US cyber agency warns of exploitation of 3 vulnerabilities, including SolarWinds and Ivanti bugs – CVE-2025-26399 (CVSS 9.8)


Key Takeaways:

  • CISA has added critical vulnerabilities in SolarWinds, Ivanti, and VMware to its Known Exploited Vulnerabilities (KEV) catalog.
  • CVE-2025-26399 (SolarWinds) is a critical 9.8 CVSS RCE caused by a patch bypass on previous deserialization fixes.
  • Ivanti Endpoint Manager (CVE-2026-1603) allows authentication bypass, granting administrative control over managed assets.
  • Legacy vulnerabilities like CVE-2021-22054 in VMware remain active targets for internal network reconnaissance.

The United States Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation of three specific flaws. The update follows reports that threat actors are successfully targeting installations of SolarWinds Web Help Desk, Ivanti Endpoint Manager, and VMware Workspace ONE. This development requires immediate attention from security teams responsible for maintaining these platforms, as the vulnerabilities provide pathways for remote code execution, authentication bypass, and sensitive information disclosure.

The most critical of these flaws is CVE-2025-26399, which affects SolarWinds Web Help Desk and carries a CVSS score of 9.8. This vulnerability involves the deserialization of untrusted data, a recurring issue in this specific product line. Additionally, Ivanti Endpoint Manager is affected by CVE-2026-1603, an authentication bypass bug with a CVSS score of 8.6. Rounding out the trio is an older Server-Side Request Forgery (SSRF) flaw in VMware Workspace ONE UEM, identified as CVE-2021-22054. The inclusion of these vulnerabilities in the KEV catalog indicates that CISA has confirmed evidence of active exploitation in the wild, necessitating prioritized remediation according to Binding Operational Directive (BOD) 22-01.



The technical details of these vulnerabilities indicate a focused effort by threat actors to compromise enterprise management and help desk software. These tools are often granted high levels of privilege within a network, making them ideal targets for initial access and lateral movement.

SolarWinds Web Help Desk: CVE-2025-26399 (CVSS 9.8)

CVE-2025-26399 is a critical vulnerability found in SolarWinds Web Help Desk (WHD) versions 12.8.7 and earlier. The technical root cause is the deserialization of untrusted data. In Java-based applications like WHD, deserialization vulnerabilities occur when an application takes data from an untrusted source and attempts to reconstruct an object without sufficient validation. This can be exploited by an attacker to execute arbitrary commands on the host machine.

This specific CVE is a patch bypass for CVE-2024-28988, which was itself a bypass for CVE-2024-28986. The repeated discovery of bypasses suggests that previous remediation attempts focused on specific exploit payloads rather than addressing the underlying insecure deserialization sink. Security researchers at Huntress reported observing threat actors exploiting this vulnerability across multiple customer environments in early February 2026. Because Web Help Desk often integrates with Active Directory and other sensitive internal systems, an RCE on this platform provides a significant foothold for attackers.

Data from our cyber threat intelligence platform indicates that exploit code for Java deserialization bugs is frequently shared within specialized communities. Organizations utilizing SolarWinds WHD must upgrade to version 12.8.7 HF1 to mitigate this risk.

Ivanti Endpoint Manager: CVE-2026-1603 (CVSS 8.6)

Ivanti Endpoint Manager (EPM) is currently targeted via CVE-2026-1603. This is an authentication bypass vulnerability affecting versions prior to 2024 SU5. Authentication bypass bugs are particularly dangerous because they allow an attacker to gain access to administrative functionalities without needing valid credentials.

While Ivanti initially stated they were not aware of customer exploitation prior to public disclosure, CISA’s decision to add it to the KEV catalog confirms that exploitation is occurring. In the context of supply-chain risk monitoring, vulnerabilities in endpoint management software are high-impact events. EPM tools have agents installed on nearly every device in an enterprise, meaning a compromise of the central server could lead to a wide-scale compromise of the entire workstation and server fleet.

Security teams should correlate logs from Ivanti EPM consoles with real-time ransomware intelligence to identify if this access is being leveraged by known ransomware affiliates for mass software deployment of encryptors.

VMware Workspace ONE UEM: CVE-2021-22054

The inclusion of CVE-2021-22054 is a reminder that older vulnerabilities remain viable for attackers. This SSRF vulnerability impacts several versions of the VMware Workspace ONE UEM console (20.0.8, 20.11.0, 21.2.0, and 21.5.0).

An SSRF flaw allows a malicious actor with network access to make the server send requests it should not be sending. This can be used to gain access to sensitive internal information or to reach other internal services that are not directly exposed to the internet. Although the vulnerability dates back to 2021, it continues to be exploited, often because legacy systems are left unpatched or are forgotten during infrastructure migrations.

The persistence of exploitation for CVE-2021-22054 emphasizes the need for a comprehensive dark web monitoring service. Threat actors frequently document and sell lists of “low-hanging fruit,” which include unpatched legacy systems accessible via the public internet.

The targeting of management software like SolarWinds and Ivanti fits a broader pattern of “living off the land” and supply chain exploitation. Attackers recognize that compromising a single management node is more efficient than attacking a hundred individual endpoints.

Deserialization Mechanics

In the case of SolarWinds, the vulnerability exists in how the application handles Java objects. When an attacker sends a specially crafted serialized object to the application, the Java Virtual Machine (JVM) attempts to deserialize it. If the application has “gadget chains” available in its classpath, the attacker can achieve RCE. This is why breach detection protocols should focus on the subsequent behavior of the Java process, such as unexpected shell execution or outbound network connections to unknown IPs.
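The detection idea above (watch what the Java process does next, rather than trying to recognise the inbound payload) can be expressed as two small rules over process-creation and network-connection telemetry. The following Python is an added example written for this article, not SolarWinds, Huntress or PurpleOps code; the event shape, the host names, the java.exe path and the list of expected destinations are all constructed assumptions. It also implements what item 5 of the technical takeaways below asks for (unusual child processes of the Java executable).

```python
import ipaddress

# Constructed sample telemetry in an EDR/Sysmon-like shape; not real logs from any incident.
JAVA = r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"  # hypothetical install path
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "whd01", "parent_image": JAVA,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process_create", "host": "whd01", "parent_image": JAVA,
     "image": r"C:\Program Files\WebHelpDesk\bin\pgsql\bin\pg_dump.exe", "cmdline": "pg_dump whd"},
    {"type": "network_connect", "host": "whd01", "image": JAVA,
     "dest_ip": "10.0.0.5", "dest_port": 5432},
    {"type": "network_connect", "host": "whd01", "image": JAVA,
     "dest_ip": "1.2.3.4", "dest_port": 443},
    {"type": "process_create", "host": "ws-42", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}
# Shells and script hosts that a help-desk web application has no business launching.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "sh", "bash", "dash"}
# Hypothetical allowlist: the server's own database and a domain controller (LDAPS).
# Anything else is "unknown" for the outbound rule.
EXPECTED_DESTINATIONS = {("10.0.0.5", 5432), ("10.0.0.10", 636)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return a list of alert dicts for Java-spawned shells and unexpected Java egress."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            if basename(ev["parent_image"]) in JAVA_IMAGES and basename(ev["image"]) in SHELL_IMAGES:
                alerts.append({"rule": "java_spawned_shell", "host": ev["host"],
                               "detail": ev["cmdline"], "severity": "high"})
        elif ev["type"] == "network_connect":
            if basename(ev["image"]) not in JAVA_IMAGES:
                continue
            if (ev["dest_ip"], ev["dest_port"]) in EXPECTED_DESTINATIONS:
                continue
            # Egress to a public address from the web process is the stronger signal.
            severity = "high" if ipaddress.ip_address(ev["dest_ip"]).is_global else "medium"
            alerts.append({"rule": "java_unexpected_outbound", "host": ev["host"],
                           "detail": f"{ev['dest_ip']}:{ev['dest_port']}", "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the first rule fires once (cmd.exe launched by java.exe on whd01) and the second once (java.exe connecting to 1.2.3.4:443); the pg_dump child and the database connection are expected behaviour and stay quiet. In production the allowlist of destinations should be learned from a baseline period rather than typed in by hand.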

Authentication Bypass Mechanics

For Ivanti, the authentication bypass likely involves a failure in how the web component of the EPM console validates session tokens or handles specific API requests. Attackers may use Telegram threat monitoring to find leaked “one-liners” that automate detection. Once the bypass is achieved, the attacker has administrative control over the EPM environment, allowing them to push malicious packages to all managed endpoints.

SSRF and Internal Reconnaissance

The VMware SSRF vulnerability is a tool for reconnaissance. By forcing the Workspace ONE UEM console to make requests on their behalf, attackers can map out the internal network and potentially steal metadata from cloud environments (such as AWS/Azure instance metadata services). This is often a precursor to a larger data breach.
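The defensive counterpart to the SSRF behaviour described in the two passages above is to validate every server-initiated request by the address it will actually reach, not just by the URL string. The Python below is an added example, not VMware code and not a description of how Workspace ONE UEM handles requests; the name-to-address table, the allowlisted host and the "public" address 1.2.3.4 are constructed so the example runs offline. It places a weak, string-only check beside a hardened one that blocks loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address) and IPv4-mapped IPv6 destinations.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed name -> address table so the example runs offline. A real deployment
# resolves with the system resolver and re-validates the address of every redirect hop.
FAKE_DNS = {
    "updates.example.com": "1.2.3.4",        # constructed public address
    "metadata.internal": "169.254.169.254",  # cloud instance-metadata service address
    "intranet-wiki": "10.0.5.20",            # RFC 1918 address
}

ALLOWED_SCHEMES = {"https"}
# Ranges that the ipaddress flags below do not cover uniformly on every Python version.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]  # carrier-grade NAT space


def naive_validate(url: str) -> bool:
    """The kind of check that is *not* enough: it never looks at where the host points."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname not in (None, "localhost")


def is_blocked_address(addr: str) -> bool:
    """True if addr is loopback, private, link-local or otherwise not a public address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.5.20 must be judged as 10.0.5.20
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def validate_outbound_url(url: str, allowed_hosts=None, resolve=FAKE_DNS.get):
    """Return (ok, reason): checks scheme, optional host allowlist, then the resolved address."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not allowlisted"
    try:
        addr = str(ipaddress.ip_address(host))  # literal IP in the URL
    except ValueError:
        addr = resolve(host)                     # hostname: look it up
        if addr is None:
            return False, "unresolvable host"
    if is_blocked_address(addr):
        return False, f"resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://updates.example.com/api/v1", "https://metadata.internal/",
                      "https://169.254.169.254/", "https://[::ffff:10.0.5.20]/"):
        print(candidate, naive_validate(candidate), validate_outbound_url(candidate))
```

The naive check accepts the metadata address outright; the hardened check rejects it whether it arrives as a hostname, a literal IPv4 address or an IPv4-mapped IPv6 literal. The `resolve` parameter exists so the decision is made on the resolved address, and the same check must be repeated after each redirect, since a permitted host can answer with a redirect to an internal one.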

Operationalizing Threat Intelligence

To manage the risks posed by these vulnerabilities, organizations should utilize a variety of intelligence sources. Underground forum intelligence is essential for identifying when an exploit moves from a private proof-of-concept to a publicly available exploit kit. Once an exploit is public, the volume of scanning activity increases exponentially.

Furthermore, live ransomware API integrations can help organizations prioritize patching. If a specific CVE, like CVE-2025-26399, is being actively used by a ransomware group to gain initial access, the urgency of the patch increases beyond what the CVSS score alone might suggest.

Monitoring for brand leak alerting is also necessary. If an organization is running an unpatched version of Ivanti or SolarWinds, their credentials or internal data may already be present in data dumps. Threat actors often use these vulnerabilities to exfiltrate configuration files which may contain hardcoded credentials or API keys.

Practical Takeaways for Technical Staff

  1. Inventory and Version Check: Immediately identify all instances of SolarWinds Web Help Desk, Ivanti Endpoint Manager, and VMware Workspace ONE UEM. Verify build and version numbers.
  2. SolarWinds Remediation: Upgrade Web Help Desk to version 12.8.7 HF1. If immediate patching is not possible, restrict network access to the WHD interface to trusted IPs.
  3. Ivanti Remediation: Apply the 2024 SU5 update for Ivanti EPM. Review administrative audit logs for unauthorized user creations.
  4. VMware Remediation: Ensure Workspace ONE UEM consoles are updated to version 21.5.0.37 or later. If legacy, consider decommissioning or placing behind a VPN.
  5. Log Analysis: Search for indicators of compromise (IoCs). For SolarWinds, look for unusual child processes of the Java executable (e.g., cmd.exe).
  6. Configuration Hardening: Disable unnecessary features in management consoles. Ensure service accounts run with the least privilege possible.
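Steps 1 to 4 above amount to one procedure: compare each installed build against the fixed version and decide who needs to patch. The Python below is an added example, not vendor tooling; the inventory is constructed, and the fixed-version thresholds are exactly the ones this article states (12.8.7 HF1, 2024 SU5 and 21.5.0.37), so they should be re-checked against the vendor advisories before the script is used for anything real. The one assumption in the comparison is that a hotfix or service-update suffix (HF1, SU5) sorts after the same base version without one.

```python
import re

# Fixed versions as stated in the article; verify against the vendor advisories.
FIXED_VERSION = {
    "SolarWinds Web Help Desk": "12.8.7 HF1",
    "Ivanti Endpoint Manager": "2024 SU5",
    "VMware Workspace ONE UEM": "21.5.0.37",
}

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("whd01", "SolarWinds Web Help Desk", "12.8.7"),
    ("whd02", "SolarWinds Web Help Desk", "12.8.7 HF1"),
    ("epm-core", "Ivanti Endpoint Manager", "2024 SU4"),
    ("uem-legacy", "VMware Workspace ONE UEM", "20.11.0"),
    ("uem-prod", "VMware Workspace ONE UEM", "21.5.0.37"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(?:(?:HF|SU)\s*(\d+))?", re.IGNORECASE)


def version_key(version: str, width: int = 4):
    """Turn '12.8.7 HF1' into a comparable tuple: numeric parts padded, hotfix number last."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric = [int(part) for part in m.group(1).split(".")]
    if len(numeric) > width:
        raise ValueError(f"more than {width} numeric components: {version!r}")
    numeric += [0] * (width - len(numeric))
    hotfix = int(m.group(2)) if m.group(2) else 0  # assumption: HF/SU suffix sorts after base
    return tuple(numeric) + (hotfix,)


def needs_patch(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed version for that product."""
    return version_key(installed) < version_key(FIXED_VERSION[product])


def triage(inventory):
    """Return the hosts that still need patching, with the version they must reach."""
    return [
        {"host": host, "product": product, "installed": installed, "fixed": FIXED_VERSION[product]}
        for host, product, installed in inventory
        if needs_patch(product, installed)
    ]


if __name__ == "__main__":
    for item in triage(INVENTORY):
        print(f"{item['host']}: {item['product']} {item['installed']} -> upgrade to {item['fixed']}")
```

On the constructed inventory, whd01, epm-core and uem-legacy are flagged and the two hosts already on the fixed build are not. Version strings that the regular expression does not recognise raise rather than silently comparing as "patched", which is the safer failure mode for an inventory script.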

Practical Takeaways for Business Leaders

  1. Risk Prioritization: A CVSS 9.8 vulnerability in a management tool is a critical incident. Ensure IT teams have authorization for out-of-band patching.
  2. Vendor Management: Incorporate supply-chain risk monitoring into procurement to ensure vendors are held accountable for effective patching.
  3. Incident Readiness: Confirm that incident response teams have updated playbooks for handling a compromise of management infrastructure.
  4. Security Investment: Ensure the organization utilizes a cyber threat intelligence platform to receive early warnings.

PurpleOps Capability and Expertise

PurpleOps provides the infrastructure and expertise required to navigate these threats. Our Cyber Threat Intelligence services are designed to identify active exploitation trends before they result in a breach. By monitoring diverse data sources, including Dark Web Monitoring, we provide early warnings that allow organizations to patch preemptively.

For organizations concerned about the security of their management software, our Penetration Testing and Red Team Operations teams can simulate the exact techniques used by threat actors to exploit vulnerabilities like CVE-2025-26399 and CVE-2026-1603. This helps identify if your current security controls are capable of detecting and blocking such attacks.

Furthermore, our focus on Supply Chain Information Security ensures that you are aware of the risks posed by the software vendors you rely on. We provide the tools to Protect Against Ransomware by identifying the initial access vectors, such as these CISA KEV vulnerabilities, and closing them before they can be exploited.

By integrating the PurpleOps Platform into your security operations, you gain access to a centralized hub for managing your Services and threat data. This approach ensures that technical debt, like the old VMware SSRF bug, does not become a pathway for a modern attack.

The exploitation of these three vulnerabilities highlights the persistent interest threat actors have in enterprise management platforms. The “patch bypass” nature of the SolarWinds bug particularly underscores the difficulty in completely eradicating deserialization risks in legacy codebases. Organizations must transition from reactive patching to a more proactive stance, utilizing threat intelligence to prioritize their defensive efforts.

Frequently Asked Questions

What is the significance of CVE-2025-26399 in SolarWinds Web Help Desk?
It is a critical Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8. It is particularly dangerous because it acts as a patch bypass for previous fixes regarding insecure deserialization.

Which version of Ivanti Endpoint Manager is affected by the authentication bypass?
The vulnerability (CVE-2026-1603) affects all versions of Ivanti EPM prior to the 2024 SU5 update.

Why is CISA warning about a VMware vulnerability from 2021?
Despite its age, CVE-2021-22054 is still being actively exploited in the wild, likely targeting legacy systems that have been overlooked during migration or maintenance cycles.

What are the primary risks associated with these vulnerabilities?
The risks include remote code execution (RCE) on highly privileged management servers, administrative account takeover through authentication bypass, and internal network reconnaissance via SSRF.

How can organizations protect themselves from these active threats?
Immediate patching to the latest vendor-supplied versions is essential. Organizations should also employ threat intelligence to monitor for signs of exploitation and harden the configuration of management consoles.