CISA shortens patch deadline for critical Ivanti, SolarWinds bugs

Federal agencies will have significantly less time than usual to patch three different vulnerabilities following reports that they are being exploited by cybercriminals and nation-state actors. 

The Cybersecurity and Infrastructure Security Agency (CISA) gave all federal civilian agencies until Thursday to patch CVE-2025-26399 — a critical vulnerability impacting the popular SolarWinds Web Help Desk, an IT service management platform used by many government agencies to handle ticketing, asset tracking and other tasks. The tool is used to centralize IT support operations.

The bug was discovered by Trend Micro’s Zero Day Initiative in September and researchers have warned since then that it is being exploited. 

Several cybersecurity experts said the issue can be traced back to a vulnerability discovered in 2024. CVE-2025-26399 is the third fix for that bug. 

“In its third iteration of patching, only time will tell whether or not this flaw is in attackers' crosshairs and will see exploitation,” Scott Caveza, senior staff research engineer at Tenable, said in September. 

This is the third time in the last month that CISA has ordered all federal civilian agencies to immediately patch a vulnerability affecting the SolarWinds Web Help Desk tool. 

In early February, CISA gave federal agencies only four days to patch another vulnerability affecting it. Two weeks later, federal agencies were given a three-day deadline to patch another bug in the software. 

SolarWinds software is used by dozens of federal agencies and was previously targeted by Russian hackers as part of one of the largest nation-state attacks in U.S. history. 

In addition to CVE-2025-26399, CISA added two other vulnerabilities to its catalog of exploited bugs on Monday — both of which have to be patched by federal agencies within two weeks. Nearly all of the vulnerabilities added to the Known Exploited Vulnerabilities catalog are given a three-week patch deadline and the date has only been shortened in rare circumstances.

One of the bugs — CVE-2026-1603 affecting a product from IT company Ivanti — has allegedly been exploited since the middle of February, according to cybersecurity defenders. A Google report on zero-day vulnerabilities found Chinese nation-state attackers repeatedly targeted Ivanti throughout 2025 with novel bugs used to breach Ivanti tools.