Attack warning for Ivanti Endpoint Manager, SolarWinds Web Help Desk and more
CISA warns of attacks on vulnerabilities in Ivanti Endpoint Manager, SolarWinds Web Help Desk, and other software.
Criminals are currently attacking security vulnerabilities in Ivanti Endpoint Manager, SolarWinds Web Help Desk, and Omnissa (formerly VMware) Workspace ONE over the internet. The US IT security authority CISA is warning about this.
In its statement, CISA names only the attacked vulnerabilities and product names. As usual, the US authority does not provide information on the type and scope of the attacks.
Vulnerabilities Under Attack
The most recent vulnerability affects Ivanti Endpoint Manager (EPM) 2024. Attackers can bypass authentication without prior login and obtain specific stored credentials. Ivanti does not spell out the concrete impact, such as whether instances can be completely taken over, but the severity rating points in that direction (CVE-2026-1603, CVSS 8.6, risk “high”). The manufacturer closes the vulnerability with the February security updates, which bring Ivanti EPM to version 2024 SU5.
A critical security vulnerability in SolarWinds Web Help Desk became known in September last year; it affects the Ajax component. The component deserializes input without requiring authentication, which allows code injection over the network (CVE-2025-26399, CVSS 9.8, risk “critical”). The first attacks on the vulnerability became known in February. CISA is now warning of ongoing exploitation; apparently, IT managers have still not applied the available update (at the time of reporting, SolarWinds WHD 2026.1).
The last vulnerability for which CISA has currently observed attacks affects Omnissa (formerly VMware) Workspace ONE. Malicious actors can exploit a server-side request forgery (SSRF) vulnerability and thus gain unauthorized access to sensitive information (CVE-2021-22054, CVSS 7.5, risk “high”). Updates that patch the vulnerability have been available since the end of 2021.
IT managers should check whether the vulnerable software is running in their organizations and apply the available updates promptly. However, since no details about the attacks are available, there are also no indicators of compromise (IOCs) that admins could use to check their systems for successful attacks.
(dmk)