3 New Actively Exploited Flaws to Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced on Monday that three new vulnerabilities have been added to its Known Exploited Vulnerabilities (KEV) catalog, confirming that threat actors are actively exploiting these flaws in the wild. The inclusion in the KEV list signals that the agency has concrete evidence of ongoing attacks and urges immediate remediation.

The first vulnerability affects VMware Workspace ONE UEM (formerly Omnisa Workspace ONE UEM), allowing an attacker with network access to send unauthenticated requests to the UEM module and harvest information. The second flaw is a deserialization issue in the Ajax proxy component of SolarWinds Help Desk, which can be leveraged to execute arbitrary commands on the host system. The third vulnerability involves an alternate‑path channel bypass in Ivanti Endpoint Manager, enabling an unauthenticated remote actor to exfiltrate stored credential data.

CISA’s statement underscores that these weaknesses are not theoretical; they have been observed in active campaigns targeting enterprises worldwide. By naming the specific products and attack vectors, the agency provides clear indicators for defenders to prioritize detection and mitigation efforts.

For organizations that deploy any of these solutions, the directive is unequivocal: apply vendor patches immediately, verify that mitigation controls are in place, and monitor for signs of exploitation. Failure to act could result in data breaches, credential theft, and broader operational disruption.