{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidbcumc65obaflv7e2i4hd342iavmi5xdwmlekunhyybibd3zuzdq",
"uri": "at://did:plc:rrwxywdlrz5fkwj5g4u4jnrk/app.bsky.feed.post/3mgv4sja7s3w2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreigf7rki5k6vrnfoxbugrryfhjavla2szsbuecvpypzelywhtw2cuu"
},
"mimeType": "image/jpeg",
"size": 7215010
},
"path": "/article/4143992/cisa-warns-of-actively-exploited-ivanti-epm-and-cisco-sd-wan-flaws.html",
"publishedAt": "2026-03-11T22:46:04.000Z",
"site": "https://www.csoonline.com",
"tags": [
"Cyberattacks, Security, Vulnerabilities",
"CVE-2026-1603",
"CISA adding CVE-2026-1603 to its Known Exploited Vulnerabilities (KEV) catalog",
"patched in September last year",
"researchers warned that CVE-2025-26399 will likely follow a similar path",
"has been targeted before",
"CISA updated its emergency directive",
"CVE-2026-20127",
"after the flaw was identified in active attacks"
],
"textContent": "The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that an authentication bypass vulnerability patched in Ivanti Endpoint Manager (EPM) last month is now being exploited in the wild. The agency has also updated its directive related to two Cisco Catalyst SD-WAN flaws that were also fixed last month after being used in zero-day attacks.\n\nThe Ivanti EPM vulnerability, tracked as CVE-2026-1603, impacts EPM versions prior to 2024 SU5. It allows a remote, unauthenticated attacker to leak stored credential data and was patched on Feb. 9 along with another EPM SQL injection flaw tracked as CVE-2026-1602.\n\nAt the time, Ivanti credited a researcher working with Trend Micro’s Zero Day Initiative program for reporting the vulnerabilities and said that it was not aware of any customers being exploited through those vulnerabilities.\n\nThat situation appears to have changed with CISA adding CVE-2026-1603 to its Known Exploited Vulnerabilities (KEV) catalog this week along with two others: a remote code execution flaw in the SolarWinds Web Help Desk (CVE-2025-26399) and a server-side request forgery (SSRF) issue in VMware Workspace ONE UEM (Unified Endpoint Management), now part of Omnissa (CVE-2021-22054).\n\nWhile the SolarWinds Web Help Desk flaw was patched in September last year, it’s worth noting that it was a bypass to an older Java deserialization flaw, CVE-2024-28986, that was exploited in the wild soon after being patched. Because of this, researchers warned that CVE-2025-26399 will likely follow a similar path, something that CISA has now confirmed.\n\nSolarWinds WHD is a product that has been targeted before, including this year in January via two zero-day vulnerabilities.\n\nAlso this week, CISA updated its emergency directive related to CVE-2026-20127 and CVE-2022-20775 — an authentication bypass flaw and a privilege escalation issue in Cisco SD-WAN Controller and software. Cybersecurity agencies from the Five Eyes alliance issued a joint advisory about CVE-2026-20127 last month after the flaw was identified in active attacks.\n\nWhat makes it worse is that there were signs the vulnerability had been exploited since 2023, so the attacks managed to fly under the radar for almost 3 years.\n\nCISA issued a directive to federal government agencies to identify impacted systems on their networks, patch the flaws, and hunt for compromises. The updated version of the directive issued this week adds requirements regarding reporting and actions. Specifically, federal agencies must submit collected logs from SD-WAN deployments to CISA by March 26.",
"title": "CISA warns of actively exploited Ivanti EPM and Cisco SD-WAN flaws"
}