CISA shortens patch deadline for critical Ivanti, SolarWinds bugs

Steven

CISA shortens patch deadline for critical Ivanti, SolarWinds bugs

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has shortened patching deadlines for multiple actively exploited vulnerabilities, including CVE-2025-26399 in SolarWinds Web Help Desk and CVE-2026-1603 in an Ivanti product. Federal civilian agencies were ordered to patch the SolarWinds flaw by Thursday; two other bugs were added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue with two-week deadlines. The SolarWinds issue is the third fix tied to an earlier deserialization vulnerability, and defenders have reported exploitation. Ivanti flaws have reportedly been targeted by attackers — including nation-state actors — through 2025 and into February 2026.

Key Points

  • CISA gave federal civilian agencies an accelerated deadline to patch CVE-2025-26399 affecting SolarWinds Web Help Desk (deadline: Thursday).
  • CVE-2025-26399 is a third iteration of fixes for a deserialization bug first traced back to 2024 and is observed being exploited in the wild.
  • This is the third urgent SolarWinds Web Help Desk patch order in a month; previous orders had four-day and three-day windows.
  • CISA added two more vulnerabilities to its KEV catalogue with two-week patching requirements; most KEV entries usually allow three weeks.
  • One of the added bugs, CVE-2026-1603, affects an Ivanti product and has reportedly been exploited since mid-February.
  • Security research and a Google report indicate Ivanti was repeatedly targeted by Chinese nation-state actors through 2025 with novel zero-days.
  • Shortened KEV deadlines are a strong indicator of active exploitation and elevated risk to agencies and organisations using the affected products.

Content summary

CISA has issued unusually short patching deadlines after reports that multiple vulnerabilities are being actively exploited. The immediate SolarWinds Web Help Desk patch order concerns CVE-2025-26399, the third fix tied to an ongoing deserialization weakness. Previously this month CISA pushed fast patch windows for other SolarWinds flaws. In addition, two more vulnerabilities were added to CISA’s Known Exploited Vulnerabilities list with two-week remediation requirements; one is an Ivanti flaw (CVE-2026-1603) that defenders say has been exploited since February. The moves reflect mounting concern over exploitation by both cybercriminals and nation-state actors, and follow earlier reporting that Ivanti products were repeatedly targeted in 2025.

Context and relevance

Shortened KEV deadlines are reserved for high-risk vulnerabilities with confirmed exploitation; CISA’s actions signal an elevated immediate threat. SolarWinds’ Web Help Desk is widely used across federal agencies, and SolarWinds’ history as a supply-chain target raises the stakes. Ivanti’s tools have been a focus for sophisticated threat actors, making timely patching critical for organisations that use these products. For security teams and IT leaders, this is part of a broader trend: nation-state and criminal actors continue to exploit enterprise IT management tools and software supply chains, prompting urgent incident response and patch management activity.

Why should I read this?

Short version: if you or your organisation runs SolarWinds Web Help Desk or Ivanti products — stop what you’re doing and check your patch status. CISA’s rushed deadlines mean attackers are active now, and delays could lead to breaches. If you’re responsible for patching, triage these before less urgent updates.

Author’s take

Punchy and direct: this isn’t routine patching theatre. Multiple rapid, shortened deadlines from CISA mean the bugs are being weaponised. For defenders this should jump to the top of the to-do list — treat these as de facto zero-day emergencies until proven otherwise.

Source

Source: https://therecord.media/cisa-shortens-patch-deadline-ivanti-solarwinds