The US cybersecurity agency CISA on Monday expanded its Known Exploited Vulnerabilities (KEV) catalog with another Ivanti bug, urging its immediate patching.
The issue, tracked as CVE-2026-1603 (CVSS score of 8.6), is a high-severity authentication bypass vulnerability in Ivanti Endpoint Manager that could be exploited to leak credential data.
Impacting all Endpoint Manager iterations before version 2024 SU5, the security defect was patched in early February, when Ivanti said it was not aware of its in-the-wild exploitation. The company has yet to update its advisory.
On Monday, CISA urged federal agencies to apply patches for CVE-2026-1603 within two weeks, which is one week faster than the typical three-week patching window mandated by Binding Operational Directive (BOD) 22-01.
The same pathing window applies to another vulnerability newly added to KEV, namely CVE-2021-22054 (CVSS score of 7.5), a high-severity server-side request forgery (SSRF) issue in Omnissa Workspace One UEM (formerly VMware Workspace One UEM).
Patched in December 2021, the issue could allow an attacker with network access to UEM to send unauthenticated requests and access sensitive data in the management console.
In March last year, GreyNoise warned of a surge in the exploitation of a dozen SSRF bugs in products from multiple vendors, including CVE-2021-22054.
On Monday, CISA added the Workspace One UEM flaw to the KEV catalog along with the Ivanti vulnerability and CVE-2025-26399 (CVSS score of 9.8), a remote code execution (RCE) flaw in SolarWinds Web Help Desk (WHD) patched in September 2025.
CVE-2025-26399 is a patch bypass for CVE-2024-28988, which was a patch bypass for CVE-2024-28986. Last month, Microsoft flagged it as potentially exploited in the wild in December 2025.
Now, CISA has confirmed CVE-2025-26399’s exploitation, as well as its severity, giving federal agencies only one week to identify and patch vulnerable WHD instances within their environments.
Related: CISA Warns of Exploited SolarWinds, Notepad++, Microsoft Vulnerabilities
Related: Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
Related: CISA Adds iOS Flaws From Coruna Exploit Kit to KEV List
Related: Rockwell Vulnerability Allowing Remote ICS Hacking Exploited in Attacks
