
US cyber agency warns of exploitation of 3 vulnerabilities, including SolarWinds and Ivanti bugs

Hackers are targeting vulnerabilities in Ivanti Endpoint Manager, SolarWinds Web Help Desk, and VMware Workspace ONE.

Tue, 10 Mar 2026

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog.

The most critical, with a CVSS score of 9.8, is CVE-2025-26399, a deserialisation of untrusted data vulnerability in SolarWinds Web Help Desk versions 12.8.7 and below.

This vulnerability was originally disclosed on 23 September 2025, with SolarWinds noting at the time that exploitation of the flaw could lead to remote code execution on host machines. It is a patch bypass of CVE-2024-28988, which is itself a patch bypass of CVE-2024-28986.

Security researchers at Huntress spotted exploitation of this vulnerability last month.

“Huntress has observed threat actors exploiting SolarWinds Web Help Desk vulnerability across three customers; organisations should apply the update from SolarWinds’ website as soon as possible,” Huntress said in a 9 February blog post.

The issue has been resolved in SolarWinds Web Help Desk 12.8.7 HF1.

CVE-2026-1603 is an authentication bypass bug in Ivanti Endpoint Manager with a CVSS score of 8.6, making it a high-severity vulnerability. This was first reported last month, in February, and impacts versions before 2024 SU5.

“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure,” Ivanti said, though CISA obviously knows otherwise.

Both of the vulnerabilities above were disclosed as part of the Trend Micro Zero Day Initiative.

Finally, CVE-2021-22054 is a server-side request forgery vulnerability impacting the following versions of VMware Workspace ONE UEM console: 20.0.8 prior to 20.0.8.37; 20.11.0 prior to 20.11.0.40; 21.2.0 prior to 21.2.0.27; and 21.5.0 prior to 21.5.0.37.

This is an older vulnerability, dating back to December 2021 – old enough that the link to VMware’s original advisory now returns a “Page not found” error. According to the CVE entry, this flaw could allow a malicious actor with network access to send requests without authentication and to gain access to sensitive information.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
