Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability list is as follows - CVE-2021-22054 (CVSS score: 7.5) - A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that
Analysis Summary
This summary of the identified vulnerabilities draws on the article and current threat intelligence, with a primary focus on the Omnissa/VMware flaw.
# Vulnerability: Active Exploitation of Workspace One UEM, SolarWinds, and Ivanti
## CVE Details
- **CVE ID:** CVE-2021-22054
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-918 (Server-Side Request Forgery)
*(Note: The article also mentions CVE-2025-26399 [CVSS 9.8] and CVE-2026-1603 [CVSS 8.6])*
## Affected Systems
- **Products:** Omnissa Workspace One UEM (formerly VMware Workspace One UEM)
- **Versions:** Multiple legacy versions are affected. (Historically: 2105, 2102, 2011, and 2008).
- **Configurations:** Systems where the UEM console is reachable via the network/internet.
## Vulnerability Description
CVE-2021-22054 is a Server-Side Request Forgery (SSRF) vulnerability. It exists in the way Workspace One UEM handles certain network requests. A malicious actor with network access to the UEM environment can send specially crafted requests, causing the server to make unauthorized backend requests. This can be used to bypass perimeter security and gain access to sensitive information typically restricted to the internal network.
## Exploitation
- **Status:** **Exploited in the wild.** Added to CISA KEV catalog in March 2026. GreyNoise reported over 400 IPs targeting this flaw as part of a coordinated campaign.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential to leak sensitive internal data and credentials).
- **Integrity:** Medium (Depends on the internal services reachable via SSRF).
- **Availability:** Low (Primary impact is data exposure).
## Remediation
### Patches
- **Omnissa/VMware:** Organizations should upgrade to the latest supported version of Workspace One UEM that contains the fix. (Refer to VMware/Omnissa security advisories for specific version-jump paths).
- **Federal Requirement:** CISA has mandated FCEB agencies apply fixes by **March 23, 2026**.
### Workarounds
- **Network Segmentation:** Restrict the UEM console's ability to communicate with unintended internal resources.
- **IP Allow-listing:** Limit access to the UEM management console to trusted administrative IP ranges.
## Detection
- **Indicators of Compromise:** Look for unusual outbound HTTP/S requests originating from the UEM server to internal non-public metadata services or internal management ports.
- **Detection methods and tools:**
  - Review GreyNoise "SSRF Campaign" tags for associated malicious IP addresses.
  - Monitor web server logs for high volumes of requests to `/catalog/` or `/airwatch/` endpoints from unknown external IPs.
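The log-monitoring check above can be scripted. This is an added example, not taken from the article or from any vendor tooling: it counts requests to the `/catalog/` and `/airwatch/` prefixes per source IP and reports sources outside the trusted administrative ranges. The log layout (common/combined access-log format), the trusted ranges, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Path prefixes named in the detection guidance above.
WATCHED_PREFIXES = ("/catalog/", "/airwatch/")

# Assumption: trusted administrative ranges (placeholder values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]

# Assumption: common/combined access-log layout:
#   client ident user [time] "METHOD path protocol" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3}')

def is_trusted(ip_text):
    """True when the client address falls inside a trusted admin range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as unknown
    return any(ip in net for net in TRUSTED_NETS)

def flag_sources(lines, threshold=3):
    """Return {ip: hits} for untrusted sources with at least `threshold`
    requests to a watched prefix. Malformed lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()  # compare case-insensitively
        if path.startswith(WATCHED_PREFIXES) and not is_trusted(m.group("ip")):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _line(ip, path):
    return f'{ip} - - [10/Mar/2026:12:00:00 +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = (
    [_line("203.0.113.7", f"/catalog/page{i}") for i in range(4)]
    + [_line("203.0.113.7", "/AirWatch/page")]
    + [_line("10.20.1.5", "/airwatch/page") for _ in range(10)]  # trusted admin
    + [_line("198.51.100.9", "/catalog/page")]                   # below threshold
    + [_line("198.51.100.23", "/index.html") for _ in range(6)]  # unwatched path
    + ["malformed line"]
)

if __name__ == "__main__":
    for ip, n in sorted(flag_sources(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} requests to watched endpoints")
```

Tune `threshold` and the time window of the input to the normal request volume of the console before alerting on the result.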
## References
- **CISA KEV Catalog:** hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Vendor Advisory:** hxxps[://]blogs.vmware.com/security/2022/04/workspace-one-uem-ssrf-cve-2021-22054-patch-alert.html
- **Ivanti Advisory:** hxxps[://]hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024
- **GreyNoise Research:** hxxps[://]thehackernews.com/2025/03/over-400-ips-exploiting-multiple-ssrf.html