CVE-2021-22054: Unauthenticated SSRF in Omnissa Workspace ONE UEM Exposes Internal Networks

Affected Product: Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM)
Vulnerability Type: Server-Side Request Forgery (SSRF)
Attack Vector: Network
Authentication Required: None
CISA KEV Patch Deadline: March 23, 2026


Vulnerability Details

CVE-2021-22054 is an unauthenticated server-side request forgery vulnerability in Omnissa Workspace ONE UEM. The flaw allows an attacker with network-level access to the UEM server to craft and submit forged HTTP requests without providing any credentials. The UEM server processes these requests on the attacker's behalf, potentially reaching internal systems that would otherwise be inaccessible from the attacker's network position.

SSRF vulnerabilities of this class are particularly dangerous in enterprise mobility management platforms because UEM servers occupy a privileged position in the network. They communicate with mobile device management backends, internal APIs, Active Directory or LDAP services, cloud infrastructure endpoints, and administrative consoles. An unauthenticated attacker who can reach the UEM's network interface gains the ability to use the server itself as a proxy to probe and interact with those internal resources.

The vulnerability requires no user interaction and no prior authentication, lowering the bar for exploitation. Any attacker with a network path to the UEM administration interface — whether through a misconfigured perimeter, a compromised network segment, or direct internal access — can attempt to exploit this flaw.


Real-World Impact

Exploitation of CVE-2021-22054 can produce several concrete outcomes:

Internal network reconnaissance: An attacker can use the vulnerable UEM instance to scan internal IP ranges and hostnames, mapping services that are not directly exposed externally. This provides targeting intelligence for follow-on attacks.

Sensitive data exfiltration: Forged requests can retrieve responses from internal services — configuration files, API tokens, cloud metadata endpoints (such as the AWS Instance Metadata Service at 169.254.169.254), or credentials stored in backend systems. Organizations running Workspace ONE UEM in cloud environments face elevated risk from metadata service abuse.

Lateral movement and pivot: Because Workspace ONE UEM maintains active connections to directory services, device management backends, and potentially cloud management planes, a successful SSRF exploit gives an attacker a pivot point into those systems without directly compromising any of them.

Compliance and regulatory exposure: UEM platforms manage endpoint configurations, certificates, and credentials across enterprise device fleets. Unauthorized access to the data these systems can reach may trigger breach notification obligations under HIPAA, PCI-DSS, or GDPR depending on what internal resources the forged requests touch.

CISA has added CVE-2021-22054 to its Known Exploited Vulnerabilities catalog and mandates that federal civilian executive branch agencies remediate this vulnerability by March 23, 2026. The KEV listing indicates the vulnerability has been exploited in the wild, not merely demonstrated in research environments.


Affected Versions

All Workspace ONE UEM deployments should be treated as potentially affected until the installed version is confirmed against Omnissa's official security advisory. Organizations that migrated from VMware Workspace ONE UEM branding to Omnissa following Broadcom's divestiture of the product line should verify patch status under the current vendor's advisory portal.


Patching and Mitigation Guidance

Primary action — Apply vendor patches immediately. Obtain the applicable update from Omnissa's security advisory for CVE-2021-22054 and deploy it across all Workspace ONE UEM instances. Prioritize internet-facing or perimeter-adjacent deployments first, then address internally hosted instances.

Network access restriction. If patching cannot be completed immediately, restrict network access to the UEM administration interfaces using firewall rules or network segmentation. Limit inbound access to known administrative source IPs only. Do not expose UEM management ports to the public internet.

Outbound connection monitoring. Configure monitoring on UEM servers to alert on outbound connections to unexpected internal IP ranges, cloud metadata service addresses (169.254.169.254, fd00:ec2::254), or internal hostnames the UEM server does not normally contact. Anomalous outbound traffic from the UEM host is a primary indicator of SSRF exploitation.

Log review. Audit UEM server logs for unauthenticated request patterns. Look for requests that do not carry valid session tokens, requests targeting internal RFC 1918 addresses, and requests to cloud metadata endpoints. Establish a baseline of normal UEM outbound connection behavior to make anomalies detectable.

Threat hunt for prior exploitation. Given the CISA KEV designation, assume this vulnerability may have been exploited in your environment before patching. Review historical network flow data and UEM logs for indicators consistent with SSRF abuse — particularly requests to internal services that originated from the UEM server process rather than expected administrative systems.

Contact Omnissa support if guidance specific to your UEM version or deployment architecture is needed.