Remediation deadlines for SolarWinds, Ivanti bugs expedited by CISA

The Cybersecurity and Infrastructure Security Agency has set shortened deadlines for remediating a trio of security flaws following active exploitation by state-backed threat actors and other cybercrime groups, reports The Record, a news site by cybersecurity firm Recorded Future.

Federal civilian executive branch agencies have been ordered to address the critical SolarWinds Help Desk platform bug, tracked as CVE-2025-26399, by Thursday. Such an issue, which was initially reported by Trend Micro's Zero Day Initiative in September, has been traced to a 2024 security weakness, making this the third patch attempt for the same underlying issue. CISA also urged patching of the Ivanti Endpoint Manager vulnerability, tracked as CVE-2026-1603, and another software defect within two weeks, rather than the three-week standard window.

Threat actors were noted to have weaponized the Ivanti EPM bug since mid-February. Such a development comes after FCEBs were sought by CISA to fix two SolarWinds vulnerabilities within a four- and three-day period last month.