Patch. Repeat. Pray nobody sneaks in before you do. That’s cybersecurity for you lately—and this week, there’s no reprieve. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), never one to let a bleak headline slip by, has flagged three vulnerabilities so actively exploited it might as well have pinned a "Kick Me" sign to the backs of organizations using SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace ONE UEM. If you thought security appliance vendors had learned their lessons, well, prepare for some strategic disappointment.
SolarWinds Web Help Desk: Deja Vu, or Just Inevitable?
Here’s the scene: SolarWinds, that same vendor whose supply chain hack headlined for months, is back in the news. CVE-2025-26399, a critical flaw clocking in with a CVSS of 9.8, lets an attacker execute arbitrary system commands through the AjaxProxy component. According to CISA, Microsoft, and Huntress, threat actors—allegedly buddies from the Warlock ransomware group—have already been exploiting vulnerable installations for initial network access. This isn’t some theoretical risk cooked up by a security vendor looking to sell more blinky boxes. It’s happening. Right now.
SolarWinds did the bare minimum in September 2025, shoving out a hotfix. CISA, with the dry urgency of a dentist reminding you to floss, has told federal agencies: Patch by March 12, 2026. Meanwhile, you—the unlucky admin reading this—are left to scramble, hoping your systems didn’t just become an easy payday for cybercriminals who probably didn’t even break a sweat.
Ivanti Endpoint Manager: When Authentication is Optional…For Attackers
Next on the chopping block, Ivanti Endpoint Manager and CVE-2026-1603. This one lets remote unauthenticated attackers siphon off credential data. Simple as that—if you've got the product exposed online and missed the February 2026 patch, your environment’s security is less “locked down” and more “pick your hat, we’re going to Vegas.”
It’s remarkable: For years, security practitioners have begged vendors to stop reusing authentication code like it was grandma’s banana bread recipe. Here we are, 2026, and attackers barely need to bother with login screens. The only real surprise is that exploitation details aren’t public yet—give it a week. Threat actors aren’t known for their patience or ethics, but they are excellent at sharing.
Workspace ONE UEM: The Renamed Target
VMware—or rather Omnissa, if you’re still keeping track after all the rebrands—makes its appearance with CVE-2021-22054. This server-side request forgery (SSRF) flaw is vintage: reported in 2021, identified as actively exploited in 2025, and still somehow scoring only a 7.5 on the CVSS scale. Funny how the numbers never fully capture how miserable an SSRF can make your week.
Attackers with network access can poke around internal resources and possibly exfiltrate sensitive data with no real need for authentication. GreyNoise flagged this vulnerability as being targeted in a broader campaign. If you’re running Workspace ONE UEM and still haven’t patched—surely you like living dangerously, or maybe you really believe security through obscurity works. (It doesn’t.)
Why Does This Keep Happening?
Let’s be real: This isn’t about bad luck, a single uncaught zero-day, or even just slow patch management. It’s systemic rot. Time and again, widely deployed enterprise software ships with flaws so glaring the only surprising thing is how long it takes for attackers to make use of them. You might expect more from vendors who charge five figures for “support.” You’d probably also expect unicorns to win the Kentucky Derby.
The root causes? Take your pick: rushed code reviews, pressure to ship before the next competitor leapfrogs, or legacy features quietly rusting in the codebase. There’s also the convenient amnesia of incident response teams who “definitely patched everything last time,” yet always seem shocked when a script kiddie torches their help desk server.
Patch. Monitor. Repeat. (And Hope?)
CISA, ever the practical messenger, urges organizations to actually apply patches, monitor their systems, strengthen access controls, and—don’t forget—update the incident response playbooks none of us are ever quite proud to run in real time. Maybe this will sound familiar:
- Immediate Patch Application: Download, test, and deploy the latest fixes. If you’re waiting for a "better time," so are the attackers.
- System Monitoring: Set alerts for odd access patterns or privilege escalation attempts. Assume trouble is already inside the gates.
- Access Controls: Don’t let old accounts linger or let everyone from engineering to marketing have admin rights "just in case."
- Incident Response: Rehearse like your next bonus depends on it—because it probably does.
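The first item on that list is easier to act on when CISA's Known Exploited Vulnerabilities (KEV) feed is cross-checked against your own inventory. The script below is an added example, not code from CISA or from this post: it uses a constructed sample in the shape of the real KEV JSON feed (the field names are CISA's; the March 12, 2026 due date is the one quoted above, the other two due dates are placeholders) and a constructed asset list, and reports every unpatched host together with whether CISA's deadline has already passed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the SolarWinds due date comes from the post; the other two are PLACEHOLDERS.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "dueDate": "2026-03-12", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager",
     "dueDate": "2026-03-31", "knownRansomwareCampaignUse": "Unknown"},   # placeholder date
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa", "product": "Workspace ONE UEM",
     "dueDate": "2026-03-31", "knownRansomwareCampaignUse": "Unknown"},   # placeholder date
]})

# Constructed asset inventory: hostname, product name as it appears in the KEV feed,
# and the set of CVE IDs whose vendor fix has already been applied on that host.
INVENTORY = [
    {"name": "whd-01", "product": "Web Help Desk", "patched": set()},
    {"name": "epm-01", "product": "Endpoint Manager", "patched": {"CVE-2026-1603"}},
    {"name": "uem-01", "product": "Workspace ONE UEM", "patched": set()},
]


def triage(kev_json: str, inventory: list, today: date) -> list:
    """Return sorted (hostname, cveID, status) tuples for every KEV entry that an
    unpatched host in the inventory is exposed to. status is 'OVERDUE' once CISA's
    due date has passed, otherwise 'DUE <date>'; entries CISA ties to ransomware
    campaigns get a '(ransomware)' suffix so they sort to the top of the work list."""
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for host in inventory:
        for entry in entries:
            if entry["product"] != host["product"] or entry["cveID"] in host["patched"]:
                continue  # different product, or this host already has the fix
            due = date.fromisoformat(entry["dueDate"])
            status = "OVERDUE" if today > due else f"DUE {due.isoformat()}"
            if entry.get("knownRansomwareCampaignUse") == "Known":
                status += " (ransomware)"
            findings.append((host["name"], entry["cveID"], status))
    return sorted(findings)


if __name__ == "__main__":
    # Run "the day after" the SolarWinds deadline to show the OVERDUE path.
    for name, cve, status in triage(KEV_SAMPLE, INVENTORY, date(2026, 3, 13)):
        print(f"{name:8} {cve:16} {status}")
```

Point it at the live feed and your CMDB export and the same loop becomes a daily report; epm-01 drops out of the output because its fix is recorded as applied.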
In other words, yes, do all the stuff every security team’s been preaching since the 00s. It’s either that or write a nice note to your new ransomware operators, apologizing for making it too easy.
Where Does That Leave You?
If you’re an enterprise running any of these products, you have two options: pretend it’s not your problem, or burn a weekend chasing down patches and hoping nothing important breaks. The first choice is easier—until the headlines involve your brand and the clean-up costs cut into bonuses for years.
It’s easy to blame software vendors, and they deserve a fair share of it. But the bottom line is grimly egalitarian—attackers don’t care who you blame. They care about opportunity, and right now, the door’s still wide open in far too many places.
Patching isn’t glamorous, and neither is responding to incidents. But ignoring these CISA warnings? That’s practically inviting disaster. So turn off the notifications and fix your stuff—before someone else makes the decision for you.