Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

CISA warns of actively exploited Ivanti EPM and Cisco SD-WAN flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that an authentication bypass vulnerability patched in Ivanti Endpoint Manager (EPM) last month is now being exploited in the wild. The agency has also updated its directive related to two Cisco Catalyst SD-WAN flaws that were also fixed last month after being used in zero-day attacks.

The Ivanti EPM vulnerability, tracked as CVE-2026-1603, impacts EPM versions prior to 2024 SU5. It allows a remote, unauthenticated attacker to leak stored credential data and was patched on Feb. 9 along with another EPM SQL injection flaw tracked as CVE-2026-1602.

At the time, Ivanti credited a researcher working with Trend Micro’s Zero Day Initiative program for reporting the vulnerabilities and said that it was not aware of customers being exploited by those vulnerabilities.

That situation appears to have changed with CISA adding CVE-2026-1603 to its Known Exploited Vulnerabilities (KEV) catalog this week along with two others: a remote code execution flaw in the SolarWinds Web Help Desk (CVE-2025-26399) and a server-side request forgery (SSRF) issue in VMware Workspace ONE UEM (Unified Endpoint Management), now part of Omnissa (CVE-2021-22054).

While the SolarWinds Web Help Desk flaw was patched in September last year, it’s worth noting that it was a bypass to an older Java deserialization flaw, CVE-2024-28986, that was exploited in the wild soon after being patched. Because of this, researchers warned that CVE-2025-26399 will likely follow a similar path, something that CISA has now confirmed.

SolarWinds WHD is a product that has been targeted before, including this year in January via two zero-day vulnerabilities.

Also this week, CISA updated its emergency directive related to CVE-2026-20127 and CVE-2022-20775 — an authentication bypass flaw and a privilege escalation issue in Cisco SD-WAN Controller and software. Cybersecurity agencies from the Five Eyes alliance issued a joint advisory about CVE-2026-20127 last month after the flaw was identified in active attacks.

What makes it worse is that there were signs the vulnerability had been exploited since 2023, so the attacks managed to fly under the radar for almost 3 years.

CISA issued a directive to federal government agencies to identify impacted systems on their networks, patch the flaws, and hunt for compromises. The updated version of the directive issued this week adds requirements regarding reporting and actions. Specifically, federal agencies must submit collected logs from SD-WAN deployments to CISA by March 26.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.