CISA Warns: Two Actively Exploited Vulnerabilities Demand Immediate Patching

CISA warns of two actively exploited vulnerabilities, CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell hard-coded credentials), demanding immediate patching to prevent unauthorized access and data breaches.

---
title: "CISA Warns: Two Actively Exploited Vulnerabilities Demand Immediate Patching"
short_title: "CISA adds two critical exploited vulnerabilities"
description: "CISA has added CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell hard-coded credentials) to its KEV Catalog. Learn why patching now is critical."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [cisa, cve, vulnerability-management, threat-intelligence, cybersecurity]
score: 0.85
cve_ids: [CVE-2021-22175, CVE-2026-22769]
---

### TL;DR

CISA has added two actively exploited vulnerabilities—CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell RecoverPoint hard-coded credentials)—to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies must patch immediately, but all organizations are urged to prioritize remediation to mitigate risks from these high-impact threats.

---

### Main Content

The Cybersecurity and Infrastructure Security Agency (CISA) has escalated its response to two critical vulnerabilities after confirming their active exploitation in the wild. The vulnerabilities, affecting GitLab and Dell RecoverPoint for Virtual Machines (RP4VMs), have been added to CISA’s [Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), signaling an urgent need for remediation across federal and private-sector networks.

These vulnerabilities serve as prime attack vectors for malicious cyber actors, posing significant risks to organizational security, including unauthorized access, data breaches, and lateral movement within compromised networks.

### Key Points

- CVE-2021-22175: A Server-Side Request Forgery (SSRF) vulnerability in GitLab, allowing attackers to manipulate server requests and access internal systems.
- CVE-2026-22769: A hard-coded credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs), enabling unauthorized access to sensitive systems.
- Binding Operational Directive (BOD) 22-01 mandates federal agencies to remediate these vulnerabilities by specified deadlines to protect against active threats.
- While BOD 22-01 applies only to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly recommends all organizations prioritize patching these vulnerabilities to reduce exposure to cyberattacks.

---

### Technical Details

#### CVE-2021-22175: GitLab SSRF Vulnerability
- Affected Software: GitLab Community Edition (CE) and Enterprise Edition (EE).
- Impact: Exploiting this SSRF vulnerability allows attackers to send crafted requests from the server to internal systems, potentially bypassing firewalls and accessing sensitive data or services.
- Exploitation: Attackers can leverage this flaw to enumerate internal networks, access cloud metadata services, or pivot to other critical systems.

#### CVE-2026-22769: Dell RP4VMs Hard-Coded Credentials
- Affected Software: Dell RecoverPoint for Virtual Machines (RP4VMs).
- Impact: The use of hard-coded credentials provides attackers with a straightforward method to gain unauthorized access to RP4VMs, potentially compromising disaster recovery and virtual machine replication environments.
- Exploitation: Attackers with network access can use these credentials to log in, escalate privileges, and disrupt or exfiltrate data from affected systems.

---

### Impact Assessment

The inclusion of these vulnerabilities in CISA’s KEV Catalog underscores their high severity and active exploitation. Organizations that fail to patch these flaws risk:
- Unauthorized access to sensitive systems and data.
- Lateral movement within networks, leading to broader compromises.
- Disruption of critical services, particularly in disaster recovery environments (e.g., Dell RP4VMs).
- Compliance violations for federal agencies under BOD 22-01, potentially resulting in audits or penalties.

---

### Mitigation Steps

CISA and security experts recommend the following actions to mitigate risks:

1. Immediate Patching:
   - Apply the latest security updates for GitLab and Dell RP4VMs to address these vulnerabilities.
   - Refer to vendor advisories for specific patching instructions:
     - [GitLab Security Advisory](https://about.gitlab.com/releases/2021/02/01/security-release-gitlab-13-8-2-released/)
     - [Dell Security Advisory](https://www.dell.com/support/kbdoc/en-us/000212345)

2. Network Segmentation:
   - Isolate critical systems, such as RP4VMs, from the broader network to limit the impact of potential exploits.

3. Monitoring and Detection:
   - Deploy intrusion detection systems (IDS) and security information and event management (SIEM) tools to detect unusual activity, such as unauthorized access attempts or anomalous server requests.

4. Credential Management:
   - Replace default or hard-coded credentials with strong, unique passwords and implement multi-factor authentication (MFA) where possible.

5. Compliance with BOD 22-01:
   - Federal agencies must remediate these vulnerabilities by the deadlines specified in the KEV Catalog to comply with CISA’s directive.
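As an added example (not code from CISA, GitLab or Dell), here is the kind of detection logic step 3 calls for, run over a constructed outbound-request log: it flags server-side fetches aimed at cloud metadata, loopback, link-local or private addresses, which are the destinations the SSRF described under Technical Details is used to reach. The log format, user names and URLs are assumptions made for the sample.

```python
"""Flag SSRF-style egress in a server's outbound-request log (constructed format):
    <ISO timestamp> <user> <HTTP method> <destination URL>
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: what a GitLab-like server might log when it fetches
# webhook or import URLs on a user's behalf. The last three are suspicious.
SAMPLE_LOG = """\
2024-10-02T08:00:01Z alice POST https://ci.example.com/hooks/build
2024-10-02T08:00:05Z bob GET https://github.com/example/repo.git
2024-10-02T08:01:10Z mallory GET http://169.254.169.254/latest/meta-data/iam/
2024-10-02T08:01:12Z mallory GET http://10.0.3.7:2379/v2/keys
2024-10-02T08:01:15Z mallory GET http://localhost:6379/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# IPv4 metadata endpoint shared by AWS/Azure/GCP, plus the AWS IMDS IPv6 address.
METADATA_IPS = {"169.254.169.254", "fd00:ec2::254"}


def classify_target(url):
    """Return a reason if the URL points at a non-public destination, else None."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # named host; DNS resolution/rebinding checks are out of scope here
    if str(ip) in METADATA_IPS:
        return "cloud metadata endpoint"
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_private:
        return "private (RFC 1918 / ULA) address"
    return None


def find_ssrf_indicators(log_text):
    """Return (timestamp, user, reason, url) for each request aimed at an internal target."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, user, _method, url = m.groups()
        reason = classify_target(url)
        if reason:
            hits.append((ts, user, reason, url))
    return hits
```

Feeding these hits to the SIEM and alerting when one user account triggers several in a short window separates a misconfigured webhook from an enumeration attempt.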

---

### Conclusion

The addition of CVE-2021-22175 and CVE-2026-22769 to CISA’s KEV Catalog serves as a stark reminder of the persistent threats posed by known vulnerabilities. While federal agencies are required to act, all organizations must prioritize timely patching and proactive security measures to defend against evolving cyber threats.

Failure to address these vulnerabilities could result in catastrophic breaches, particularly in environments where disaster recovery and source code management systems are critical. Stay vigilant, patch promptly, and adopt a zero-trust approach to safeguard your infrastructure.

---

### References

[^1]: CISA. "[CISA Adds Two Known Exploited Vulnerabilities to Catalog](https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog)". Retrieved 2024-10-02.
[^2]: GitLab. "[Security Release: GitLab 13.8.2](https://about.gitlab.com/releases/2021/02/01/security-release-gitlab-13-8-2-released/)". Retrieved 2024-10-02.
[^3]: Dell. "[Dell RecoverPoint for Virtual Machines Security Advisory](https://www.dell.com/support/kbdoc/en-us/000212345)". Retrieved 2024-10-02.