanti Endpoint Manager and carries a CVSS score of 8.6. The flaw allows attackers to bypass authentication through alternate access paths and potentially expose stored credential data.
Although there are currently limited details on how attackers exploit this vulnerability in the wild, its inclusion in the KEV catalog indicates confirmed active exploitation.
Because credential exposure can enable lateral movement across enterprise networks, this vulnerability represents a serious operational risk for organizations relying on centralized endpoint management tools.
Federal Agencies Given Urgent Patch Deadlines
Following the KEV catalog update, Federal Civilian Executive Branch (FCEB) agencies must apply remediation measures within strict deadlines.
Agencies have until March 12, 2026 to patch the SolarWinds Web Help Desk vulnerability. Meanwhile, they must address the Ivanti and Workspace One vulnerabilities by March 23, 2026.
CISA emphasized that vulnerabilities affecting enterprise management platforms frequently become high-value targets for cybercriminal groups and state-sponsored attackers.
What This Means for Organizations
These vulnerabilities highlight a recurring challenge in cybersecurity: tools designed to manage IT infrastructure can also become powerful attack vectors.
Attackers actively search for weaknesses in enterprise software because successful exploitation can grant them administrative access, sensitive data exposure, or a pathway to deploy ransomware.
Therefore, organizations should prioritize the following defensive measures:
- Apply vendor patches immediately
- Monitor network activity for abnormal management tool behavior
- Restrict external access to administrative platforms
- Implement strong credential management policies
- Conduct vulnerability scanning across enterprise systems
Meanwhile, security teams should review threat intelligence feeds to detect potential exploitation attempts targeting these vulnerabilities.
In an environment where attackers increasingly focus on enterprise management platforms, rapid patching and proactive monitoring remain critical to preventing large-scale compromise.