PatchSiren

CVE-2021-22054 Omnissa CVE debrief

CVE-2021-22054 is a server-side request forgery (SSRF) issue associated with Omnissa Workspace ONE UEM. In the supplied corpus, CISA added it to the Known Exploited Vulnerabilities catalog on 2026-03-09 and set a remediation due date of 2026-03-23. Because CISA classifies it as a KEV item, defenders should treat it as time-sensitive and follow the vendor and CISA remediation guidance provided in the source record.

Vendor: Omnissa
Product: Workspace One UEM
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-03-09
Original CVE updated: 2026-03-09
Advisory published: 2026-03-09
Advisory updated: 2026-03-09

Who should care

Security, platform, and application teams responsible for Omnissa Workspace ONE UEM deployments; cloud-service operators; and incident responders tracking CISA KEV items.

Technical summary

The supplied source item identifies CVE-2021-22054 as an SSRF affecting Omnissa Workspace ONE UEM. CISA’s KEV entry directs defenders to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The corpus does not provide a CVSS score or further technical breakdown, so this debrief is limited to the KEV designation and remediation guidance.

Defensive priority

Urgent

Recommended defensive actions

  • Confirm whether Omnissa Workspace ONE UEM is deployed in your environment and map all affected instances.
  • Apply vendor-provided mitigations and validate that they are in place.
  • If the service is cloud-based, follow the applicable CISA BOD 22-01 guidance.
  • If mitigations are unavailable or cannot be validated, discontinue use of the product or remove exposure as directed by CISA.
  • Track remediation against the KEV due date in the supplied corpus: 2026-03-23.

Evidence notes

The source corpus contains a CISA KEV machine-readable entry for CVE-2021-22054 with vendorProject=Omnissa, product=Workspace One UEM, vulnerabilityName=Omnissa Workspace ONE Server-Side Request Forgery, dateAdded=2026-03-09, dueDate=2026-03-23, and requiredAction text pointing to vendor mitigations, BOD 22-01 guidance for cloud services, or discontinuation if mitigations are unavailable. The metadata also references an archived VMware security advisory and the NVD detail page, but the corpus does not include a CVSS score or additional exploit details.
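One way to track the KEV due date against an asset inventory, as an added example that is not part of the original debrief or of any CISA or vendor tooling. The KEV record is constructed from the field values quoted above; the inventory, hostnames and the "mitigated" flag are hypothetical.

```python
from datetime import date

# Constructed KEV-style record using only the field values quoted in this debrief.
KEV_ENTRY = {
    "cveID": "CVE-2021-22054",
    "vendorProject": "Omnissa",
    "product": "Workspace One UEM",
    "vulnerabilityName": "Omnissa Workspace ONE Server-Side Request Forgery",
    "dateAdded": "2026-03-09",
    "dueDate": "2026-03-23",
}

# Constructed inventory: hostnames, product strings and "mitigated" are hypothetical.
INVENTORY = [
    {"host": "uem-console-01.example.internal", "product": "Workspace ONE UEM", "mitigated": True},
    {"host": "uem-ds-02.example.internal", "product": "workspace  one uem", "mitigated": False},
    {"host": "mail-gw-01.example.internal", "product": "Mail Gateway", "mitigated": True},
]

def normalize(name):
    """Case- and whitespace-insensitive key, so the KEV spelling
    'Workspace One UEM' still matches 'Workspace ONE UEM' in a CMDB."""
    return " ".join(name.lower().split())

def remediation_status(entry, inventory, today):
    """Return one row per affected asset with its status against the KEV due date."""
    due = date.fromisoformat(entry["dueDate"])
    days_left = (due - today).days  # negative once the due date has passed
    rows = []
    for asset in inventory:
        if normalize(asset["product"]) != normalize(entry["product"]):
            continue  # asset does not run the listed product
        if asset["mitigated"]:
            status = "mitigated"
        elif days_left < 0:
            status = "overdue"
        else:
            status = "open"
        rows.append({"host": asset["host"], "cve": entry["cveID"],
                     "status": status, "days_left": days_left})
    return rows

if __name__ == "__main__":
    # Fixed "today" so the output is reproducible.
    for row in remediation_status(KEV_ENTRY, INVENTORY, date(2026, 3, 16)):
        print(row)
```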

Official resources

This debrief is based only on the supplied source corpus and official record links. It avoids exploit instructions, proof-of-concept details, and unsupported claims. Dates and KEV timing reflect the provided CVE/source metadata.