Exploits using legitimate tools
On February 9 2026, Bleeping Computer revealed that attackers were exploiting critical vulnerabilities in SolarWinds Web Help Desk (WHD) to gain unauthenticated remote-code execution . Two flaws – CVE-2025-40551 and CVE-2025-26399 – allowed remote attackers to run arbitrary code without logging in. Once inside, the intruders deployed legitimate administration tools, they installed Zoho ManageEngine Assist for remote access, opened Cloudflare tunnels for persistence and used Velociraptor, a digital-forensics tool, as their command-and-control channel. Because these tools are signed and widely used, the attackers blended into normal IT activity. The campaign began around January 16, just days after SolarWinds published patches, and involved at least three organizations .
The involvement of SolarWinds evokes memories of the 2020 supply-chain breach. The WHD exploitation reinforces that attackers will keep probing widely used tools for weaknesses and will strike quickly when a flaw appears, especially when they can hide behind legitimate software.
Other cases were documented where Velociraptor was abused to open tunnels to attacker servers , highlighting a broader trend, adversaries leverage legitimate DFIR or remote-management software to blend in. This makes timely remediation not just detection, imperative.
Understanding the vulnerabilities
SolarWinds WHD is a ticketing and asset-management system used by IT teams worldwide. In late January 2026, SolarWinds disclosed several critical vulnerabilities. Security vendors noteed that two of them allow unauthenticated RCE via unsafe deserialization, while others bypass authentication.Version 2026.1 patches all known flaws. CISA added CVE-2025-40551 to its Known Exploited list on February 3 2026, and by February 7 active exploitation was observed. Unauthenticated RCE means that simply exposing WHD to the Internet gives attackers control, once an exploit runs, they can deploy legitimate remote-management tools and pivot deeper into the network without detection.
Lessons from SolarWinds, the remediation gap
The WHD exploitation is not just about one vendor, it exposes the remediation gap that affects vulnerability management overall. Traditional workflows prioritize detection, scanners generate thousands of findings and tickets. Remediation is a separate process requiring approvals and change windows, so patches may take weeks. Mean time to remediate stretches to 60–120 days, while attackers weaponize new vulnerabilities within days. Because most organizations rely on multiple tools for scanning and patching, vulnerabilities in smaller applications persist and become easy entry points.
This gap is rooted in how vulnerability management evolved. Early scanners were praised for comprehensiveness, flooding teams with thousands of findings while patching remained manual and slow. The result was a backlog that aged in ticket queues. Third-party software compounded the problem because each program had its own update mechanism .
Vicarius and the remediation-first philosophy
Vicarius approaches the problem from the opposite direction, start with remediation and build detection around it. The vRx platform unifies discovery, prioritization and remediation within a single workflow , eliminating the handoff to separate patch-management tools.
Instead of generating long lists and expecting manual fixes, vRx treats remediation as the core function. It discovers vulnerabilities, determines their risk and fixes them through automated patches, configuration scripts or protective controls when vendor patches are unavailable.
Three ways to fix vulnerabilities
Native patching automates deployment of vendor patches across more than 10,000 operating systems and third-party applications. Scripting addresses exposures that require configuration changes or custom remediation. Patchless Protection provides temporary shielding when a patch is unavailable, reducing exploitability until it can be safely applied.
Intelligent prioritization and scalability
Because no organization can fix every vulnerability at once, vRx uses contextual intelligence to decide what to address first. The platform considers CVSS severity, EPSS exploitation likelihood, KEV status and asset criticality. A critical flaw on an Internet-facing production server outranks the same flaw on an isolated development host. This reduces the noise that plagues legacy scanners.
vRx is also built for multi-tenant environments, managed service providers can manage multiple clients from a single interface while maintaining data separation and automate routine tasks across many customers. A compliance engine tracks alignment with frameworks like CIS and PCI DSS and more.
Organizations adopting this model report significant reductions in mean time to remediate and patch-management workload .
Unified remediation also simplifies compliance. Modern frameworks such as PCI DSS, HIPAA and CIS Controls require vulnerability awareness and evidence of timely remediation. When discovery, prioritization and remediation happen in the same system, audit reports are generated automatically, the platform knows when a vulnerability was found, what action was taken, and when it was completed. This reduces administrative overhead for security teams and demonstrates to regulators and insurers that the organization is actively closing exposures.
Organizations report dramatic reductions in mean time to remediate and a significant drop in manual effort , freeing teams to focus on strategic projects.
Critical reflections and forward-looking ideas
The WHD incident shows that patching alone is necessary but not sufficient. Even after upgrading to version 2026.1, administrators were advised to restrict WHD’s internet exposure and reset credentials. Attackers had abused an outdated Velociraptor version, reminding us that defenders must secure the entire application ecosystem, including remote-management agents and DFIR tools. Adversaries increasingly rely on signed software like Zoho Assist, Cloudflare tunneling and Velociraptor to avoid detection, antivirus solutions rarely flag these installations. A remediation platform should therefore monitor for unexpected deployments of legitimate tools, enforce policies that block unauthorized software and quickly restore disabled security services.
Time is shrinking between disclosure and exploitation. In the WHD case, active attacks were observed within about ten days of disclosure. Organizations cannot wait for monthly patch windows, continuous remediation is essential. By applying patches as soon as they are validated and using patchless protection when a vendor fix is unavailable or delayed, defenders narrow the window of exposure. Eliminating the handoff between security and IT is equally important. When the same platform identifies a vulnerable WHD installation and can deploy the necessary update, delays disappear. Patchless protection also provides immediate mitigation for zero-day flaws, reducing risk while waiting for a permanent fix.
Final thoughts: the real measure of security
The SolarWinds WHD exploitation is a reminder that security is measured by vulnerabilities removed, not vulnerabilities found. Attackers weaponized a newly disclosed flaw within ten days and used legitimate tools to hide in plain sight. Traditional vulnerability management, which emphasizes detection and reporting, leaves organizations exposed because it fails to ensure timely fixes. The remediation gap is the space in which attackers operate.
Vicarius’s remediation-first approach offers a blueprint for closing that gap. By unifying discovery, prioritization and remediation, automating patches across thousands of applications, providing scripting for complex fixes and patchless protection when patches are unavailable, and prioritizing based on actual risk, vRx turns vulnerability management into vulnerability elimination. Real-world results, dramatic reductions in mean time to remediate and operational overhead, show that this is more than theory. It is a practical path toward resilience.
The next time a zero-day flaw is disclosed, the critical question will not be “Do we see it?” but “How fast can we fix it?”. The future belongs to those who answer that question with speed and confidence.
