The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to its Known Exploited Vulnerabilities (KEV) catalog:

- CVE-2021-22054, a Server-Side Request Forgery (SSRF) vulnerability in VMware Workspace ONE UEM (CVSS score 7.5), which could let attackers access internal resources by sending unauthenticated requests.
- CVE-2025-26399, a Deserialization of Untrusted Data vulnerability in SolarWinds Web Help Desk (CVSS score 9.8), for which SolarWinds released hot fixes in September 2025; the flaw enables arbitrary command execution on susceptible systems.
- CVE-2026-1603, an Authentication Bypass vulnerability in Ivanti Endpoint Manager (EPM) (CVSS score 8.6), which Ivanti fixed in its February patches and which allows a remote, unauthenticated attacker to access stored credentials.

The update comes with guidance that agencies address these flaws under Binding Operational Directive (BOD) 22-01: CISA has ordered federal agencies to fix CVE-2026-1603 and CVE-2021-22054 by 23 March 2026 and the SolarWinds flaw CVE-2025-26399 by 12 March 2026. Experts also advise organisations to review the KEV catalog and remediate accordingly.