CVE-2021-22054, an unauthenticated SSRF in Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM), has been added to the CISA KEV catalog with a remediation deadline of 2026-03-23, confirming active in-the-wild exploitation even though the vulnerability dates to 2021. With an EPSS score placing it in the 99.9th percentile and a public Nuclei detection template lowering the barrier to exploitation, any organization running an unpatched, network-accessible UEM console is at immediate risk of internal network enumeration and lateral movement into managed device infrastructure. Patches have been available since the original disclosure; a console that is still unpatched at this stage is a critical remediation failure and requires immediate escalation.