The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that an authentication bypass vulnerability patched in Ivanti Endpoint Manager (EPM) last month is now being exploited in the wild. The agency has also updated its directive covering two Cisco Catalyst SD-WAN flaws that were fixed last month after being used in zero-day attacks.

The Ivanti EPM vulnerability, tracked as CVE-2026-1603, impacts EPM versions prior to 2024 SU5. It allows a remote, unauthenticated attacker to leak stored credential data and was patched on Feb. 9 along with another EPM SQL injection flaw tracked as CVE-2026-1602.

At the time, Ivanti credited a researcher working with Trend Micro’s Zero Day Initiative program for reporting the vulnerabilities and said that it was not aware of any customers being exploited through those vulnerabilities.

That situation appears to have changed with CISA adding CVE-2026-1603 to its Known Exploited Vulnerabilities (KEV) catalog this week along with two others: a remote code execution flaw in the SolarWinds Web Help Desk (CVE-2025-26399) and a server-side request forgery (SSRF) issue in VMware Workspace ONE UEM (Unified Endpoint Management), now part of Omnissa (CVE-2021-22054).

While the SolarWinds Web Help Desk flaw was patched in September last year, it’s worth noting that it was a bypass for an older Java deserialization flaw, CVE-2024-28986, that was exploited in the wild soon after being patched. Because of this, researchers warned that CVE-2025-26399 would likely follow a similar path, something that CISA has now confirmed.

SolarWinds WHD is a product that has been targeted before, including this year in January via two zero-day vulnerabilities.

Also this week, CISA updated its emergency directive related to CVE-2026-20127 and CVE-2022-20775 — an authentication bypass flaw and a privilege escalation issue in Cisco SD-WAN Controller and software. Cybersecurity agencies from the Five Eyes alliance issued a joint advisory about CVE-2026-20127 last month after the flaw was identified in active attacks.

What makes it worse is that there were signs the vulnerability had been exploited since 2023, so the attacks managed to fly under the radar for almost three years.

CISA issued a directive to federal government agencies to identify impacted systems on their networks, patch the flaws, and hunt for compromises. The updated version of the directive issued this week adds requirements regarding reporting and actions. Specifically, federal agencies must submit collected logs from SD-WAN deployments to CISA by March 26.
