What happened
The Cybersecurity and Infrastructure Security Agency (CISA) shortened patch deadlines for multiple actively exploited vulnerabilities affecting SolarWinds Web Help Desk and an Ivanti product after adding them to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian agencies were ordered to patch CVE-2025-26399, a critical vulnerability in SolarWinds Web Help Desk, by Thursday. The flaw, first discovered by Trend Micro’s Zero Day Initiative, has been repeatedly patched and is reportedly being exploited in the wild. CISA also added two additional vulnerabilities to the KEV list, including CVE-2026-1603 affecting an Ivanti product that defenders say has been exploited since mid-February. The agency typically provides agencies three weeks to apply patches but shortened the timeline in this case due to active exploitation risks.Â
Who is affected
Federal civilian agencies using SolarWinds Web Help Desk and Ivanti products are directly affected, as they must apply patches within the shortened deadlines mandated by CISA.Â
Why CISOs should care
The shortened deadlines signal heightened concern from CISA that the vulnerabilities may be actively targeted, particularly given previous cyber incidents involving SolarWinds software and repeated exploitation of Ivanti products by threat actors.Â
3 practical actions
- Apply patches for SolarWinds Web Help Desk immediately. Agencies were given a shortened deadline to remediate CVE-2025-26399.Â
- Update vulnerable Ivanti systems. Address CVE-2026-1603 and related vulnerabilities added to the KEV catalog.Â
- Review KEV catalog remediation timelines. Monitor CISA directives when patch deadlines are shortened due to active exploitation.
The patch directive comes as the U.S. cybersecurity leadership landscape evolves following the Senate confirmation of Joshua Rudd to lead the NSA and U.S. Cyber Command.