
VMware Workspace ONE UEM SSRF Vulnerability CVE-2021-22054


Summary

CISA has added CVE-2021-22054, a Server-Side Request Forgery (SSRF) vulnerability in the VMware Workspace ONE UEM console, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability may allow a malicious actor with network access to the console to gain access to sensitive information without authenticating.

What changed

CISA has added CVE-2021-22054 to its Known Exploited Vulnerabilities (KEV) catalog, identifying it as a Server-Side Request Forgery (SSRF) vulnerability in specific versions of the VMware Workspace ONE UEM console. The affected versions are 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37. Successful exploitation allows a malicious actor with network access to UEM to send requests without authentication and potentially gain access to sensitive information.

Organizations using the affected VMware Workspace ONE UEM console versions are strongly advised to review CISA's KEV catalog and the provided VMware security advisory. Prompt patching or mitigation is critical to prevent exploitation. Failure to address this vulnerability could lead to unauthorized access to sensitive data and further compromise of the IT environment.

What to do next

  1. Review CISA's Known Exploited Vulnerabilities (KEV) catalog for CVE-2021-22054.
  2. Apply necessary patches or mitigations to affected VMware Workspace ONE UEM console versions as per VMware's security advisory VMSA-2021-0029.
  3. Assess potential impact and implement additional security controls if patching is not immediately feasible.
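To make step 2 repeatable across an estate, the version ranges in the record can be turned into a check. The following Python script is an added example, not code from this page, CISA, or VMware: it compares UEM console version strings against the fixed builds the CVE record names. The hostnames and inventory are constructed sample data, and 22.6.0.5 is a hypothetical version used only to show a branch the record does not mention; such versions are reported as "not listed" rather than assumed safe, because the record says nothing about them.

```python
"""Version check for CVE-2021-22054 (VMware Workspace ONE UEM console SSRF).

Added example: compares UEM console version strings against the fixed builds
named in the CVE record. Hostnames and inventory are constructed sample data;
22.6.0.5 is a hypothetical version used only to show the 'not listed' case.
"""
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected branch -> first fixed build on that branch, as listed in the CVE record.
FIXED_BUILDS: Dict[Tuple[int, int, int], Version] = {
    (20, 0, 8): (20, 0, 8, 37),
    (20, 11, 0): (20, 11, 0, 40),
    (21, 2, 0): (21, 2, 0, 27),
    (21, 5, 0): (21, 5, 0, 37),
}


def parse_version(text: str) -> Version:
    """Parse 'a.b.c' or 'a.b.c.d' into a 4-tuple; a missing build number counts as 0."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised UEM console version: {text!r}")
    nums = [int(p) for p in parts]
    return (nums[0], nums[1], nums[2], nums[3] if len(nums) == 4 else 0)


def assess(version: str) -> Optional[bool]:
    """True: affected build on a listed branch.
    False: build at or above the fixed build on a listed branch.
    None: branch not named in the record, so the record says nothing about it."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:3])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, which is exactly how build numbers order.
    return v < fixed


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair to 'affected', 'fixed' or 'not listed'."""
    labels = {True: "affected", False: "fixed", None: "not listed"}
    return {host: labels[assess(ver)] for host, ver in inventory}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("uem-prod-01", "20.0.8.36"),
    ("uem-prod-02", "20.0.8.37"),
    ("uem-dr-01", "21.2.0.26"),
    ("uem-lab-01", "21.5.0"),
    ("uem-new-01", "22.6.0.5"),  # hypothetical version on a branch the record does not list
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "not listed" should be checked against the VMware advisory (VMSA-2021-0029) directly rather than treated as patched; the script only encodes what the CVE record states.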

Source document (simplified)

Required CVE Record Information

CNA: VMware by Broadcom

Description

VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.

Product Status

Versions (1 total)

Default Status: unknown

affected

  • affected at VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37.

References (1 total)

CVE Program

Updated:

2024-08-03

This container includes required additional information provided by the CVE Program for this vulnerability.


Authorized Data Publishers


CISA-ADP

Updated:

2026-03-11

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC (1 total)

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2021-12-20 |

KEV (1 total)

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22054 (2026-03-09)

CWE (1 total)

- CWE-918: Server-Side Request Forgery (SSRF)

CVSS (1 total)

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 7.5 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various Federal Agencies
Compliance deadline
March 9th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies
Geographic scope
National (US)

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Vulnerability Management Software Security
