2026-03-10 06:17 UTC

CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability list is as follows - CVE-2021-22054 (CVSS score: 7.5) - A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that

The addition of CVE-2025-26399 comes in the wake of reports from Microsoft and Huntress that threat actors are exploiting security flaws in SolarWinds Web Help Desk to obtain initial access.

The activity is believed to be the work of the Warlock ransomware crew.

CVE-2021-22054, on the other hand, was flagged by GreyNoise in March 2025 as being exploited in conjunction with several other SSRF vulnerabilities in other products as part of a coordinated campaign.

There are currently no details on how CVE-2026-1603 is being weaponized in the wild, although Defused Cyber noted in a post on X last month that it's seeing active exploitation efforts targeting the flaw.

The attack originated from the IP address 103.69.224[.]98.
