CISA Flags Three Critical Flaws as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its public catalog of security vulnerabilities on Monday, adding three flaws on the basis of evidence that they are being actively exploited by malicious actors. The agency’s action serves as a formal warning to federal agencies and a critical advisory for all organizations to prioritize patching these issues.

Details of the Exploited Vulnerabilities

The newly listed entries in CISA’s Known Exploited Vulnerabilities (KEV) catalog cover products from SolarWinds, Ivanti, and Omnissa. Federal civilian executive branch agencies are now required to apply the available patches for these flaws by a specified deadline to secure their networks.

The first vulnerability, tracked as CVE-2021-22054, carries a CVSS severity score of 7.5. It is a server-side request forgery (SSRF) flaw in Omnissa Workspace One UEM, a unified endpoint management platform formerly known as VMware Workspace One UEM. This type of vulnerability could allow an attacker to send crafted requests from the server, potentially accessing internal systems.

The second flaw is identified as CVE-2017-1673, a remote code execution vulnerability in SolarWinds TFTP Server. This older issue, if left unpatched, could permit an attacker to execute arbitrary code on an affected system by sending a specially crafted packet.

The third entry is CVE-2021-22025, another SSRF vulnerability, this time affecting various versions of Ivanti Sentry, formerly known as MobileIron Sentry. This security gap, located in the authentication module, could be exploited to gain unauthorized access to sensitive resources.

Mandatory Patching Timeline for U.S. Agencies

In accordance with Binding Operational Directive (BOD) 22-01, all federal civilian executive branch agencies must secure their systems against these vulnerabilities. CISA has set a remediation deadline of May 13, 2024, for these three specific flaws.

The KEV catalog functions as a living list of Common Vulnerabilities and Exposures (CVEs) that have reliable evidence of exploitation in the wild. While the directive legally binds U.S. federal agencies, CISA strongly urges all public and private sector organizations worldwide to review the catalog and prioritize patching the listed vulnerabilities to reduce exposure to cyber attacks.

Background and Broader Implications

CISA’s frequent updates to the KEV catalog highlight the persistent threat posed by known but unpatched software vulnerabilities. Cyber adversaries often scan for and target these weaknesses, knowing that many organizations are slow to apply security updates. The inclusion of these three flaws indicates that threat actors are currently leveraging them in real-world attacks.

The mention of SolarWinds is particularly notable, as the company was at the center of a massive supply chain attack discovered in late 2020. While this newly listed TFTP server flaw is unrelated to that historic Sunburst campaign, it underscores the ongoing scrutiny on the company’s software security.

Similarly, Ivanti products have been under intense focus in 2024 due to a series of critical vulnerabilities being exploited by nation-state and cybercriminal groups. The addition of another Ivanti Sentry flaw to the KEV catalog reinforces the need for vigilant patch management among its user base.

Next Steps and Recommendations

Organizations using the affected versions of Omnissa Workspace One UEM, SolarWinds TFTP Server, or Ivanti Sentry should immediately consult the respective security advisories from the vendors and apply the necessary patches or mitigation steps. System administrators are advised to inventory their networks for these products and prioritize remediation based on CISA’s guidance.

Looking ahead, cybersecurity experts anticipate that CISA will continue to add more vulnerabilities to the KEV catalog as evidence of active exploitation emerges. The agency’s public listing serves as a critical early warning system, and organizations are expected to integrate monitoring of the catalog into their standard vulnerability management processes to keep pace with the evolving threat landscape.
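One way to fold the catalog into routine vulnerability management, as an added example that is not code from the article or from CISA: cross-check a KEV feed against a local product inventory and report the remaining time to each due date. The feed sample and the inventory below are constructed, the JSON field names are an assumption about the layout of CISA’s KEV feed, and the ALIASES table is a hypothetical way to handle the vendor renames the article mentions (VMware to Omnissa, MobileIron to Ivanti).

```python
import json
from datetime import date, datetime

# Constructed sample in the assumed layout of CISA's KEV JSON feed; the three
# entries mirror the flaws and the May 13, 2024 due date from the article.
KEV_FEED_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa",
     "product": "Workspace One UEM", "dueDate": "2024-05-13"},
    {"cveID": "CVE-2017-1673", "vendorProject": "SolarWinds",
     "product": "TFTP Server", "dueDate": "2024-05-13"},
    {"cveID": "CVE-2021-22025", "vendorProject": "Ivanti",
     "product": "Sentry", "dueDate": "2024-05-13"}
  ]
}"""

# Constructed asset inventory; older records still carry the former vendor names.
INVENTORY = [
    {"host": "mdm-01", "vendor": "VMware", "product": "Workspace One UEM"},
    {"host": "gw-02", "vendor": "MobileIron", "product": "Sentry"},
    {"host": "nms-03", "vendor": "SolarWinds", "product": "Orion Platform"},
]
# Hypothetical alias map so renamed vendors still match the catalog entry.
ALIASES = {"vmware": "omnissa", "mobileiron": "ivanti"}


def _norm(name):
    """Lower-case a vendor/product name and resolve known former vendor names."""
    name = name.strip().lower()
    return ALIASES.get(name, name)


def kev_exposure(feed_json, inventory, as_of):
    """Return inventory hosts that match a KEV entry, with days left to the due date."""
    entries = json.loads(feed_json)["vulnerabilities"]
    hits = []
    for asset in inventory:
        for e in entries:
            if _norm(asset["vendor"]) != _norm(e["vendorProject"]):
                continue
            if _norm(asset["product"]) != _norm(e["product"]):
                continue
            due = datetime.strptime(e["dueDate"], "%Y-%m-%d").date()
            hits.append({"host": asset["host"], "cve": e["cveID"],
                         "due": e["dueDate"], "days_left": (due - as_of).days})
    # Most urgent (smallest or negative days_left) first.
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for hit in kev_exposure(KEV_FEED_JSON, INVENTORY, date(2024, 5, 1)):
        print(f"{hit['host']}: {hit['cve']} due {hit['due']} ({hit['days_left']} days left)")
```

Replacing the constructed feed with the live catalog download and the inventory with an export from your asset database turns this into a scheduled check; a negative days_left marks an overdue host.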

Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA)