Ivanti: The Gift That Keeps on Giving (CVE-2026-1603)
- Patrick Duggan
- Mar 11
- 4 min read
# Three Vendors Walk Into a KEV Catalog
On March 9, 2026, CISA added three actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog in a single update:
- **CVE-2026-1603** — Ivanti Endpoint Manager authentication bypass (CVSS 8.6)
- **CVE-2025-26399** — SolarWinds Web Help Desk deserialization (CVSS 9.8)
- **CVE-2021-22054** — Omnissa Workspace One UEM server-side request forgery (CVSS 7.5)
One of those CVEs is from 2021. Five years old. Still being exploited. Still in production. Still nobody's problem until CISA made it a federal deadline.
But the star of this week's show is Ivanti. Again.
# The Vulnerability
CVE-2026-1603 is an authentication bypass in Ivanti Endpoint Manager — the software that manages every device in your fleet. The flaw exists in the web-based management interfaces of EPM versions prior to 2024 SU5.
Here's what makes it special:
An attacker sends a crafted request to a reachable EPM core server. The server, due to inconsistent authentication enforcement across its APIs, treats the request as authenticated. No credentials needed. No user account. No local access. Just network reachability and a malformed header.
The server responds by handing over stored credential data. Domain-level accounts. Service credentials. The keys to every managed endpoint in your organization.
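The mechanism described above, "inconsistent authentication enforcement across its APIs", is a bug class, not an Ivanti-specific quirk: when each handler is responsible for its own check, the one handler nobody remembered is reachable by anyone who can route a packet to it. The following is an added illustration in a toy dispatcher. It is not Ivanti's code, it does not reproduce CVE-2026-1603's request format, and the route names and the bearer-token check are made up for the example. It contrasts per-handler checks with a default-deny dispatcher and ends with the test a practitioner actually wants: sweep every route with no credentials and see what answers 2xx.

```python
"""Added example: authentication enforced per-handler vs. at one choke point.
Toy dispatcher; not Ivanti code, and not CVE-2026-1603's real request format.
Route paths and the 'Bearer valid-session' token are made-up placeholders."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

Handler = Callable[[Request], str]

def is_authenticated(req: Request) -> bool:
    # Toy check; a real server validates a signed session token.
    return req.headers.get("Authorization") == "Bearer valid-session"

# --- Before: every handler does its own auth check -------------------------
def list_devices(req: Request) -> str:
    if not is_authenticated(req):
        return "401"
    return "200 devices"

def export_stored_credentials(req: Request) -> str:
    # The check was never added here, so reachability == authorisation.
    return "200 credentials"

PER_HANDLER_ROUTES: Dict[str, Handler] = {
    "/api/devices": list_devices,
    "/api/credentials/export": export_stored_credentials,
}

def dispatch_per_handler(req: Request) -> str:
    handler = PER_HANDLER_ROUTES.get(req.path)
    return handler(req) if handler else "404"

# --- After: default deny in the dispatcher, public paths allow-listed ------
PUBLIC_PATHS = {"/health"}  # the only paths that may answer unauthenticated

def health(req: Request) -> str:
    return "200 ok"

def devices(req: Request) -> str:
    return "200 devices"

def credentials(req: Request) -> str:
    return "200 credentials"

ROUTES: Dict[str, Handler] = {
    "/health": health,
    "/api/devices": devices,
    "/api/credentials/export": credentials,
}

def dispatch_default_deny(req: Request) -> str:
    handler = ROUTES.get(req.path)
    if handler is None:
        return "404"
    if req.path not in PUBLIC_PATHS and not is_authenticated(req):
        return "401"  # enforced once, before any handler runs
    return handler(req)

# --- The check: hit every known route with no credentials -----------------
def unauthenticated_reachable(dispatch: Handler, paths: Iterable[str]) -> List[str]:
    """Paths that answer 2xx to a request carrying no credentials. Run it over
    the route table (or a staging instance) after every release; anything
    listed that is not on the public allow-list is an authentication bypass."""
    reachable = []
    for path in paths:
        if dispatch(Request(path=path, headers={})).startswith("2"):
            reachable.append(path)
    return reachable

if __name__ == "__main__":
    print("per-handler:", unauthenticated_reachable(dispatch_per_handler, PER_HANDLER_ROUTES))
    print("default-deny:", unauthenticated_reachable(dispatch_default_deny, ROUTES))
```

The per-handler table reports `/api/credentials/export` as reachable without credentials; the default-deny table reports only `/health`, which is on the allow-list by design. The sweep is cheap enough to run in CI, and it is the same test an attacker runs against your exposed core server.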
Defused Cyber documented active exploitation attempts originating from **103.69.224.98**. Ivanti says they're "not aware of any customers being exploited." Strictly, both can be true at once: observed attempts, including against honeypots, are not confirmed compromises. But the attempts show the request format is already in attackers' hands, and "not aware" describes Ivanti's visibility, not your exposure.
# 700 Sitting Ducks
Over 700 Ivanti EPM instances are internet-facing right now. Every one of them still below 2024 SU5 is an unauthenticated credential dispensary for anyone who knows the request format.
The patch — EPM 2024 SU5 — has been available since February 2026. The CISA federal deadline for remediation is March 23, 2026. That gives agencies 12 more days to patch a vulnerability that requires zero authentication to exploit.
Twelve days. No credentials required. Seven hundred exposed instances.
That math doesn't work.
# Ivanti's Greatest Hits
If CVE-2026-1603 sounds familiar, it's because Ivanti Endpoint Manager has been on this stage before:
**2024**: CISA added three EPM vulnerabilities to the KEV catalog after confirming active exploitation. The pattern was the same — patch available, exploitation in the wild, federal agencies scrambling.
**December 2025**: Ivanti disclosed CVE-2025-10573, a CVSS 9.6 unauthenticated stored XSS that allowed admin session hijacking. Nine-point-six.
**Also December 2025**: Thirteen additional vulnerabilities disclosed in EPM — two high-severity RCE flaws and eleven SQL injection bugs. Thirteen. In one update.
**February 2026**: SU5 released to fix CVE-2026-1602 (SQL injection, 6.5) and CVE-2026-1603 (auth bypass, 8.6).
That's at least 19 disclosed vulnerabilities across 15 months, including multiple critical and high-severity bugs, multiple instances of active exploitation, and multiple CISA KEV additions.
At what point does the product become the vulnerability?
# The SolarWinds Encore
CVE-2025-26399 deserves its own paragraph. SolarWinds Web Help Desk — the IT service management platform — has a deserialization flaw in its AjaxProxy component. CVSS 9.8. The Warlock ransomware crew is actively exploiting it. Microsoft and Huntress have both documented the threat actor activity.
SolarWinds. In 2026. Still getting popped through deserialization bugs.
The CISA deadline for this one is **March 12** — tomorrow. If you're running Web Help Desk and you haven't patched, Warlock already has your ticket system.
# The Five-Year-Old Bug
CVE-2021-22054 is an SSRF vulnerability in Omnissa Workspace One UEM (formerly VMware). It was disclosed in 2021. CISA just added it to the KEV catalog in March 2026 because GreyNoise flagged it as part of a coordinated SSRF campaign.
Five years. The vulnerability is old enough to start kindergarten. And someone is still using it to punch through networks because organizations never patched.
This is why threat feeds exist. Not because the vulnerabilities are hard to find. Because organizations are slow to act and attackers are not.
# What the STIX Feed Would Have Done
A DugganUSA STIX feed subscriber would have had:
**Within hours of the CISA KEV update:**
- CVE-2026-1603 mapped to Ivanti EPM with affected version ranges
- CVE-2025-26399 mapped to SolarWinds Web Help Desk with Warlock attribution
- CVE-2021-22054 flagged as actively exploited SSRF with GreyNoise correlation
- Exploitation IP **103.69.224.98** as an indicator of compromise
- MITRE ATT&CK mappings: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts — via stolen credentials)
**What you'd do with that data:**
If your firewall (OPNsense, Palo Alto) or your SIEM ingests STIX/TAXII, you'd have:
1. Blocked 103.69.224.98 at the firewall before exploitation attempts from it reached your EPM instance. A single source IP is a tripwire, not a fix: the actor can move, so the block buys you detection, not immunity.
2. Triggered an asset inventory scan for Ivanti EPM versions below 2024 SU5
3. Escalated patching priority based on active exploitation confirmation — not just CVSS score
4. Cross-referenced your SolarWinds Web Help Desk version against the Warlock campaign IOCs
Instead, most teams will read about this on Friday. After the deadline passes. After Warlock has moved to the next target.
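What "ingesting STIX/TAXII" means in practice is a small amount of glue: pull the bundle, pick out the indicators you can enforce (IP addresses), pick out the vulnerability objects you can prioritise (CVE IDs), and run the IPs back through your logs. The block below is an added example, not DugganUSA's feed code or any vendor's integration. The bundle, its object UUIDs, the access-log lines and the paths in them are constructed for illustration; only the three CVE IDs and the one IP come from this article. It also handles two feed edge cases the paragraph does not mention: revoked indicators, and an indicator that carries a private address, which must never be pushed to a perimeter blocklist.

```python
"""Added example, not DugganUSA's feed code or any vendor's: consume a STIX 2.1
bundle of the kind the section describes, pull block-worthy IPs and CVE IDs out
of it, and sweep log lines for the IP. Bundle, object UUIDs, log lines and the
paths in them are constructed; only the three CVE IDs and the IP are the page's."""
import ipaddress
import json
import re
from typing import Dict, Iterable, List, Set

TS = "2026-03-09T18:00:00.000Z"  # constructed timestamp reused for every object

def _indicator(n: int, name: str, pattern: str, revoked: bool = False) -> Dict:
    # Minimal STIX 2.1 indicator with a placeholder (non-random) UUID.
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "created": TS, "modified": TS, "name": name,
           "pattern": pattern, "pattern_type": "stix", "valid_from": TS}
    if revoked:
        obj["revoked"] = True
    return obj

def _vulnerability(n: int, cve: str) -> Dict:
    # Minimal STIX 2.1 vulnerability object carrying a CVE external reference.
    return {"type": "vulnerability", "spec_version": "2.1",
            "id": f"vulnerability--00000000-0000-4000-8000-{n:012d}",
            "created": TS, "modified": TS, "name": cve,
            "external_references": [{"source_name": "cve", "external_id": cve}]}

# Constructed bundle: one live indicator, one revoked, one that leaked an
# internal address, and the three CVEs from the KEV update.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "CVE-2026-1603 exploitation source", "[ipv4-addr:value = '103.69.224.98']"),
        _indicator(2, "Withdrawn indicator", "[ipv4-addr:value = '198.51.100.7']", revoked=True),
        _indicator(3, "Mis-shared internal address", "[ipv4-addr:value = '10.0.0.5']"),
        _vulnerability(4, "CVE-2026-1603"),
        _vulnerability(5, "CVE-2025-26399"),
        _vulnerability(6, "CVE-2021-22054"),
    ],
})

IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def load_bundle(text: str) -> List[Dict]:
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return bundle.get("objects", [])

def extract_block_ips(objects: Iterable[Dict]) -> Set[str]:
    """IPv4 values from live STIX-pattern indicators, minus anything that must
    never reach a perimeter blocklist (private, reserved, loopback ranges)."""
    ips: Set[str] = set()
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # sigma/snort/yara indicators are not blocklist material
        for raw in IPV4_IN_PATTERN.findall(obj.get("pattern", "")):
            try:
                ip = ipaddress.IPv4Address(raw)
            except ValueError:
                continue  # malformed feed value: skip it, don't crash the sync
            if ip.is_global:
                ips.add(str(ip))
    return ips

def extract_cves(objects: Iterable[Dict]) -> Set[str]:
    """CVE IDs from vulnerability objects' external_references."""
    cves: Set[str] = set()
    for obj in objects:
        if obj.get("type") != "vulnerability":
            continue
        for ref in obj.get("external_references", []):
            ext = ref.get("external_id", "")
            if ref.get("source_name") == "cve" and CVE_ID.fullmatch(ext):
                cves.add(ext)
    return cves

# Constructed access-log lines: timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2026-03-10T02:14:07Z 203.0.113.5 GET /health 200
2026-03-10T02:14:09Z 103.69.224.98 POST /api 200
2026-03-10T02:15:11Z 198.51.100.23 GET /login 200
"""

def sweep_log(lines: Iterable[str], block_ips: Set[str]) -> List[str]:
    """Retro-hunt: the lines whose client IP (second field) is on the blocklist."""
    return [ln for ln in lines if len(ln.split()) > 1 and ln.split()[1] in block_ips]

if __name__ == "__main__":
    objs = load_bundle(SAMPLE_BUNDLE)
    ips = extract_block_ips(objs)
    print("CVEs to prioritise:", sorted(extract_cves(objs)))
    print("IPs to block:", sorted(ips))
    for hit in sweep_log(SAMPLE_LOG.splitlines(), ips):
        print("HIT:", hit)
```

Against the constructed bundle this yields one blockable IP (the revoked indicator and the 10.0.0.5 entry are dropped), the three CVE IDs for the patch queue, and one log hit. The `is_global` filter matters: feeds do occasionally carry an analyst's own lab address, and a blanket import would turn that into a self-inflicted outage. Feed the resulting IP set to a firewall alias or URL table rather than hand-writing rules, so it can be re-synced when indicators are revoked.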
# The IOCs
| Indicator | Type | Context |
|-----------|------|---------|
| CVE-2026-1603 | Vulnerability | Ivanti EPM auth bypass, CVSS 8.6 |
| CVE-2025-26399 | Vulnerability | SolarWinds WHD deserialization, CVSS 9.8 |
| CVE-2021-22054 | Vulnerability | Workspace One SSRF, CVSS 7.5 |
| 103.69.224.98 | IP Address | Active CVE-2026-1603 exploitation |
| Warlock | Threat Actor | Exploiting SolarWinds WHD |
| Ivanti EPM < 2024 SU5 | Vulnerable Software | Auth bypass, credential theft |
| SolarWinds WHD (unpatched) | Vulnerable Software | Deserialization RCE |
# What To Do Right Now
1. **Ivanti EPM users**: Update to 2024 SU5 immediately. If you can't patch today, restrict core server access to internal admin networks. Rotate all high-privilege credentials stored in EPM, especially domain-level accounts; if the core server was internet-reachable while unpatched, assume they were read.
2. **SolarWinds WHD users**: CISA deadline is tomorrow (March 12). Patch or isolate. The Warlock crew is actively exploiting unpatched instances.
3. **Workspace One UEM users**: Yes, the CVE is from 2021. No, that doesn't mean you patched it. Check.
4. **Block 103.69.224.98** at your firewall (it's a bare IP, so there's nothing to block at DNS), and search historical logs for connections from it.
5. **Subscribe to a threat feed** that moves faster than CISA's Tuesday announcements. Our STIX endpoint delivers IOCs within hours of disclosure, not days.
STIX endpoint: `https://analytics.dugganusa.com/api/v1/stix-feed`
*Three vendors. Three CVEs. One of them five years old. The gift that keeps on giving.*
*DugganUSA LLC — Minneapolis, MN*
*1,004,712 IOCs and counting.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*