U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog
Summary: The U.S. cybersecurity agency CISA added three high-severity vulnerabilities affecting Ivanti EPM, SolarWinds, and Omnissa Workspace One to its Known Exploited Vulnerabilities catalog. They cover authentication bypass, deserialization, and SSRF issues that could be used to steal sensitive information or control systems remotely. Federal agencies must remediate them by the stated deadlines.

2026-3-10 09:52:14 Author: securityaffairs.com

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2021-22054 (CVSS score: 7.5) Omnissa Workspace ONE Server-Side Request Forgery Vulnerability
  • CVE-2025-26399 (CVSS score: 9.8) SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  • CVE-2026-1603 (CVSS score: 8.6) Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

The first vulnerability added to the catalog is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2021-22054, in VMware Workspace ONE UEM console. The vulnerability allows attackers with network access to send unauthenticated requests. By exploiting the vulnerability, a malicious actor could access internal resources and potentially expose sensitive information.

The second flaw added to the catalog is a deserialization of untrusted data vulnerability tracked as CVE-2025-26399. In September 2025, SolarWinds released hot fixes to address this critical flaw. An attacker could exploit the flaw to execute arbitrary commands on susceptible systems.

Deserialization of Untrusted Data is a high-severity vulnerability where an application reconstructs objects from data received from untrusted sources, without verifying integrity or validity. Attackers can craft malicious serialized objects that, when deserialized, abuse the logic of the application to execute code, access sensitive data, escalate privileges, or manipulate system processes. 
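
The pattern described above, as an added example that is not code from the article or from SolarWinds: a minimal Python service that rebuilds session objects with `pickle` (the vulnerable shape) next to a hardened replacement that verifies an HMAC tag before parsing and only accepts a data-only JSON document with an allow-listed set of fields. The "malicious object" is a constructed stand-in whose only effect is to record that code ran during `pickle.loads`; the function and key names (`load_session_unsafe`, `load_session_safe`, `SECRET_KEY`) are hypothetical.

```python
import hashlib
import hmac
import json
import pickle

# Records what ran while a blob was being deserialized, so the effect is observable.
SIDE_EFFECTS: list[str] = []


def record(marker: str) -> str:
    """Harmless stand-in for whatever a real gadget chain would run."""
    SIDE_EFFECTS.append(marker)
    return marker


class Tampered:
    """Constructed malicious object: pickle invokes the callable returned by
    __reduce__ inside loads(), before the application sees any result."""

    def __reduce__(self):
        return (record, ("code ran during pickle.loads",))


def make_trusted_blob() -> bytes:
    # What the application expects to store: a plain session dict.
    return pickle.dumps({"user": "alice", "role": "admin"})


def make_tampered_blob() -> bytes:
    # What someone who controls the stored bytes can substitute for it.
    return pickle.dumps(Tampered())


def load_session_unsafe(blob: bytes) -> object:
    """Vulnerable pattern (CWE-502): rebuilds arbitrary objects from
    caller-controlled bytes with no integrity or type check."""
    return pickle.loads(blob)


# Hardened replacement: data-only format, field allow-list, and an HMAC tag
# that is verified before the payload is parsed at all.
SECRET_KEY = b"constructed-demo-key"  # hypothetical; use a per-deployment secret
ALLOWED_FIELDS = {"user", "role", "expires"}


def dump_session_safe(session: dict) -> bytes:
    unknown = set(session) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload


def load_session_safe(blob: bytes) -> dict:
    tag, sep, payload = blob.partition(b".")
    if not sep:
        raise ValueError("malformed session blob")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # rejected before json.loads
    data = json.loads(payload)
    if not isinstance(data, dict) or set(data) - ALLOWED_FIELDS:
        raise ValueError("schema violation")
    return data


if __name__ == "__main__":
    print("unsafe, trusted blob :", load_session_unsafe(make_trusted_blob()))
    print("unsafe, tampered blob:", load_session_unsafe(make_tampered_blob()), SIDE_EFFECTS)
    good = dump_session_safe({"user": "alice", "role": "admin"})
    print("safe, intact         :", load_session_safe(good))
    try:
        load_session_safe(good.replace(b'"admin"', b'"owner"'))
    except ValueError as exc:
        print("safe, tampered       :", exc)
```

The point the two halves make is the order of operations: in the unsafe version the object graph is executed before any check can run, while in the hardened version the integrity check fails first and `json.loads` never sees a forged payload. A format that cannot express code (JSON, protobuf) plus a schema check is the usual fix; signing the blob only helps when the key is kept server-side.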

The last issue added to the KEV catalog is an Ivanti Endpoint Manager (EPM) authentication bypass vulnerability tracked as CVE-2026-1603.

In February, Ivanti released patches for more than a dozen vulnerabilities in Endpoint Manager, including flaws disclosed in October 2025. The update addresses the flaw CVE-2026-1603 that attackers could exploit remotely without credentials to access and steal sensitive login information.

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. 

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities CVE-2026-1603 and CVE-2021-22054 by March 23, 2026. The US Agency orders federal agencies to fix the SolarWinds flaw CVE-2025-26399 by March 12, 2026.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)
Source: https://securityaffairs.com/189172/security/u-s-cisa-adds-ivanti-epm-solarwinds-and-omnissa-workspace-one-flaws-to-its-known-exploited-vulnerabilities-catalog.html