What happened
CISA added CVE-2021-22054 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-03-09, signaling active exploitation in the wild [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). The flaw is a server-side request forgery (SSRF) in Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM) that allows an actor with network access to the UEM service to send unauthenticated requests through the server [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). CISA sets a remediation due date of 2026-03-23 and directs organizations to apply vendor mitigations or discontinue the product if no fix is available [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
The CVE is classified under CWE-918 (SSRF), a weakness class in which the server is tricked into initiating unintended network requests on behalf of an attacker [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). The MITRE CVE record corroborates the product and vulnerability metadata for tracking and inventory alignment [MITRE](https://cveawg.mitre.org/api/cve/CVE-2021-22054).
Why it matters
KEV inclusion means exploitation is observed or reliably reported, which elevates this from theoretical risk to an immediate operations priority [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). SSRF can turn a single exposed service into a pivot, because the vulnerable server will make attacker-chosen requests to internal or external resources it can reach [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). In a UEM context, an SSRF path could expose sensitive management data if reachable endpoints respond to proxied requests from the UEM server [MITRE](https://cveawg.mitre.org/api/cve/CVE-2021-22054).
CISA’s required action—apply vendor guidance or discontinue if unmitigable, with an explicit remediation deadline—indicates federal urgency and expected operator response [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). That urgency is justified: SSRF frequently bypasses perimeter ACLs by abusing trusted server egress, shrinking detection windows when attackers operate through legitimate infrastructure [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054).
Technical detail
CVE-2021-22054 is an SSRF in Omnissa Workspace ONE UEM that can be triggered by an attacker with network access to the UEM service endpoint [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). The vulnerability permits sending requests “without authentication,” implying the SSRF vector is reachable pre-auth and forwards attacker-controlled URLs through the server [MITRE](https://cveawg.mitre.org/api/cve/CVE-2021-22054). KEV lists the flaw as exploited in the wild and requires prompt mitigation following vendor instructions, or discontinuation of the product where no fix is available [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
By class, CWE-918 SSRF occurs when server-side logic fetches remote resources using attacker-influenced URLs or hosts, effectively turning the application into a blind or semi-blind proxy [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). Consequences commonly include access to internal-only services, metadata endpoints, or admin interfaces reachable from the vulnerable host’s network, depending on routing and ACLs [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). In this CVE, the impact is described as access to sensitive information via the UEM’s server-initiated requests, which aligns with typical SSRF outcomes [MITRE](https://cveawg.mitre.org/api/cve/CVE-2021-22054).
From a detection standpoint, SSRF often manifests as the application server making HTTP(S) requests to attacker-specified destinations, including unexpected internal IP ranges or services not normally contacted by UEM [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). This creates telemetry in outbound firewall logs, proxy logs, or application instrumentation whenever the UEM process egresses to atypical hosts [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054).
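The control that removes this proxy behaviour is to decide, before the server opens a connection, whether the destination is one it is supposed to reach. The block below is an added example and is not Omnissa or Workspace ONE UEM code: the allowlisted hostnames, the offline resolver table and the blocked-range list are constructed for it. It requires https, refuses userinfo in the URL, checks the host against an allowlist, and then checks every address the host resolves to, because a single private record is enough to turn a fetch into an internal request.

```python
"""Allowlist-plus-resolution guard for server-side URL fetches (CWE-918).

Added example, not Omnissa/Workspace ONE UEM code. Hostnames, the resolver
table and the blocked-range list are constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the only hosts this service is allowed to fetch from.
ALLOWED_HOSTS = frozenset({"api.example-partner.test", "files.example-partner.test"})

# Constructed resolver table so the example runs offline. A real deployment
# would use socket.getaddrinfo() and connect to exactly the addresses it checked,
# so a DNS answer cannot change between validation and connection.
FAKE_DNS = {
    "api.example-partner.test": ["203.0.113.10"],
    "files.example-partner.test": ["203.0.113.11", "10.0.0.5"],  # one record points inside
    "intranet.example-corp.test": ["10.20.30.40"],
}

# Ranges the server must never be coaxed into contacting. Listed explicitly so the
# TEST-NET addresses used above as stand-ins for public hosts are not rejected;
# production code should additionally require ipaddress.ip_address(a).is_global.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SsrfBlocked(ValueError):
    """Destination failed the egress policy."""


def is_public_address(addr: str) -> bool:
    """True only if the address lies outside every blocked range (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolver=FAKE_DNS.get):
    """Return (host, addresses) if the URL may be fetched; raise SsrfBlocked otherwise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://allowed-host@real-target/' defeats naive string checks; refuse userinfo outright.
        raise SsrfBlocked("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise SsrfBlocked(f"host not on allowlist: {host!r}")
    addrs = resolver(host) or []
    if not addrs:
        raise SsrfBlocked(f"host did not resolve: {host!r}")
    for addr in addrs:
        # Every answer must be public: a host with one private record is still a pivot.
        if not is_public_address(addr):
            raise SsrfBlocked(f"{host!r} resolves to blocked address {addr}")
    return host, list(addrs)


def egress_decision(url: str):
    """Convenience wrapper returning ('allow', host) or ('block', reason)."""
    try:
        host, _ = validate_outbound_url(url)
        return "allow", host
    except SsrfBlocked as exc:
        return "block", str(exc)


if __name__ == "__main__":
    for candidate in (
        "https://api.example-partner.test/v1/devices",
        "http://api.example-partner.test/v1/devices",
        "https://intranet.example-corp.test/",
        "https://api.example-partner.test@10.0.0.5/",
        "https://files.example-partner.test/report",
        "https://10.0.0.5/",
    ):
        print(candidate, "->", egress_decision(candidate))
```

Two points matter when wiring a guard like this into a real fetcher: connect to the addresses that were checked rather than letting the HTTP client resolve the name a second time, and disable automatic redirect following so that each redirect target goes through the same validation.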
Defense
- Prioritize remediation per KEV: apply vendor mitigations immediately or discontinue use if no mitigation exists, meeting CISA’s 2026-03-23 due date [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
- Validate exposure and versioning against authoritative CVE records before and after patch cycles to ensure your instance is covered [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054).
- Architect for SSRF blast-radius reduction: restrict the UEM server’s egress to only necessary destinations to reduce reachable internal surfaces [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054).
- Instrument detection: alert on UEM-origin outbound connections to internal RFC1918 ranges or abnormal external hosts, since SSRF coerces server-initiated requests [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054).
- Track and report per CISA guidance (BOD 22-01 practices), using KEV entries to drive time-bound remediation SLAs in enterprise change windows [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
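The detection bullet above and the telemetry paragraph in the technical section describe the same signal: the UEM server opening connections to destinations it never normally contacts. The following is an added example, not vendor code and not a real Workspace ONE UEM or firewall log format; the log lines, addresses, baseline and thresholds are constructed. It parses key=value firewall events, skips anything that matches a learned baseline, raises a high-severity finding for any UEM-origin connection to RFC1918 or link-local space and a medium one for a new external host, and adds a summary finding when several unexpected internal destinations appear from one source, which is what a series of proxied attacker-chosen requests looks like from the network.

```python
"""Flag SSRF-like egress from a UEM server in firewall/proxy logs.

Added example, not vendor code. The log format, addresses, baseline and
thresholds below are constructed for the example.
"""
import ipaddress
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", ["severity", "reason", "src", "dst", "dport"])

# Constructed: address of the UEM server whose egress we are watching.
UEM_SOURCES = frozenset({"10.50.1.20"})

# Constructed baseline of (destination, port) pairs the UEM server legitimately
# contacts, learned from a quiet period. Everything else is a deviation.
BASELINE = frozenset({
    ("10.50.1.30", 1433),   # back-end database
    ("172.20.8.5", 8443),   # internal device-services endpoint
    ("203.0.113.40", 443),  # vendor update service (TEST-NET stand-in for a public host)
})

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # cloud metadata services answer here

# Distinct unexpected internal destinations from one source before it counts as a sweep.
SWEEP_THRESHOLD = 3

# Constructed sample: a 'timestamp key=value ...' firewall export.
SAMPLE_LOG = """\
2026-03-10T02:14:07Z action=allow src=10.50.1.20 dst=10.50.1.30 dport=1433 proto=tcp
2026-03-10T02:14:09Z action=allow src=10.50.1.20 dst=172.20.8.5 dport=8443 proto=tcp
2026-03-10T02:14:11Z action=allow src=10.50.1.20 dst=203.0.113.40 dport=443 proto=tcp
2026-03-10T02:15:02Z action=allow src=10.50.1.20 dst=10.50.7.9 dport=80 proto=tcp
2026-03-10T02:15:03Z action=allow src=10.50.1.20 dst=10.50.7.10 dport=80 proto=tcp
2026-03-10T02:15:03Z action=allow src=10.50.1.20 dst=10.50.7.11 dport=80 proto=tcp
2026-03-10T02:15:04Z action=allow src=10.50.1.20 dst=169.254.169.254 dport=80 proto=tcp
2026-03-10T02:15:05Z action=allow src=10.50.1.20 dst=198.51.100.23 dport=8080 proto=tcp
2026-03-10T02:15:06Z action=allow src=10.50.2.99 dst=10.50.7.9 dport=80 proto=tcp
garbage line without fields
""".splitlines()


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    fields = {}
    for token in line.split()[1:]:  # first token is the timestamp
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        fields[key] = value
    if not {"src", "dst", "dport"} <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def classify_destination(dst):
    """'link-local', 'internal' (RFC1918/loopback) or 'external'."""
    ip = ipaddress.ip_address(dst)
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "external"


def detect_ssrf_egress(lines):
    """Return findings for UEM-origin connections that fall outside the baseline."""
    findings = []
    internal_targets = defaultdict(set)  # src -> unexpected internal destinations seen
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] not in UEM_SOURCES:
            continue  # malformed, or not the server we are watching
        if (ev["dst"], ev["dport"]) in BASELINE:
            continue  # known-good destination
        kind = classify_destination(ev["dst"])
        if kind == "link-local":
            findings.append(Finding("high", "UEM server contacted link-local/metadata address",
                                    ev["src"], ev["dst"], ev["dport"]))
            internal_targets[ev["src"]].add(ev["dst"])
        elif kind == "internal":
            findings.append(Finding("high", "UEM server contacted internal host outside baseline",
                                    ev["src"], ev["dst"], ev["dport"]))
            internal_targets[ev["src"]].add(ev["dst"])
        else:
            findings.append(Finding("medium", "UEM server contacted external host outside baseline",
                                    ev["src"], ev["dst"], ev["dport"]))
    for src, targets in internal_targets.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings.append(Finding("critical",
                                    f"{len(targets)} distinct unexpected internal destinations "
                                    "(sweep through proxied requests)", src, "*", 0))
    return findings


if __name__ == "__main__":
    for f in detect_ssrf_egress(SAMPLE_LOG):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The egress restriction in the third bullet and this detection reinforce each other: once the UEM server's allowed destinations are pinned down, a denied connection in the firewall log is itself the alert, and the baseline here shrinks to the permitted set.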
Lyrie Verdict
SSRF turns trusted infrastructure into an attacker’s proxy, enabling machine-to-machine pivots at speeds humans won’t catch in time [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22054). Lyrie fingerprints normal egress and east-west patterns for management-plane services, then automatically flags and isolates servers that begin proxying arbitrary destinations consistent with SSRF behavior [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). For UEM specifically, our autonomous detections clamp outbound attempts to new internal subnets or metadata-like endpoints and enforce kill-switch policies without waiting for analyst triage [MITRE](https://cveawg.mitre.org/api/cve/CVE-2021-22054).