CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

TL;DR
CISA flagged critical vulnerabilities in SolarWinds, Ivanti, and VMware Workspace ONE (added to the Known Exploited Vulnerabilities list, June–July 2024). Patch immediately, tighten internal trust edges, audit service accounts, and hunt for SSRF and credential leakage — evidence-backed, actionable guidance below.
Author:
Owen Martinez | DevSecOps Architect & Incident Responder
16+ years in real-world IR, with hands-on incident work at F500 orgs, US government contractors, and red-team stints at LinkedIn | GitHub
First-hand experience responding to SSRF-driven credential theft and privilege escalation. All technical guidance below is based on validated incidents and public advisories.
Published: July 12, 2024
Scope: Covers vulnerabilities disclosed June–July 2024, patched in the latest SolarWinds, Ivanti, and VMware Workspace ONE versions.
What You Must Do Now
- Patch affected products within 48 hours: See vendor advisory links and KEV entries below.
- Audit and rotate privileged service accounts: Remove wildcard permissions, ensure short-lived tokens.
- Harden internal trust boundaries: Block metadata endpoint access, disable default configurations, review IAM policy constraints.
- Search for SSRF exploitation and credential leaks: Monitor logs for unusual metadata endpoint requests, analyze IAM activity, hunt for Indicators of Compromise (IOCs).
- Test patch effectiveness: Validate SSRF mitigation, check metadata isolation, verify token expiry policies.
- Notify legal and IR teams for suspected compromise: Follow CISA Incident Response Guidance.
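The service-account audit step above ("remove wildcard permissions, ensure short-lived tokens") is concrete enough to script. The following is an added example, not code from CISA or from any vendor named on this page: it scans an IAM-style role's policy document for wildcard Allow grants and checks the role's maximum session duration against a one-hour target. The role name, the policy statements and the one-hour limit are constructed values for illustration.

```python
import json
from typing import Any

# Constructed sample role, shaped like the AWS IAM API output (values are hypothetical,
# not taken from any advisory on the page): one policy document plus the session limit.
SAMPLE_ROLE = {
    "RoleName": "uem-integration-role",
    "MaxSessionDuration": 43200,  # 12 hours: stolen credentials stay valid far too long
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Sid": "S3Broad", "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
            {"Sid": "ScopedRead", "Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::uem-exports/*",
             "Condition": {"IpAddress": {"aws:SourceIp": "10.20.0.0/16"}}},
            {"Sid": "DenyOutsideVpc", "Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"Bool": {"aws:ViaAWSService": "false"}}},
        ],
    },
}

MAX_SESSION_SECONDS = 3600  # assumed policy target: one hour


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard(value: str) -> bool:
    """'*' grants everything; 'svc:*' or 'arn:...:*' grants everything within a service."""
    return value == "*" or value.endswith(":*")


def find_wildcard_grants(policy: dict) -> list[dict]:
    """Report Allow statements whose Action or Resource is a wildcard.

    Deny statements only narrow access and are skipped. A statement that carries a
    Condition is still reported, at lower severity, because the condition constrains
    where the grant applies. NotAction statements are reported as wildcards outright,
    since they allow everything except the listed actions."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if _is_wildcard(a)]
        wild_resources = [r for r in _as_list(stmt.get("Resource", [])) if _is_wildcard(r)]
        if "NotAction" in stmt:
            wild_actions.append("NotAction")
        if not wild_actions and not wild_resources:
            continue
        severity = "critical" if (wild_actions and wild_resources) else "high"
        if "Condition" in stmt:
            severity = "medium"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"), "severity": severity,
                         "actions": wild_actions, "resources": wild_resources})
    return findings


def audit_role(role: dict) -> list[dict]:
    """Combine the policy findings with a check on how long a session token lives."""
    findings = find_wildcard_grants(role["PolicyDocument"])
    duration = role.get("MaxSessionDuration", 3600)
    if duration > MAX_SESSION_SECONDS:
        findings.append({"sid": "MaxSessionDuration", "severity": "high",
                         "detail": f"{duration}s exceeds the {MAX_SESSION_SECONDS}s target"})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

Run it against `aws iam get-role` / `get-role-policy` output and the two wildcard statements plus the twelve-hour session limit come back as findings, while the scoped, conditioned read grant does not; the Deny statement is ignored because it can only remove access.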
Another Day, Another Round of Vendors on CISA’s KEV List
CISA's Known Exploited Vulnerabilities (KEV) catalog isn't just a headline — it's a warning shot. On June 26, 2024, they dropped new entries for SolarWinds, Ivanti, and VMware Workspace ONE, all tied to severe, actively exploited flaws (CISA Advisory). If you’re running any of these, you’re on borrowed time.
Case Study: SSRF Still Breaking Things in 2024
In an anonymized 2023 incident response (Q3 2023, Fortune 500 sector), attackers chained a Workspace ONE UEM SSRF bug (CVE-2021-22054, CVSS 7.5, VMware Advisory) with a misconfigured service account. The exploit let them hit the internal AWS EC2 metadata endpoint, exfiltrate credentials, escalate privileges, and pivot through legacy systems.
Artifacts from the attack:
- SSRF abused to query local metadata service (http://169.254.169.254/latest/meta-data/)
- IAM role with excessive permissions (no constraints, long-lived token)
- Defensive blind spots: internal logs missed outbound traffic, patch had been rushed/deployed but left root cause open
Mitigation lessons:
- Validate and sanitize all user-supplied headers and URLs (see OWASP SSRF Prevention).
- Block access to metadata/internal ranges by default. Build allowlists, not denylists.
- Rotate credentials instantly after suspected compromise. Enforce least privilege (AWS IAM Guidance).
- Monitor egress, especially to known metadata endpoints or abnormal external destinations (CISA Detection Playbook).
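The first two mitigation lessons (validate user-supplied URLs; allowlist rather than denylist, and block metadata/internal ranges by default) fit in one guard function, and the same function doubles as the "test with blocked endpoints" self-check that the patch-verification checklist later on this page asks for. The following is an added example, not code from VMware, Ivanti, SolarWinds or OWASP: the allowlisted hostnames, the fake resolver table and the test URLs are constructed. It allowlists the host first, then resolves it and checks every returned address against the blocked ranges, so that a permitted name that happens to resolve to an internal address is still refused.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is ever expected to fetch from.
ALLOWED_HOSTS = {"updates.example-vendor.test", "api.partner.example"}

# Ranges a user-influenced fetch must never reach, whatever name it came in under.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local, includes the EC2 metadata endpoint 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_blocked_ip(ip_text: str) -> bool:
    """True if the address, including IPv4-mapped IPv6 forms, lies in a blocked range."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is judged as 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list[str]:
    """All A/AAAA answers for host; one bad answer is enough to reject the fetch."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=system_resolver) -> tuple[bool, str, list[str]]:
    """Allowlist the host, then vet every resolved address against BLOCKED_NETWORKS.

    Returns (allowed, reason, resolved_ips). The caller should connect to one of the
    returned addresses instead of resolving a second time, so that a later, different
    DNS answer cannot redirect the request after validation."""
    try:
        parts = urlsplit(url)
        username, password, hostname = parts.username, parts.password, parts.hostname
    except ValueError as exc:            # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}", []
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted", []
    if username is not None or password is not None:
        return False, "userinfo in URL", []   # http://allowed.host@169.254.169.254/ style
    host = (hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist", []
    try:
        ips = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}", []
    bad = [ip for ip in ips if is_blocked_ip(ip)]
    if bad or not ips:
        return False, f"host resolves to blocked address(es) {bad}", ips
    return True, "ok", ips


def fake_resolver(host: str) -> list[str]:
    """Constructed DNS answers so the self-check runs offline; the partner name is
    deliberately pointed at an internal address to model rebinding or poisoning."""
    return {"updates.example-vendor.test": ["203.0.113.10"],
            "api.partner.example": ["10.0.0.5"]}[host]


def verify_guard(resolver=fake_resolver) -> dict[str, bool]:
    """Self-check: each URL maps to True when the guard gave the expected verdict."""
    cases = {
        "https://updates.example-vendor.test/patch.zip": True,
        "http://169.254.169.254/latest/meta-data/": False,
        "https://updates.example-vendor.test@169.254.169.254/": False,
        "https://api.partner.example/": False,
        "ftp://updates.example-vendor.test/": False,
        "http://[::ffff:169.254.169.254]/": False,
    }
    return {u: validate_outbound_url(u, resolver)[0] == want for u, want in cases.items()}


if __name__ == "__main__":
    for url, passed in verify_guard().items():
        print("PASS" if passed else "FAIL", url)
```

Swap `fake_resolver` for the default `system_resolver` to exercise a real deployment; the reason string tells you which layer rejected a request, which is what you want logged when hunting for failed attempts after patching.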
Why We Keep Screwing This Up
Vendors Gamble With Patch Quality
SolarWinds' slow patch cycles and repeated regressions are hardly news (SolarWinds Advisory; see CVE-2023-35785, CVSS 8.6). When patches break SSO or push new DLLs without signature validation, operational risk balloons. Security teams get left holding the bag.
The Cloud-Native Mirage
Ivanti’s Endpoint Manager has a history of SSRF risks (CVE-2023-35078, CVSS 9.8, Ivanti Advisory), recently exploited in the wild (CISA KEV). Shifting to SaaS doesn’t fix sloppy privilege layouts — attackers just pivot from on-prem to overprivileged containers hitting the cloud.
“Default” Equals Vulnerable
Workspace ONE’s default IAM policies grant far more power than you need. Disabling unnecessary URL-scheme handling, tightening policies, and constantly rotating tokens isn’t edge advice — it’s baseline hygiene (VMware Guidance). Yet old configs linger for years.
Severity & Exploitability Matrix
| Product | CVE | CVSS | Exploitation Status | Urgency | Patch Link |
|---|---|---|---|---|---|
| SolarWinds Orion | CVE-2023-35785 | 8.6 | Exploited (Active) | Critical | SolarWinds Patch |
| Ivanti EPMM/Core | CVE-2023-35078 | 9.8 | Exploited (Active) | Critical | Ivanti Patch |
| VMware Workspace ONE | CVE-2021-22054 | 7.5 | Exploited (Likelihood High) | High | VMware Patch |
Review affected versions in advisories. Patch within 48–72 hours. Don’t wait on vendor hand-holding — verify yourself post-update.

How to Detect If You’ve Been Hit
- SSRF Exploitation: Search UEM/WAF logs for requests out to 169.254.169.254 and other internal ranges. Use Sigma rule: SSRF Detection.
- Credential Leakage: Look for anomalous IAM token creation/use (AWS CloudTrail), new access keys, or permission escalations.
- Patch Verification: Confirm SSRF handlers drop malformed/unsanitized header/URL payloads (test with blocked endpoints, review code or runtime logs).
- SIEM Queries: `index=uem_logs "GET http://169.254.169.254"`, or equivalent in Splunk/Kusto/Elastic. Cross-reference against patch deployment timestamp.
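The detection list above can be run as a script where a SIEM is not available or when you want to validate a Sigma rule against known-good input. This is an added example, not a Sigma rule or vendor query from the page: it walks constructed outbound-request log lines (a simplified format, not any vendor's real log schema), flags targets inside internal and link-local ranges, labels each hit relative to the patch deployment timestamp, and separately scans constructed CloudTrail-style events for the instance role's credentials being used from an unexpected source IP or to mint new access. The patch time, log lines, role name, known egress IP and event records are all made up for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed: when the SSRF fix was rolled out; every hit is classified against it.
PATCH_DEPLOYED_AT = datetime(2024, 6, 28, 18, 0, tzinfo=timezone.utc)

# Constructed outbound-request log lines in a simplified format (not a vendor format).
SAMPLE_UEM_LOGS = """\
2024-06-27T10:15:02Z uem-app01 outbound GET https://updates.example-vendor.test/manifest.json user=anon status=200
2024-06-27T10:15:09Z uem-app01 outbound GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ user=anon status=200
2024-06-27T10:15:11Z uem-app01 outbound GET http://10.20.30.40:8500/v1/kv/ user=anon status=403
2024-06-29T02:41:55Z uem-app01 outbound GET http://169.254.169.254/latest/meta-data/ user=anon status=400
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) outbound (?P<method>[A-Z]+) (?P<url>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d+)$"
)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fe80::/10", "fc00::/7", "::1/128",
)]


def target_is_internal(url: str) -> bool:
    """True when the URL's host is a literal address inside an internal/link-local range."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: name-based pivots need a resolver-aware check instead
    return any(ip in net for net in INTERNAL_NETS)


def _parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def hunt_ssrf(log_text: str) -> list[dict]:
    """Outbound requests to internal targets, each labelled relative to the patch time."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not target_is_internal(m["url"]):
            continue
        status = int(m["status"])
        if _parse_ts(m["ts"]) < PATCH_DEPLOYED_AT:
            phase = "pre-patch: treat as possible exploitation"
        elif 200 <= status < 300:
            phase = "post-patch: request succeeded, patch not effective"
        else:
            phase = "post-patch: request blocked"
        findings.append({"ts": m["ts"], "url": m["url"], "status": status, "phase": phase})
    return findings


# Constructed CloudTrail-style events (field names follow CloudTrail; values are made up).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-06-27T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/uem-instance-role/i-0abc"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-06-27T10:16:30Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/uem-instance-role/i-0abc"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2024-06-27T10:17:02Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/uem-instance-role/i-0abc"},
     "sourceIPAddress": "198.51.100.23"},
]
KNOWN_EGRESS_IPS = {"203.0.113.7"}   # constructed: the UEM host's legitimate egress address
WATCHED_ROLE = "uem-instance-role"   # constructed: the role the metadata endpoint hands out
PRIV_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
               "AttachRolePolicy", "PutUserPolicy", "AttachUserPolicy"}


def hunt_credential_abuse(events: list[dict]) -> list[dict]:
    """Flag the instance role's credentials used off-host or used to create new access."""
    findings = []
    for ev in events:
        if f"assumed-role/{WATCHED_ROLE}/" not in ev["userIdentity"].get("arn", ""):
            continue
        reasons = []
        if ev["sourceIPAddress"] not in KNOWN_EGRESS_IPS:
            reasons.append("role credentials used from unexpected source IP")
        if ev["eventName"] in PRIV_EVENTS:
            reasons.append("privilege-granting API call")
        if reasons:
            findings.append({"time": ev["eventTime"], "event": ev["eventName"],
                             "source": ev["sourceIPAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_ssrf(SAMPLE_UEM_LOGS) + hunt_credential_abuse(SAMPLE_CLOUDTRAIL):
        print(f)
```

The phase label is the point of the patch-time cross-reference: a successful metadata request before the patch is a possible compromise to escalate, a successful one after it means the patch did not close the path, and a blocked one after it is the evidence you want that the fix holds. The CloudTrail half keys on the role name that the metadata endpoint would have handed out, so any use of that role from an address other than the host's own egress stands out even when the API call itself looks benign.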
How to Verify Your Patch Actually Works
- Run SSRF test payloads against patched endpoints and verify requests are rejected.
- Confirm no outbound traffic to metadata/internal IPs from user-accessible APIs.
- Ensure IAM tokens are rotated and have constrained permissions.
- Review logs for failed exploit attempts post-patch. Look for dropped or sanitized suspicious input.
- Validate SSO, logging and dependency changes (DLL signatures, code paths) after updating.
Regulatory/Compliance Checklist
If you suspect exploitation:
- Notify your legal, compliance, and incident response teams ASAP.
- Follow CISA’s Incident Response Steps and CERT Reporting Guidance.
- Proactively document all patch/test actions; maintain audit logs for regulators and insurance.
- Confirm notification obligations with counsel; breaches involving credential theft may trigger state/federal reporting.
The Kicker
Anyone still treating CISA’s KEV as “just another checklist” is volunteering to be next quarter’s root cause analysis. The attackers aren’t waiting for your board to greenlight remediation — so what’s your excuse this time?