<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/chris-goettl/rss" /><link>https://www.ivanti.com/blog/authors/chris-goettl</link><item><guid isPermaLink="false">f8cfc685-7ce1-4b20-ad54-5de5267a9cc0</guid><link>https://www.ivanti.com/blog/patch-apocalypse</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Security</category><category>Artificial Intelligence</category><title>We’re in a Patch Apocalypse. That Means These Three IT Excuses Won’t Work Anymore.</title><description>&lt;p&gt;On April 7, Anthropic announced that its Claude Mythos Preview model had autonomously identified thousands of high- and critical-severity zero-day vulnerabilities across every major operating system and every major web browser. Over 99% of them were unpatched the day of disclosure.&lt;/p&gt;

&lt;p&gt;Two weeks later, on April 21, Mozilla said it had used the same model to find and patch 271 vulnerabilities in the latest Firefox release. Mozilla's own assessment: "So far we've found no category or complexity of vulnerability that humans can find that this model can't."&lt;/p&gt;

&lt;p&gt;271 is the first wave. Chrome, Edge, Windows, macOS, Linux, FreeBSD — the 17-year-old remote code execution flaw in FreeBSD that Anthropic's red team disclosed (CVE-2026-4747) is an early example of what's coming. Every vendor under Anthropic's Project Glasswing umbrella is positioned to ship fixes at a tempo the industry hasn't seen before. All those fixes become public CVEs with patches available, which lands them in the same place: your environment.&lt;/p&gt;

&lt;p&gt;The containment story also has a crack. On April 21, &lt;a href="https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users" rel="noopener" target="_blank"&gt;Bloomberg reported&lt;/a&gt; that a Discord-linked group gained unauthorized access to Mythos through a third-party vendor environment. Anthropic says the activity didn't extend beyond that vendor. Whether or not similar capability is already in attacker hands, the defensive runway is shorter than the April 7 announcement implied.&lt;/p&gt;

&lt;p&gt;Mythos entered a world already trending this way. &lt;a href="https://www.crowdstrike.com/en-us/global-threat-report/" rel="noopener" target="_blank"&gt;CrowdStrike's 2026 Global Threat Report&lt;/a&gt; documented an 89% year-over-year rise in AI-enabled attacks in 2025. That trend line predates Mythos.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Call this a patch apocalypse&lt;/strong&gt;. The plain operational kind, where the volume and cadence of public CVEs with available patches is about to outrun how most IT and security teams currently work.&lt;/p&gt;

&lt;p&gt;NIST is already feeling the effects of the patch apocalypse. In April, the agency announced a major shift in National Vulnerability Database (NVD) operations in response to a 263% surge in submissions. NIST will no longer provide detailed enrichment for all submitted vulnerabilities, and will instead provide it only for vulnerabilities that meet high-risk criteria, such as those in the CISA Known Exploited Vulnerabilities catalog or those affecting critical government software. NIST will rely on CVE Numbering Authorities (CNAs), like Ivanti, rather than performing its own independent assessment.&lt;/p&gt;

&lt;p&gt;I've been hearing three versions of the same response from customers and peers since the announcement. All three are variations of a program designed for a slower world.&lt;/p&gt;

&lt;h2 id="toc_1"&gt;“We have a vulnerability scanner”&lt;/h2&gt;

&lt;p&gt;Qualys, Rapid7 and Tenable do vulnerability discovery well. Scanners find, flag, score and list. Deployment, verification, reboot handling and rollback are outside their scope. That work still has to happen somewhere. In most programs it happens in a separate tool, with a separate team, on a separate cadence.&lt;/p&gt;

&lt;p&gt;With the exploit window now running in hours and the Glasswing queue about to double the backlog, a scanner that produces 587 critical vulnerabilities and hands the list to a human team is a liability. The practical move is to connect the scanner you already own to a remediation engine that can act on its findings automatically: an &lt;a href="https://www.ivanti.com/autonomous-endpoint-management"&gt;autonomous endpoint management&lt;/a&gt; (AEM) platform with ring-based deployment and rollback, plus vulnerability intelligence that provides risk-based context for remediation decisions, so the list shrinks without humans making every decision.&lt;/p&gt;

&lt;h2 id="toc_2"&gt;“We drive approvals through our ticketing system”&lt;/h2&gt;

&lt;p&gt;Speaking of humans having to make decisions… Long linear approval processes are going to slow the remediation process significantly. When is the last time you had to decide whether you were going to deploy the latest OS or browser update?&lt;/p&gt;

&lt;p&gt;Organizations already know they are going to deploy these updates. Often the approval process exists because of complex internal politics and misalignment on security outcomes. The end result is a very linear process: the vulnerability scanner previously mentioned, an analyst approving what you already know needs to be done, tickets going out to business owners for approval and sitting in inboxes, and ultimately valuable time wasted on a decision that was already well understood and did not need to be made.&lt;/p&gt;

&lt;p&gt;The market shift to &lt;a href="https://www.ivanti.com/exposure-management"&gt;Exposure Management&lt;/a&gt; approaches this process very differently, by focusing on defining an organization's risk appetite and monitoring its risk posture. Next time a Windows OS update releases, you already know you will deploy it, the schedule you will deploy it on, and the SLA and compliance metrics you will measure success by. What you really want to know is:&lt;/p&gt;

&lt;p&gt;1. Do I need to move faster because the update includes known exploited vulnerabilities?&lt;/p&gt;

&lt;p&gt;Or&lt;/p&gt;

&lt;p&gt;2. Is the update impacting operations, so we need to slow down (good thing the Autonomous Endpoint Management platform includes ring deployment with rollback)?&lt;/p&gt;

&lt;h2 id="toc_3"&gt;“We have Intune”&lt;/h2&gt;

&lt;p&gt;Microsoft Intune has two scope limits that matter here.&lt;/p&gt;

&lt;p&gt;First, it only manages devices enrolled with it. Unenrolled and unmanaged endpoints — servers, contractor laptops, shadow IT, neglected edge devices — sit outside its visibility entirely. During periods of increased vulnerability volume, those blind spots multiply faster than teams can handle manually.&lt;/p&gt;

&lt;p&gt;Second, while Intune simplifies application deployment and updates, its third-party application coverage and prioritization depth are narrower than most administrators realize. Intune can tell you &lt;em&gt;what’s out of date&lt;/em&gt;, but not &lt;em&gt;what actually increases your exposure&lt;/em&gt;, which forces teams to patch everything reactively, or to rely on guesswork when time is scarce.&lt;/p&gt;

&lt;p&gt;Most enterprise environments aren’t exclusively Windows, fully enrolled, or running a small, homogeneous app stack. When vulnerability disclosures spike, routine patching leaves gaps and turns into systemic risk.&lt;/p&gt;

&lt;p&gt;Keep Intune. Pair it with a discovery and remediation layer that finds the assets Intune can't see, prioritizes the vulnerabilities that matter most, and applies patches with confidence across the applications Intune doesn’t cover.&lt;/p&gt;

&lt;h2 id="toc_4"&gt;What to do about it&lt;/h2&gt;

&lt;p&gt;Automation is the operating model. It has to be built into the workflow.&lt;/p&gt;

&lt;p&gt;Practitioners have known the principle for a while. It shows up in three places:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Continuous triage.&lt;/strong&gt; Known exploited vulnerabilities can follow a zero-day response track, especially in less secure parts of the organization like end-user systems. Above that, designate specific applications, such as browsers and telecommunication apps, for a priority track that is checked weekly or even daily. Everything else can wait for the regular maintenance window to come around.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Ring deployment with automated rollback.&lt;/strong&gt; Test ring, early-adopter ring, broad production, mission-critical. The sequence is boring and it works for most maintenance. What's changed is that certain updates will need to compress to fit the exploit window instead of waiting for your monthly maintenance. The test ring has to be automated and instrumented — a human checklist can't move that fast.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Closed-loop verification.&lt;/strong&gt; The patch isn't deployed until it's verified installed on the endpoint, and the CVE isn't closed until a rescan confirms it. Most teams skip that step, which is why compliance evidence becomes a fire drill the week before the audit. That's why we shipped continuous compliance in our platform this week — so compliance evidence is produced continuously and automatically as patches deploy, with automation handling the prioritization decisions most teams don't have bandwidth for.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Mozilla's 271 Firefox vulnerabilities are a preview. Every major software vendor under Glasswing is about to start fixing more vulnerabilities at an accelerated pace, and attackers with the same class of capability will be looking for exactly those openings whenever they gain access to a model like it. The resulting AI arms race will have a direct effect on the number and frequency of updates that organizations will have to remediate. Automation is what carries a program through. Teams still doing monthly-only patching are in for a rough stretch.&lt;/p&gt;

&lt;p&gt;If you run an IT or security program, the self-assessment is worth doing now. Take the last critical patch you pushed out and time it from CVE publication to verified install on the last endpoint. Even better: if a zero-day came out on a Friday, would you be able to remediate it by Monday? If that number is measured in weeks, the patch apocalypse is going to find you.&lt;/p&gt;
</description><pubDate>Wed, 29 Apr 2026 14:00:07 Z</pubDate></item><item><guid isPermaLink="false">1c8ff1fb-4b1f-4f6d-93a5-1e1eb9619ac2</guid><link>https://www.ivanti.com/blog/april-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>April 2026 Patch Tuesday</title><description>&lt;p&gt;The lead-up to Patch Tuesday has been interesting. We had a Google Chrome zero-day (CVE-2026-5281) that was patched on April 1, an Adobe Acrobat Reader zero-day (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) late in the day on Friday April 10, and several older CVEs that were added to the CISA KEV list yesterday (&lt;a href="https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;April 13&lt;/a&gt;). All of this amidst a lot of industry buzz about Anthropic Mythos and &lt;a href="https://www.anthropic.com/glasswing" rel="noopener" target="_blank"&gt;Project Glasswing&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;What is the correlation between these events and Project Glasswing, you ask? Most of the discussions around Mythos have been focused on where it will be used and the ramifications.&lt;/p&gt;

&lt;p&gt;Finding exploitable flaws in code can be a powerful tool for good when used by the vendor writing the code before it is released. However, it will also be used by researchers and threat actors to find flaws in code that is already released and that is where my speculation is directed.&lt;/p&gt;

&lt;p&gt;Consider the knock-on effects of a massive model like Mythos and what it will mean near term and longer term for the software that companies consume. Near term, you will have the big players using a solution like this to release more secure code. As researchers and threat actors adopt more robust AI models to identify exploitable flaws, this will result in more coordinated disclosures (good), zero-day exploits (bad) and n-day exploits (bad). All of this will result in more frequent and, more importantly, more urgent software updates.&lt;/p&gt;

&lt;p&gt;Many organizations currently struggle to keep up with priority updates resolving exploited vulnerabilities when they occur outside of their normal monthly maintenance. I suspect most organizations were not aware of the Adobe Acrobat zero-day exploit until the CISA KEV update yesterday. This means that threat actors had another 2-3 days of free rein to exploit CVE-2026-34621 before most organizations became aware, and many of those organizations will likely handle the update as part of their regular maintenance, which starts today on Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Browser security updates are a weekly occurrence. Many other applications that users rely on regularly release updates on a continuous cadence, not on a set monthly release date. This means many of the user-targeted exploits are going to occur in software that releases outside of the average organization's maintenance schedule, and that frequency is about to increase. It is hard to say if that increase is going to be 1.5x or 5x, but rest assured that the increase will be noticeable and will exacerbate a challenge that most organizations already struggle with – timely patch management.&lt;/p&gt;

&lt;p&gt;Enter Exposure Management. This is really a mindset and maturity change as much as a technology evolution. The mindset change requires us to consider a world where we need to make the decisions up front and monitor those decisions. This is called defining your Risk Appetite and monitoring your Risk Posture. Doing this effectively matures an organization's response to risks and makes remediation activities much more clear cut.&lt;/p&gt;

&lt;p&gt;The technology evolution requires the traditional vulnerability assessment technologies to integrate into a broader ecosystem where asset visibility or system of record comes together with vulnerability assessment and vulnerability intelligence solutions to refine when risks require more immediate action vs waiting for your regular maintenance activities to occur. Most important is the need for this tech stack to be integrated with your AEM (Autonomous Endpoint Management) platform as this is where remediation predominantly (and automatically) occurs.&lt;/p&gt;

&lt;p&gt;Now, back to our regularly scheduled Patch Tuesday update. Microsoft has resolved 169 CVEs this month, which is a massive Patch Tuesday lineup. April Patch Tuesday is the second-largest Patch Tuesday on record, behind the October 2025 Patch Tuesday, which resolved 175 CVEs. The lineup includes one zero-day exploit (CVE-2026-32201) and one public disclosure (CVE-2026-33825) and breaks down into 8 Critical, 156 Important, 3 Moderate and 1 Low severity.&lt;/p&gt;

&lt;p&gt;The zero-day CVE is in Microsoft SharePoint and the public disclosure is in Microsoft Defender making those two updates the most urgent for this month in addition to the Adobe Acrobat and Google Chrome updates leading up to Patch Tuesday.&lt;/p&gt;

&lt;h2&gt;Microsoft’s known exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Server Spoofing Vulnerability in Microsoft SharePoint (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.5, but it has been confirmed to be exploited in the wild. An attacker who successfully exploits this vulnerability can view sensitive information and make changes to the disclosed information. The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege Vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825" rel="noopener" target="_blank"&gt;CVE-2026-33825&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but has been publicly disclosed. The CVE lists exploit code maturity as Proof-of-Concept, which puts this at a higher risk of exploitation. An authorized attacker could use this vulnerability to elevate their privileges to SYSTEM on the local machine.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for April. The update affects Ivanti Neurons for ITSM and resolves two CVEs. More details and information about mitigations can be found in the&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/april-2026-security-update"&gt;April Security Advisory&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released twelve updates this month: eleven released on Patch Tuesday, plus the zero-day update for Acrobat that released on Friday, April 10. 54 CVEs were resolved, with a breakdown of 39 Critical, 13 Important and 2 Moderate. APSB26-43 resolved the zero-day exploit (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;).&lt;/p&gt;

&lt;h2&gt;April update to-do list&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe Acrobat (&lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb26-43.html" rel="noopener" target="_blank"&gt;CVE-2026-34621&lt;/a&gt;) and Google Chrome (CVE-2026-5281) each had zero-day exploits leading up to Patch Tuesday. Ensure that you are prioritizing remediation of these two products to the latest version.&lt;/li&gt;
	&lt;li&gt;Microsoft SharePoint includes a zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201" rel="noopener" target="_blank"&gt;CVE-2026-32201&lt;/a&gt;) and should be investigated as a priority, especially if you have known update challenges with your SharePoint environments.&lt;/li&gt;
	&lt;li&gt;The Microsoft Windows OS update this month resolves 133 CVEs (depending on edition) and includes 4 Critical CVEs. This update will resolve a significant number of findings across your environment.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Apr 2026 22:51:36 Z</pubDate></item><item><guid isPermaLink="false">4438f929-aa59-4aee-a8d8-d16555dab909</guid><link>https://www.ivanti.com/blog/march-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>March 2026 Patch Tuesday</title><description>&lt;p&gt;March Patch Tuesday resolves 79 CVEs, of which three are Critical and 76 are Important. There are two publicly disclosed CVEs this month, but none exploited. Microsoft has also released an Edge update resolving nine Chrome CVEs. The public disclosures include a Denial-of-Service vulnerability in .NET and an Elevation of Privilege vulnerability in SQL Server. Both disclosures are listed as Unproven for Exploit Code Maturity, indicating the disclosures did not include any code samples.&lt;/p&gt;

&lt;p&gt;Adobe and Mozilla have released updates as part of the March Patch Tuesday, including eight updates from Adobe resolving a total of 80 CVEs, 21 of which are rated Critical. Mozilla Firefox 148.0.2 was released, resolving three high-severity CVEs.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerability&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in SQL Server (CVE-2026-21262). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been publicly disclosed. An attacker who successfully exploited this vulnerability could gain SQL sysadmin privileges. The vulnerability affects SQL Server 2016 and later editions.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Denial of Service vulnerability in .NET (CVE-2026-26127). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.5, but&amp;nbsp;it&amp;nbsp;has been publicly disclosed. An attacker could cause an out-of-bounds read in .NET, allowing an unauthorized attacker to deny service over a network. The vulnerability affects .NET 9 and 10 on Windows, macOS and Linux as well as NuGet 9 and 10 packages.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released eight updates this month resolving a total of 80 CVEs, 21 of which are rated Critical. Adobe Commerce is the highest priority this month with a Priority 2 rating. Other affected products include Adobe Illustrator, Substance 3D Painter, Acrobat and Acrobat Reader, Premiere Pro, Experience Manager, Substance 3D Stager, and DNG SDK.&lt;/p&gt;

&lt;p&gt;Mozilla has released an update for Firefox 148.0.2 resolving three High severity vulnerabilities.&lt;/p&gt;

&lt;h2&gt;March update to-do list&lt;/h2&gt;

&lt;p&gt;The Microsoft OS and Office updates will resolve the majority of the CVEs resolved this month in two easy updates.&lt;/p&gt;

&lt;p&gt;Mozilla Firefox, Microsoft Edge and Google Chrome are all released frequently. Prioritize browser updates on a weekly or daily basis to reduce risks continuously with minimal risk of impact.&lt;/p&gt;
</description><pubDate>Tue, 10 Mar 2026 21:01:35 Z</pubDate></item><item><guid isPermaLink="false">613c7534-d87d-411a-8d02-57955ea3c5e1</guid><link>https://www.ivanti.com/blog/february-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>February 2026 Patch Tuesday</title><description>&lt;p&gt;February Patch Tuesday includes recent out-of-band updates from Microsoft between January 17th and 29th, including multiple bug fixes and a fix for a zero-day exploit in Microsoft Office. In addition, Microsoft announced the phased disablement of NTLM ahead of the February 2026 Patch Tuesday release.&lt;/p&gt;

&lt;p&gt;For the February Patch Tuesday release, Microsoft has resolved 57 unique CVEs. Six CVEs are flagged as Exploited and three of those are Publicly Disclosed as well. Add the out-of-band (OOB) zero-day and you have a lineup of CVEs that need some attention.&lt;/p&gt;

&lt;h2&gt;January Out-of-Band Releases&lt;/h2&gt;

&lt;p&gt;The first OOB release on January 17th resolved a credential prompt failure when attempting remote desktop or remote appliance connections. The second round of OOB updates occurred on January 24th and 26th, resolving application crashes in Outlook and OneDrive, and system hibernation/shut down issues. And finally, the third OOB update on January 26th was a zero-day vulnerability, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;, a Microsoft Office Security Feature Bypass vulnerability.&lt;/p&gt;

&lt;h2&gt;Microsoft plans phased NTLM disablement&lt;/h2&gt;

&lt;p&gt;Microsoft released their plan for the&amp;nbsp;&lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt;&amp;nbsp;of New Technology LAN Manager (NTLM) in the latest operating systems starting now in 2026 and beyond. The NTLM authentication protocol was introduced back in 1993 and has since been superseded by Kerberos protocols, which are far more secure. However, NTLM has remained the fallback when Kerberos is unavailable despite being deprecated and having weak algorithms.&lt;/p&gt;

&lt;p&gt;Phase one introduces additional auditing to help identify where NTLM may still be running and&amp;nbsp;&lt;a href="https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-8-%E2%80%93-disabling-ntlm/4485782" rel="noopener" target="_blank"&gt;changing it out&lt;/a&gt;&amp;nbsp;where you can. Starting now, Microsoft recommends using&amp;nbsp;&lt;a href="https://support.microsoft.com/en-us/topic/overview-of-ntlm-auditing-enhancements-in-windows-11-version-24h2-and-windows-server-2025-b7ead732-6fc5-46a3-a943-27a4571d9e7b" rel="noopener" target="_blank"&gt;advanced NTLM auditing&lt;/a&gt;&amp;nbsp;already available in Server 2025, and Windows 11 24H2 and newer. Phase two begins with major OS updates coming later this year. This update will address the ‘pain points’ or blockers by removing multiple fallback scenarios where Kerberos reverts back to NTLM.&lt;/p&gt;

&lt;p&gt;And finally in phase three, NTLM will be disabled by default. The code will still be there, but you will need to explicitly re-enable it if absolutely needed. This three-phase approach will happen quickly, so plan appropriately to replace NTLM in your environment and take a giant security step forward. The ‘NTLM disabled by default’ phase will occur with the next major Server update.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;On January 29th, Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Microsoft Office (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509" rel="noopener" target="_blank"&gt;CVE-2026-21509&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker can send a user a malicious Office file and convince them to open the file to exploit the vulnerability. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Remote Desktop Services (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533" rel="noopener" target="_blank"&gt;CVE-2026-21533&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved an&amp;nbsp;Elevation of Privilege vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519" rel="noopener" target="_blank"&gt;CVE-2026-21519&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in MSHTML Framework (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513" rel="noopener" target="_blank"&gt;CVE-2026-21513&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Windows Shell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510" rel="noopener" target="_blank"&gt;CVE-2026-21510&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Security Feature Bypass vulnerability in Microsoft Word (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514" rel="noopener" target="_blank"&gt;CVE-2026-21514&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. An attacker can bypass a security feature locally due to a reliance on untrusted inputs. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a&amp;nbsp;Denial of Service vulnerability in Windows Remote Access Connection Manager (CVE-2026-21525). The vulnerability is rated Moderate by Microsoft and has a CVSS v3.1 score of 6.2, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. A null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update for February. The update affects Ivanti Endpoint Manager and resolves two new CVEs and 11 medium severity CVEs that were disclosed in late 2025. More details and information about mitigations can be found in the&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/february-2026-security-update"&gt;February Security Advisory&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition, there was a security advisory on January 29th for Ivanti Endpoint Manager Mobile (EPMM) that had a limited number of customers impacted at time of disclosure. Ivanti urges all customers using the on-prem EPMM product to promptly install the Security Update. The security advisory, additional technical analysis, and an Exploitation Detection script co-developed with NCSC-NL can be found in the &lt;a href="https://www.ivanti.com/blog/january-2026-epmm-security-update"&gt;January Security Advisory&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities  &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates this month resolving 43 CVEs, 27 of which are Critical. All nine updates are rated Priority three by Adobe.&lt;/p&gt;

&lt;h2&gt;February update to-do list&lt;/h2&gt;

&lt;p&gt;Windows OS and Microsoft Office updates are the priority this month, resolving six new zero-day exploits and one out-of-band (OOB) zero-day exploit.&lt;/p&gt;

&lt;p&gt;Review Microsoft’s announcement and documentation on the &lt;a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526" rel="noopener" target="_blank"&gt;phased disablement&lt;/a&gt; of NTLM to start planning for the deprecation and disablement of NTLM.&lt;/p&gt;
</description><pubDate>Tue, 10 Feb 2026 21:58:44 Z</pubDate></item><item><guid isPermaLink="false">7bbd54ed-d35c-4e94-b814-6920a467a5e7</guid><link>https://www.ivanti.com/blog/january-2026-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>January 2026 Patch Tuesday</title><description>&lt;p&gt;New year,&amp;nbsp;new updates!&amp;nbsp;Welcome back to the Ivanti Patch Tuesday blog where we&amp;nbsp;provide&amp;nbsp;you&amp;nbsp;critical insights to&amp;nbsp;optimize&amp;nbsp;your exposure management activities.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This month there are a pair of Mozilla CVEs that are suspected&amp;nbsp;of being&amp;nbsp;exploited and a Microsoft CVE that has been exploited.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In addition, Microsoft has a pair of&amp;nbsp;publicly disclosed vulnerabilities that will need to be reviewed to see if your organization may be&amp;nbsp;impacted&amp;nbsp;by the changes Microsoft is making.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;There are&amp;nbsp;additional&amp;nbsp;third-party&amp;nbsp;updates&amp;nbsp;from Adobe,&amp;nbsp;and&amp;nbsp;you should&amp;nbsp;expect more from Google and Oracle over the next few days and into next week&amp;nbsp;that should be included in your monthly maintenance.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;A side note of good news:&amp;nbsp;Microsoft has broken the Server 2025&amp;nbsp;update out&amp;nbsp;into a separate KB,&amp;nbsp;so it is only&amp;nbsp;1.9GB in size,&amp;nbsp;versus this month’s&amp;nbsp;4GB+ Windows 11 cumulative update.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an&amp;nbsp;Information Disclosure vulnerability in Desktop Window Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805" rel="noopener" target="_blank"&gt;CVE-2026-20805&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 5.5, but&amp;nbsp;it&amp;nbsp;has been confirmed to be exploited in the wild. The exposure could be used to&amp;nbsp;disclose&amp;nbsp;a section address from a remote ALPC port&amp;nbsp;that&amp;nbsp;is user-mode memory. The vulnerability affects all currently supported and extended security update-supported versions of the Windows OS. A risk-based prioritization&amp;nbsp;methodology&amp;nbsp;warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass vulnerability in Secure Boot Certification Expiration (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21265" rel="noopener" target="_blank"&gt;CVE-2026-21265&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.4, but it has been publicly disclosed. In addition to the update, the fix provides a warning regarding certificates that will be expiring in 2026 and details on the actions required to renew those certificates prior to their expiration. It is recommended to start investigating what actions your organization may need to take to prevent potential serviceability and security issues as the certificates expire.&lt;/p&gt;

&lt;p&gt;Microsoft is addressing&amp;nbsp;an&amp;nbsp;Elevation of Privilege vulnerability in Windows Agere Soft Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-31096" rel="noopener" target="_blank"&gt;CVE-2023-31096&lt;/a&gt;). The vulnerability CVE ID was assigned by MITRE&amp;nbsp;in 2023. It&amp;nbsp;is rated Important and has a CVSS v3.1 score of 7.8.&amp;nbsp;The CVE has been publicly&amp;nbsp;disclosed. Microsoft’s resolution is to remove the affected drivers from the Windows OS as&amp;nbsp;of the January 2026 cumulative update. Microsoft recommends removing any existing dependencies on this hardware.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti has released no security advisories this month.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities  &amp;nbsp;&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.mozilla.org/en-US/security/advisories/" rel="noopener" target="_blank"&gt;Mozilla has released updates for Firefox and Firefox ESR,&amp;nbsp;resolving a total of&amp;nbsp;34&amp;nbsp;CVEs&lt;/a&gt;. All three updates have an Impact rating of High. Two CVEs are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/" rel="noopener" target="_blank"&gt;MFSA2026-01&lt;/a&gt;),&amp;nbsp;and CVE-2026-0891 is resolved in Firefox ESR 140.7 (&lt;a href="https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/" rel="noopener" target="_blank"&gt;MFSA2026-03&lt;/a&gt;).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Expect Google Chrome and Microsoft Edge updates this week in addition to a high-severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Adobe has released 11 updates this month affecting Dreamweaver, InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Stager, Painter, Sampler and Designer, and ColdFusion. ColdFusion is a priority 1. Everything else is priority 3, but most of the updates include Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Oracle’s Quarterly CPU is scheduled to&amp;nbsp;release&amp;nbsp;on January 20, so be prepared for updates for Oracle solutions, including Java. Once the Java release is out,&amp;nbsp;expect&amp;nbsp;all of&amp;nbsp;the Java-based frameworks to update over the next few weeks.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;January update&amp;nbsp;to-do&amp;nbsp;list&amp;nbsp;&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Browser updates are a priority this month. Mozilla resolved two suspected zero-day exploits (CVE-2026-0891 and CVE-2026-0892),&amp;nbsp;and Chrome resolved a high-severity CVE (CVE-2026-0628).&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;The Windows OS update resolves one exploited and two publicly disclosed vulnerabilities this month,&amp;nbsp;putting the Windows OS update as top priority this month&amp;nbsp;alongside&amp;nbsp;the browser updates.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Review Secure Boot Certificate timelines and usage of Agere Soft Modem drivers&amp;nbsp;to avoid serviceability and security issues.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 Jan 2026 21:52:53 Z</pubDate></item><item><guid isPermaLink="false">f6313797-d456-4178-8477-933be69ec3b9</guid><link>https://www.ivanti.com/blog/december-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>December 2025 Patch Tuesday</title><description>&lt;p&gt;Here we are at the final Patch Tuesday for 2025. Microsoft has resolved 56 CVEs (two Critical and 54 Important). Included in this release is one known exploited (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and two publicly disclosed CVEs (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). This month’s OS update resolves the exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;) and one of the public disclosures (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;), making the Windows OS a top priority this month. The other public disclosure is in GitHub Copilot for Jetbrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;), which would require developers to download and update the GitHub Copilot plugin.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Third-party updates this Patch Tuesday include multiple releases from Mozilla for Firefox 146 and Firefox ESR 115.31 and 140.6. Adobe released five updates to resolve 142 CVEs including an update for Adobe Acrobat and Reader. Four of five updates are rated as Priority Three, but the Adobe ColdFusion update is rated Priority One. There are no known exploits, but the ColdFusion update resolves the bulk of the CVEs resolved by Adobe this month.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerability&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Cloud Files Mini Filter Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but is confirmed to be exploited in the wild. An attacker who successfully exploits this CVE could gain SYSTEM privileges. The CVE affects Windows 10 and later Windows editions. A risk-based prioritization approach would prioritize this CVE as Critical.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in PowerShell (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100" rel="noopener" target="_blank"&gt;CVE-2025-54100&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8 but has been publicly disclosed. The fix provides a warning and guidance to avoid the potential remote code execution, but the nature of the exposure makes it improbable to fully remediate. The Invoke-WebRequest command can parse the contents of a web page and could potentially run script code in the web page when it is parsed. A warning is presented recommending the use of the -UseBasicParsing switch to avoid script code execution. The CVE affects Server 2008 and later Windows editions.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in GitHub Copilot for Jetbrains (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671" rel="noopener" target="_blank"&gt;CVE-2025-64671&lt;/a&gt;). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.4 but has been publicly disclosed. An attacker could exploit it using a malicious cross-prompt injection in untrusted files or MCP servers, allowing the execution of additional commands by appending them to commands allowed in the user’s terminal auto-approve setting.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ivanti has released one security update this month. The update affects Ivanti Endpoint Manager and resolves four vulnerabilities. More details and information about mitigations can be found in the &lt;a href="https://www.ivanti.com/blog/december-2025-security-update"&gt;December Security Advisory&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Mozilla has released updates for Firefox and Firefox ESR resolving a total of 27 CVEs. All three updates have an Impact rating of High.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Adobe released five updates this month affecting ColdFusion, Experience Manager, DNG SDK, Acrobat and Reader and Creative Cloud Desktop. ColdFusion is a Priority One and resolves the majority of the 142 CVEs. The other four updates are rated Priority Three.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;December update priorities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;The Windows OS update is the priority this month to resolve &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221" rel="noopener" target="_blank"&gt;CVE-2025-62221&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;All other updates can be resolved under normal SLA priorities.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
</description><pubDate>Tue, 09 Dec 2025 22:05:21 Z</pubDate></item><item><guid isPermaLink="false">77e51b29-a602-4d2a-92ee-011a73cea9bd</guid><link>https://www.ivanti.com/blog/unpatchable-vulnerabilities-risk-mitigation-strategies</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><title>Unpatchable Vulnerabilities: Key Risk Mitigation Strategies</title><description>&lt;p&gt;Wouldn’t it be great if every vulnerability had a fix waiting in the wings? If patching were always fast, easy, and complete?&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That’s not the world we live in.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Some vulnerabilities can’t be patched at all. Others are buried in systems or services you don’t fully control. And the longer your focus stays limited to internal infrastructure, the more risk slips through the cracks.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is where the conversation broadens, from vulnerability management to full spectrum &lt;a href="https://www.ivanti.com/glossary/exposure-management"&gt;exposure management&lt;/a&gt;. Because unpatchable vulnerabilities aren’t edge cases. They're part of your everyday risk landscape and deserve a seat at every CISO’s table.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The problem? Too many organizations still equate vulnerability management with patching, and that mindset creates blind spots big enough for attackers to walk right through. It ignores the exposures lurking outside traditional infrastructure: cloud misconfigurations, expired certificates, &lt;a href="https://www.ivanti.com/blog/software-supply-chain-attack-risk"&gt;third-party software dependencies&lt;/a&gt;, identity abuse and more.&lt;/p&gt;

&lt;h2&gt;What are unpatchable vulnerabilities?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Unpatchable vulnerabilities live up to their name. They’re flaws you can’t fix with a vendor patch, and not as rare as you might think. In today’s environment, risk is as likely to come from a cloud misconfiguration or expired certificate as it is from a missing update. But if your strategy focuses only on infrastructure vulnerabilities, you’re leaving massive gaps in your defenses.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Most teams lack total &lt;a href="https://www.ivanti.com/blog/attack-surface-visibility-gaps"&gt;attack surface visibility&lt;/a&gt; and treat infrastructure as the entire &lt;a href="https://www.ivanti.com/glossary/attack-surface"&gt;attack surface&lt;/a&gt;. Full stop. But that’s only one layer in a much broader landscape. The reality is that there are five critical layers where vulnerabilities live, and only one of them can be reliably managed with traditional patching.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/10/unpatchable-blog_attack-surface-graphic.png"&gt;&lt;/p&gt;

&lt;p&gt;The rest? They're unpatchable by nature. And each requires a different approach if you want to close the gaps. Let’s go through them one at a time:&lt;/p&gt;

&lt;h3&gt;1. Infrastructure&amp;nbsp;&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Infrastructure is the attack surface layer that everyone knows. It’s where traditional vulnerability management and patch management live. And yes, it’s critical. But treating this as the whole (or only) attack surface is like locking your front door and ignoring the open windows.&lt;/p&gt;

&lt;h3&gt;2. External attack surface&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;The &lt;a href="https://www.ivanti.com/products/external-attack-surface-management"&gt;external attack surface&lt;/a&gt; is what an adversary sees when they look at your organization from the outside. Your domains, subdomains and exposed services are entry points you don’t always control directly and often aren’t picked up in infrastructure scans.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;3. Cloud services&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Cloud misconfigurations are one of today’s most dangerous blind spots and also among the most overlooked, particularly in environments that have rapidly adopted cloud services without simultaneously evolving their security practices. We’ve seen the headlines about data exposed through misconfigured storage buckets or overly permissive APIs. These aren’t software flaws. They’re setup mistakes, and no patch can fix a poorly set permission.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;4. Identity&amp;nbsp;&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Then there’s identity. Every user account, credential and session token is a target. If a threat actor phishes your credentials or cracks a weak password, they’re not even exploiting a system vulnerability. They’re using your systems exactly as designed. Don’t mistake identity for a layer of access control. It serves as its own attack surface.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;5. Data&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;And finally: data. The ways you classify, store and secure data all represent a surface area that attackers are constantly probing. If sensitive information is in the wrong place, with the wrong permissions, that’s an open invitation.&lt;/p&gt;

&lt;p&gt;Patching is critical. It gives you remediation coverage on endpoints and servers. But it only addresses one piece of the puzzle. The rest of your environment requires a wider lens.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The reality is: exposures aren’t buried in code. They live in misconfigurations, overly broad permissions, architectural shortcuts and legacy systems either forgotten or left to rot in the background. Those don’t get fixed with a patch. They get fixed with strategy.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Examples of unpatchable vulnerabilities&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/log4j-haunts-security-community/702011/" rel="noopener" target="_blank"&gt;Log4j&lt;/a&gt; was a wake-up call. A single vulnerable library embedded across dozens of applications, many of them business-critical. You couldn’t just “push a patch”. You had to wait for each vendor to update their software, and/or manually disable vulnerable components until you closed that hole.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That’s just one example of how complexity can derail vulnerability management. Other cases are even more problematic:&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-iiot"&gt;IoT devices&lt;/a&gt; often operate as closed systems, with firmware controlled entirely by the vendor. If vendor support ends, you’re left with internet-connected assets that IT can’t update directly as firmware is locked behind vendor-controlled gates. Without updates, vulnerabilities remain exposed.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Network edge devices (firewalls, VPNs, etc.) come with layers of complex rules, configurations and dependencies that can’t be blindly updated. Every change must be tested against business-critical services to avoid outages. A single misstep can knock systems offline or break key integrations. That’s why most teams treat these updates like surgical procedures: slow, meticulous and weighed carefully against the organization’s &lt;a href="https://www.ivanti.com/blog/risk-appetite"&gt;risk appetite&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;And then there’s cryptographic decay. It’s the slow decay of trust in encryption as attackers get faster and standards grow older. TLS and SSL protocols, once considered rock solid, become exploitable over time.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;And none of them can be addressed by traditional patching models. They live outside the boundaries of what scanners catch and patching can solve. That’s why a broader security strategy, one rooted in exposure reduction and not just patching, needs to guide your approach.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Multifaceted risk mitigation strategies&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Start by targeting the weakest links in your environment: outdated protocols, misconfigurations and overexposed assets. Then, assess who and what has access to your systems. Shrink those access pathways to only what’s essential. This reduces the damage radius when something goes wrong.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Next, break risk mitigation into multiple workstreams. Not every vulnerability can be addressed the same way or on the same timeline. You need parallel tracks for short-term containment and long-term resilience.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In the short term, if you're facing an unpatchable vulnerability, ask: how do we minimize impact now? The Log4j response is a good model. There, we deployed scripts that disabled vulnerable components in real time, limiting exposure while waiting for a vendor patch.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;At the same time, build a longer-term framework. Automate configuration updates wherever possible. Create a roadmap for phasing out end-of-life apps and platforms. Map ownership across critical systems, including which teams or vendors control updates and what permissions or dependencies might block timely fixes. When an issue arises, that prep work determines whether you're reacting in chaos or executing a plan.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The tactics will vary — scripts, segmentation, zero trust, re-architecture — but the goal stays the same: reduce the time and space adversaries have to exploit your systems. Shrink the window. Stay ahead of it.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The organizations that succeed in managing unpatchable vulnerabilities are the ones who understand their environment inside and out. They never stop refining that understanding. That means having a real-time asset inventory, visibility into what’s running where and a comprehensive Software Bill of Materials (SBOM) that tells you what’s inside your software.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;They also monitor the entire attack surface. Not just endpoints, but external perimeters, cloud configurations, identity systems, and the data itself. Anything less than that leaves blind spots wide open.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;They build tight operational bridges between teams. When a high-risk exposure surfaces, network ops, application owners and developers already know who’s on point, what actions to take and how to move fast without triggering service disruptions.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Above all, they know that “unpatchable” doesn’t mean unmanageable. It just means you need a different playbook: one that’s layered, cross-functional and laser-focused on reducing real-world risk.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For more on how to elevate your approach to vulnerability management and risk mitigation, check out Ivanti’s research report: &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch" target="_blank"&gt;Risk-Based Patch Prioritization&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
</description><pubDate>Mon, 20 Oct 2025 13:00:00 Z</pubDate></item><item><guid isPermaLink="false">9e9a6540-2b98-4a64-9124-117518ba31b4</guid><link>https://www.ivanti.com/blog/october-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>October 2025 Patch Tuesday</title><description>&lt;p&gt;October Patch Tuesday is going to be a busy one from all angles. Microsoft exceeded the January CVE count (159 CVEs) by a healthy margin, with 172 CVEs resolved this month. There are three exploited and two publicly disclosed vulnerabilities this month, but fortunately all of them are in the cumulative OS update, making resolution quick and clean. They are also end of life-ing a lot of products, including Windows 10! Additionally, Office 2016 and 2019 and Exchange Server 2016 and 2019 have also reached end of life.&lt;/p&gt;

&lt;p&gt;Adobe released 12 updates resolving 36 CVEs. Mozilla released five updates resolving 45 CVEs and are cautioning users that three of these CVEs are showing signs they may have been exploited in the wild (unconfirmed). And of course, Google Chrome is expected to release their weekly update in the next 24 hours.&lt;/p&gt;

&lt;p&gt;There is a lot to unpack, so let’s get started.&lt;/p&gt;

&lt;h2&gt;Microsoft’s exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Secure Boot bypass vulnerability in IGEL OS before version 11 (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47827" rel="noopener" target="_blank"&gt;CVE-2025-47827&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 4.6. Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature, allowing a crafted root file system to be mounted from an unverified image.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Remote Access Connection Manager (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230" rel="noopener" target="_blank"&gt;CVE-2025-59230&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8. Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990" rel="noopener" target="_blank"&gt;CVE-2025-24990&lt;/a&gt;), which Microsoft has confirmed is exploited in the wild. The CVE is rated Important and has a CVSS 3.1 score of 7.8.&amp;nbsp; The driver shipped natively with the Windows OS. Microsoft has removed the driver with the October cumulative update and recommends removing any existing dependencies on this fax modem hardware. Exploit is possible even if the drive is not being used. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Agere Modem Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24052" rel="noopener" target="_blank"&gt;CVE-2024-24052&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 7.8. The exploit code maturity is listed as proof-of-concept, which increases the risk of exploitation. A risk-based prioritization methodology would warrant treating this as Critical.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an out-of-bounds read vulnerability in the TCG TPM2.0 reference implementation (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-2884" rel="noopener" target="_blank"&gt;CVE-2025-2884&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is rated Important and has a CVSS 3.1 score of 5.3. The exploit code maturity is listed as unproven, indicating there is currently no publicly available exploit code.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates and one Security Advisory for October Patch Tuesday, resolving a total of seven CVEs. The affected products include Ivanti Neurons for MDM and Ivanti Endpoint Manager Mobile. The Ivanti Neurons for MDM vulnerabilities were resolved for all customers on October 10, 2025. An additional Security Advisory was released for Ivanti Endpoint Manager, which provides mitigation options for vulnerabilities disclosed October 7, 2025.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/october-2025-security-update"&gt;October Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released 12 updates addressing 36 CVEs. Adobe has rated the Commerce update as a priority two and the rest of the updates as priority three.&lt;/li&gt;
	&lt;li&gt;Mozilla released five updates resolving 45 CVEs. Three of the CVEs included variations of the statement, “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” indicating a possibility of exploitation in the wild. All five updates include at least one of the suspected exploit CVEs, so we recommend treating all five as containing a known exploited CVE.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release in the next 24 hours, so plan a Chrome update and a possible Edge update shortly after.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;October update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS cumulative update is the top priority this month, as it resolves three exploited and two publicly disclosed CVEs.&lt;/li&gt;
	&lt;li&gt;All Mozilla updates should be deployed during your current maintenance, but any deferral or delay would come with risks as there are three CVEs that are speculated to be exploitable in the wild already.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Oct 2025 21:43:03 Z</pubDate></item><item><guid isPermaLink="false">3048b2b0-01d6-484d-8894-668a44ac732a</guid><link>https://www.ivanti.com/blog/continuous-vulnerability-management</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Security</category><title>Schrödinger’s Vulnerability: Why Continuous Vulnerability Management Isn’t Optional</title><description>&lt;p&gt;The classic thought experiment known as &lt;a href="https://www.newscientist.com/definition/schrodingers-cat/" rel="noopener" target="_blank"&gt;Schrödinger’s Cat&lt;/a&gt; imagines a cat that’s simultaneously alive and dead; that is, until someone opens the box. In other words, it’s both alive and dead until the point that we can confirm the truth.&lt;/p&gt;

&lt;p&gt;Now, swap the cat for software vulnerabilities, and you’ve got a fantastic analogy for what happens in today’s security environment. Teams won’t know a vulnerability exists until it’s discovered and, in the worst cases, until it’s already being exploited.&lt;/p&gt;

&lt;p&gt;That uncertainty is what I call &lt;em&gt;&lt;strong&gt;Schrödinger’s vulnerability&lt;/strong&gt;&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;It’s the gap between the assumption of safety and the reality of exposure. And it’s a gap that traditional vulnerability management practices alone can’t bridge.&lt;/p&gt;

&lt;p&gt;With threat actors leveraging automation and AI to enhance the speed and scale of their attacks, the time between the discovery of a vulnerability and exploitation is shrinking. Organizations can’t afford to waste time identifying and &lt;a href="https://www.ivanti.com/resources/time-to-patch"&gt;patching vulnerabilities&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Traditional patching methods are on a fixed cadence – once a month or once a week – but this approach is out of touch with the realities of modern threats.&lt;/p&gt;

&lt;p&gt;Organizations need to branch out from relying just on reactive, scheduled &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;patch management&lt;/a&gt; and remediation cycles. It’s time we shift our mindset to an always-on, comprehensive way of understanding a potential vulnerability – even before we know that the vulnerability exists.&lt;/p&gt;

&lt;h2&gt;The Patch Tuesday problem: real-world threats move faster&lt;/h2&gt;

&lt;p&gt;Let’s start with what we all know: &lt;a href="https://www.ivanti.com/resources/patch-tuesday"&gt;Patch Tuesday&lt;/a&gt; is predictable. Patch Tuesday remains an important practice in helping security teams prioritize their updates and remediate newly-identified vulnerabilities. Leading tech companies like Microsoft, Apple and Ivanti itself release their updates and patches on a regular cycle, giving IT and security teams time to prepare their own maintenance cycles.&lt;/p&gt;

&lt;p&gt;However, the problem is that many vulnerabilities aren't so predictable.&lt;/p&gt;

&lt;p&gt;For example, popular third-party applications such as Adobe, Mozilla and Google are continuously releasing updates to common applications — such as browsers — that we all use on a daily basis.&lt;/p&gt;

&lt;p&gt;For organizations only anchored to a monthly maintenance schedule, this can create a dangerous delay. Each time you “close the box” and wait for the next patch window, you leave a 29-day exposure gap wide open.&lt;/p&gt;

&lt;p&gt;Consider what happened in the spring months of 2025: in the span of five weeks, Chrome, Edge and Firefox each identified zero-day vulnerabilities that required immediate attention:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Two Firefox vulnerabilities &lt;a href="https://thehackernews.com/2025/05/firefox-patches-2-zero-days-exploited.html" rel="noopener" target="_blank"&gt;publicly exploited at the Pwn2Own hacker competition&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.helpnetsecurity.com/2025/07/16/update-google-chrome-to-fix-actively-exploited-zero-day-cve-2025-6558/" rel="noopener" target="_blank"&gt;An actively exploited zero-day in Chrome&lt;/a&gt; and its sibling browser, Edge&lt;/li&gt;
	&lt;li&gt;Multiple rapid-fire CVE disclosures demanding swift action&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Modern cyber attackers can reverse-engineer newly released patches to uncover the underlying vulnerability, weaponize proof-of-concept exploits and launch automated attacks.&lt;/p&gt;

&lt;p&gt;Once a vulnerability is publicly disclosed, you enter a critical window to resolve the issue before threat actors can take advantage of it. In fact, the June 2025 zero-day in Chrome (CVE-2025-5419) was actively exploited in the wild upon patch release, underscoring how quickly adversaries can weaponize a disclosed flaw.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Patch Tuesday timeline of events from May-June 2025" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/schrodinger-vulnerability-graphic-1-patch-timeline.jpg"&gt;&lt;/p&gt;

&lt;p&gt;To extend our Schrödinger’s analogy: vulnerability management is like herding cats. And as anyone who’s tried to herd cats knows, it’s a 24/7, round-the-clock job. In other words, &lt;a href="https://www.ivanti.com/blog/continuous-vulnerability-management-is-a-must"&gt;continuous vulnerability management&lt;/a&gt; is even more crucial now than before.&lt;/p&gt;

&lt;h2&gt;The IT burden: continuous releases and compressed SLAs&lt;/h2&gt;

&lt;p&gt;Threat velocity is only half the challenge. As more vendors shift to continuous release cycles, it forces security teams to shrink SLAs, sometimes dramatically. The result is often “smoke-test validation”, confirming a patch has been installed without fully checking its impact. That’s how bugs, compatibility issues and missed dependencies slip through. You’re increasing operational risk even when trying to reduce security risk. It’s like peeking in the box to see if the cat’s breathing and missing the open window behind it.&lt;/p&gt;

&lt;p&gt;IT teams are struggling to test, validate and deploy patches at that increased pace, &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch"&gt;according to Ivanti research&lt;/a&gt;. Nearly four out of 10 (39%) cybersecurity professionals find it a challenge to prioritize risk remediation and patch deployment, and 35% aren’t consistently able to maintain compliance when patching.&lt;/p&gt;

&lt;p&gt;A different approach is needed. Teams need to be more proactive and continuous in their approach. This means adopting a mindset of &lt;a href="https://www.ivanti.com/glossary/exposure-management"&gt;exposure management&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Risk appetite: the starting point for exposure management&lt;/h2&gt;

&lt;p&gt;Every organization has a different tolerance threshold regarding risk. That’s your &lt;a href="https://www.ivanti.com/blog/risk-appetite"&gt;risk appetite&lt;/a&gt;. If you haven’t formally defined that in your teams, you can’t operationalize an effective response strategy.&lt;/p&gt;

&lt;p&gt;That’s why continuous vulnerability management starts with a conversation across stakeholders. You must bring security ops, IT and business leadership to the table to address critical questions:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;What level of exposure are we willing to tolerate?&lt;/li&gt;
	&lt;li&gt;How fast can we realistically respond to zero-day threats?&lt;/li&gt;
	&lt;li&gt;What's the financial, operational and reputational cost of being wrong?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;a href="https://www.ibm.com/reports/data-breach" rel="noopener" target="_blank"&gt;average cost of a ransomware incident is now reported as being upwards of $5 million&lt;/a&gt;. That’s no small sum, and especially for smaller organizations, the high costs may pose an existential threat to their business.&lt;/p&gt;

&lt;p&gt;For enterprises, it’s more the brand damage and regulatory exposure where it stings the most.&lt;/p&gt;

&lt;p&gt;No matter your size, these numbers demand a shift from measuring patching SLAs to actively managing exposure.&lt;/p&gt;

&lt;h2&gt;From cadence to coverage: tiered patch management framework&lt;/h2&gt;

&lt;p&gt;At Ivanti, we’ve operationalized this mindset through a flexible, layered policy framework within our &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Neurons for Patch Management platform&lt;/a&gt;. This starts with three policy tiers that align with real-world vulnerability response patterns:&lt;/p&gt;

&lt;p&gt;&lt;img alt="Patch tiers graphic" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/schrodinger-vulnerability-blog-graphic-2-patch-tiers.png"&gt;&lt;/p&gt;

&lt;h3&gt;1. Routine maintenance&lt;/h3&gt;

&lt;p&gt;This is your baseline: OS updates, scheduled third-party patches, standard hygiene. While essential, it’s insufficient if it stands on its own. You’re keeping the lights on, but you’re not ready when a storm hits.&lt;/p&gt;

&lt;h3&gt;2. Priority updates&lt;/h3&gt;

&lt;p&gt;Browsers, collaboration tools and document apps change constantly, making them prime targets for exploitation. Because of the perpetual change and evolution of these apps, they require faster response cycles and purpose-built policies. We’ve created default configurations to help customers proactively manage these risk-prone applications with minimal friction.&lt;/p&gt;

&lt;h3&gt;3. Zero-Day response&lt;/h3&gt;

&lt;p&gt;Agility matters most here. When a zero-day is discovered and disclosed (or worse, exploited), you don’t have time to debate or argue about what to do in response. You need preconfigured, battle-tested policies that you can pivot to immediately and patch outside your normal cycle.&lt;/p&gt;

&lt;p&gt;These three tiers running parallel to each other give organizations a starting point for moving beyond cadence-based patching. They operationalize the concept of risk appetite by matching prescribed response urgency to the nature of the threat.&lt;/p&gt;

&lt;h2&gt;Multilayered vulnerability management and continuous compliance&lt;/h2&gt;

&lt;p&gt;&lt;img alt="continuous compliance graphic" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/schrodinger-vulnerability-graphic-3-continuous-compliance.jpg"&gt;&lt;/p&gt;

&lt;p&gt;Not every system is perfect, though. What happens when something falls through the cracks?&lt;/p&gt;

&lt;p&gt;Maybe an employee was on vacation. Maybe a system was turned off. Maybe a new device was integrated without the latest patches. These are the edge cases that create silent, persistent risk. These are your very own Schrödinger’s vulnerabilities.&lt;/p&gt;

&lt;p&gt;To solve this requires a fourth remediation track: &lt;strong&gt;Continuous Compliance&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;This task runs in the background. It monitors for devices that don’t meet your latest patching baseline from routine to zero-day. When it finds gaps, it closes them &lt;em&gt;automatically&lt;/em&gt;. It’s like a bank’s vault automatically locking shut when thieves trigger the alarm.&lt;/p&gt;

&lt;p&gt;There’s no need to wait for the next Patch Tuesday or have someone manually watch the dashboard 24/7. This is where true continuous vulnerability management takes shape. Ongoing coverage (and security) rather than manual reaction.&lt;/p&gt;

&lt;h2&gt;Shrinking the noise: focus on what matters&lt;/h2&gt;

&lt;p&gt;There’s another critical benefit here: dramatically reducing the volume of noise your security teams have to triage.&lt;/p&gt;

&lt;p&gt;Take July’s &lt;a href="https://www.ivanti.com/resources/patch-tuesday"&gt;Patch Tuesday&lt;/a&gt;. Microsoft released patches for 104 CVEs. Let’s do the math: say you have 3,000 Windows 11 machines in your user base. That means more than 300,000 “findings” for your vulnerability scanner.&lt;/p&gt;

&lt;p&gt;But here’s the thing: if your exposure management program is doing its job, 99% of those findings are already addressed and accounted for in your routine maintenance, priority updates or in your zero-day response tasks. No more needing to parse through mountains of redundant alerts – your team can now home in on what needs real attention, including gaps, anomalies and uncompliant systems.&lt;/p&gt;

&lt;p&gt;That’s how you move from reactive alert fatigue to active risk reduction.&lt;/p&gt;

&lt;h2&gt;From patch management to preparedness&lt;/h2&gt;

&lt;p&gt;This, ultimately, is a mindset shift. You’re moving from a reactive model to a proactive one. You’re shifting from waiting for vulnerabilities to surface and deciding what to do about them, to responding with predefined and automated processes firmly in place.&lt;/p&gt;

&lt;p&gt;That’s the difference between simply patching and being prepared. It matters more now than ever, with CVE counts rising and threat actors faster, smarter and better resourced.&lt;/p&gt;

&lt;p&gt;Regulatory expectations are also growing. Whether it’s SEC disclosure rules, National Institute of Standards and Technology (NIST) frameworks or industry-specific compliance mandates, the bar for “reasonable security” is climbing.&lt;/p&gt;

&lt;p&gt;The baseline has changed: it’s no longer patch and react. It’s continuous vulnerability management.&lt;/p&gt;

&lt;h2&gt;Not falling for Schrödinger’s vulnerability&lt;/h2&gt;

&lt;p&gt;Back to the cat. The whole point of the Schrödinger’s Cat thought experiment is that uncertainty persists &lt;em&gt;until you look&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;That’s fun in concept, but it’s dangerous when you apply that mentality to cybersecurity. You can’t just hope you won’t get hit — you must &lt;a href="https://www.ivanti.com/products/risk-based-vulnerability-management"&gt;manage risk&lt;/a&gt; through continuous monitoring, patching and enforcing.&lt;/p&gt;

&lt;p&gt;With the right measures in place, you’re not opening the box wondering if a vulnerability is “alive” or not. You’ve already taken steps to keep it safe. You can open with confidence and then shut the window of exposure before it even becomes an open door.&lt;/p&gt;

&lt;p&gt;Discover more best practices to elevate your current patching and remediation efforts to a proactive, high-performing security strategy in our full &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch"&gt;Risk-Based Patch Prioritization Report&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Wed, 17 Sep 2025 13:00:01 Z</pubDate></item><item><guid isPermaLink="false">419bfa61-ee47-4c09-aa89-434ff944ccb0</guid><link>https://www.ivanti.com/blog/september-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>September 2025 Patch Tuesday</title><description>&lt;p&gt;The days leading into September Patch Tuesday include a bit of chaos from a pair of actively exploited Android CVEs (CVE-2025-38352, CVE-2025-48543), a zero day in WhatsApp (CVE-2025-55177), another zero day in WinRAR (CVE-2025-8088), and a major supply chain attack through the Drift AI Chat Agent exposing Salesforce customers’ data.&lt;/p&gt;

&lt;p&gt;The good news is Microsoft only has a pair of publicly disclosed vulnerabilities (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;) out of 81 total CVEs resolved this month, making this about as close to a calm Patch Tuesday as we can hope for.&lt;/p&gt;

&lt;p&gt;The Windows OS and Office updates are rated Critical this month, putting those as the highest priority, but with no zero-day exploits, this month should be focused on routine maintenance from a Microsoft perspective.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234" rel="noopener" target="_blank"&gt;CVE-2025-55234&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 8.8 and affects all Windows OS editions. The code maturity is unproven, which would indicate no code samples have been disclosed. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Improper Handling of Exceptional Conditions vulnerability in Newtonsoft.Json (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21907" rel="noopener" target="_blank"&gt;CVE-2024-21907&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. The CVE is unrated and affects SQL Server 2016, 2017 and 2019. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause a denial-of-service condition. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Adobe has released nine updates resolving 22 CVEs, 12 of which are rated Critical. The products affected include Adobe Acrobat Reader, After Effects, Premiere Pro, Commerce, Substance 3D Viewer, Experience Manager, Dreamweaver, 3D Substance Modeler and ColdFusion. Adobe has rated the ColdFusion update as a priority one and Commerce as a priority two. The other seven updates are rated priority three.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisories&lt;/h2&gt;

&lt;p&gt;Ivanti has released two updates for September Patch Tuesday resolving a total of 13 CVEs. The affected products include Ivanti Connect Secure and Policy Secure and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/september-2025-security-update"&gt;September Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;September update priorities&lt;/h2&gt;

&lt;p&gt;With no zero-days released on Patch Tuesday, the updates this month are predominantly low risk. Ensure you have the zero days leading up to Patch Tuesday in hand, and plan to deploy the Microsoft and Adobe updates through your regular maintenance activities this month.&lt;/p&gt;
</description><pubDate>Tue, 09 Sep 2025 21:28:36 Z</pubDate></item><item><guid isPermaLink="false">b5a7b009-4cc8-4f68-a14f-dc3f5f5a0361</guid><link>https://www.ivanti.com/blog/attack-surface-discovery</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Security</category><title>Attack Surface Discovery: How to Identify Your Organization's Attack Surface</title><description>&lt;p&gt;Much like your lawn after a good rain, your &lt;a href="https://www.ivanti.com/glossary/attack-surface"&gt;attack surface&lt;/a&gt; will grow rapidly if left unchecked. And an increase in cybersecurity risk comes along with that increase in attack surface size. While risk can’t be eliminated outright (because attack surfaces are always evolving), you can manage it to keep your overall risk levels in line with your &lt;a href="https://www.ivanti.com/blog/risk-appetite"&gt;risk appetite&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Why is attack surface discovery so important?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Managing cybersecurity risk begins with identifying your organization’s attack surface. More specifically, you must identify what lurks below the surface — the endpoints, vulnerabilities and other attack vectors that expose your environment.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Leading security frameworks agree that attack surface discovery is essential for a strong security posture. For instance, the first Function of the &lt;a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf" rel="noopener" target="_blank"&gt;National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) Version 1.1&lt;/a&gt; is Identify, and NIST states, “The activities in the Identify Function are foundational for effective use of the Framework.” Similarly, CIS Controls v8 contains the following Controls:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Control 1 — Inventory and Control of Enterprise Assets&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Control 2 — Inventory and Control of Software Assets&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Control 7 — Continuous Vulnerability Management&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Put simply, you can’t defend what you don’t know you have. But how do you figure out what you have?&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How do I get started with attack surface discovery?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Attack surface discovery requires you to take an attacker’s view of your organization to find exploitable assets and associated vulnerabilities.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Your attack surface has three components: a digital attack surface, a physical attack surface and a human attack surface. Here, we’ll focus primarily on discovering your digital attack surface, although we’ll touch briefly on the other two aspects as well.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Your digital attack surface includes traditional IT assets — hardware, such as endpoints and servers, as well as software applications — and external internet-facing assets, such as web applications, IPs, domain names, SSL certificates and cloud services.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Your first step is to account for each element of your digital attack surface and identify your visibility gaps. You can classify each element as:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Known known:&lt;/strong&gt; Cyber assets that you know are part of your attack surface.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Known unknown:&lt;/strong&gt; Cyber assets that you know are part of your attack surface but that you may not have visibility into and/or don’t have under management.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Unknown unknown:&lt;/strong&gt; Cyber assets that may or may not be part of your attack surface — you don’t know.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;N/A:&lt;/strong&gt; Cyber assets that you know with 100% certainty are not part of your attack surface.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For a more comprehensive overview of your attack surface elements, use our editable &lt;a href="/resources/v/doc/ivi/2870/4280f64b5d84" target="_blank"&gt;attack surface checklist&lt;/a&gt; to take inventory.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Tools for discovering and managing your attack surface&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;The next step after classifying your asset types is to figure out what tools or approaches will allow you to close your visibility gaps, turning your known unknowns and unknown unknowns into known knowns.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;There are more specific solutions that fall under the broad umbrella of &lt;a href="https://www.ivanti.com/glossary/attack-surface-management-asm"&gt;attack surface management&lt;/a&gt; — cyber asset attack surface management (CAASM), &lt;a href="https://www.ivanti.com/products/external-attack-surface-management"&gt;external attack surface management (EASM)&lt;/a&gt; and digital risk protection services (DRPS). These tools aggregate findings to more easily identify vulnerabilities, and some also have capabilities for prioritizing and remediating these vulnerabilities, allowing you to quickly act on attack surface insights and reduce risk.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;But organizations have needed to discover and manage their digital attack surfaces since before ASM solutions became available. Instead of ASM solutions, many organizations have leveraged — and continue to leverage — other approaches to do so.&amp;nbsp;&lt;/p&gt;

&lt;table&gt;
	&lt;thead&gt;
		&lt;tr&gt;
			&lt;th scope="col"&gt;Approach&amp;nbsp;&amp;nbsp;&lt;/th&gt;
			&lt;th scope="col"&gt;Description&amp;nbsp;&lt;/th&gt;
			&lt;th scope="col"&gt;Pros&amp;nbsp;&lt;/th&gt;
			&lt;th scope="col"&gt;Cons&amp;nbsp;&lt;/th&gt;
		&lt;/tr&gt;
	&lt;/thead&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td&gt;Asset discovery tools&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Find and inventory hardware and software assets connecting to your network.&amp;nbsp;&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations. Better than spreadsheets.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Can have blind spots, such as shadow IT, third-party systems and line-of-business applications.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Breach and attack simulation (BAS)&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Automatically test threat vectors to gain a deeper understanding of security posture vulnerabilities and validate security controls.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Generates reports on security gaps and prioritizes remediation based on risk.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Only focuses on known attacks. Doesn't provide remediation.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Cloud security posture management (CSPM)&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Understand changes in cloud configurations.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Provides real-time visibility into cloud configurations.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Doesn't reveal when configurations drift out of compliance or the potential impact of emerging threats.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Configuration management database (CMDB)&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Track changes made to systems.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Doesn't reveal when configurations drift out of compliance or the potential impact of emerging threats.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Homegrown approach&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Combine spreadsheets, scripts and manual processes to manage attack surface.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Inexpensive or free from a pure cost perspective (overlooking analyst hours).&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Time-consuming and error-prone. Not scalable or real-time.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;IT asset management (ITAM)&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Track and monitor assets through their full lifecycle.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations. Better than spreadsheets.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Only covers known and managed assets while overlooking unknown or unmanaged facets of attack surface.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Penetration testing (e.g., automated penetration testing tools and penetration testing as a service)&amp;nbsp;&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Identify vulnerabilities within your network and applications by simulating a cyberattack.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Provides examples of security posture and associated budget priorities.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Only focuses on the first phase of the cyber kill chain: reconnaissance. Also, results are typically point-in-time and only as good as the penetration testers carrying out the simulation.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Red teaming&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Provides a comprehensive picture of an organization’s cybersecurity posture by staging a cyberattack simulation against networks, applications, physical safeguards and employees.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Goes beyond penetration testing by focusing on other phases of the cyber kill chain. Also goes beyond digital attack surface and touches on physical and human attack surfaces.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Results are typically point-in-time and only as good as the penetration testers carrying out the simulation.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Threat intelligence&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Access information on threats and other cybersecurity issues.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Arms security experts with intelligence on threats and vulnerabilities.&amp;nbsp;&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Geared toward organizations with highly mature security operations consisting of skilled personnel and extensive resources.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Vulnerability management tools (e.g., scanners)&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Identify and manage vulnerabilities within your infrastructure and applications.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations.&amp;nbsp;&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;No visibility into unknown assets. Overwhelming amounts of data.&amp;nbsp;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;


&lt;p&gt;While these methods don’t offer all the capabilities of a purpose-built ASM solution, they still play important roles in an organization’s IT and security practices.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In fact, CAASM tools can’t function without data from asset discovery, ITAM, vulnerability management and/or patch management tools. Similarly, EASM complements the threat intelligence and security testing services listed above.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How do I identify my organization’s physical attack surface?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;The first major component of your organization’s physical attack surface overlaps with your digital attack surface. This is referred to as the endpoint attack surface, and it’s composed primarily of all the endpoints that connect to your network: desktop computers, laptops, mobile devices and IoT devices. The tools and techniques you use to discover your digital attack surface apply here, too.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The second major component of your physical attack surface is your offices, data centers and other facilities. Again, techniques already used to identify the digital attack surface overlap with the physical attack surface, too. In this case, that’s the physical penetration testing component of red teaming.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How do I identify my organization’s human attack surface?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Identifying your human attack surface begins by looking at your org chart. Anyone associated with your organization who can access sensitive information — or prevent others from accessing that information — contributes to your human attack surface. That includes not just full-time employees but also part-time employees, board members, contractors, partners, vendors, suppliers, temps and others.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Red teaming, a practice used to identify elements of both the digital and physical attack surfaces, can also be used to identify a major component of the human attack surface: employee susceptibility to social engineering.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Improper user privilege assignment is another major contributor to human attack surfaces. Reviewing the systems and data that the people who contribute to your human attack surface have access to, plus the levels of access they possess, is another way you can identify parts of that surface.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;I’ve identified my organization’s attack surface. Now what?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Discovering your attack surface is step one on the path to your end goal: remediating the vulnerabilities that pose the greatest risk to your organization. Taken as a whole, this process is called &lt;a href="https://www.ivanti.com/resources/exposure-management-strategy-guide" target="_blank"&gt;exposure management&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Attack surface discovery, as we’ve already discussed, is one of the foundations of your security strategy — if you don’t know it’s there, you can’t protect it. Exposure management adds one more foundational pillar, which is determining your risk appetite. This defines how much risk your organization is willing to take on in pursuit of your goals. (You can use this &lt;a href="https://www.ivanti.com/ty/security/downloads/risk-appetite-statement"&gt;editable template&lt;/a&gt; for your risk appetite statement.)&amp;nbsp;&lt;/p&gt;

&lt;p&gt;With these two foundational elements addressed, you can then assess the vulnerabilities you’ve discovered in your attack surface to determine how much risk they pose for your organization, and whether they are within your risk appetite (a process that we cover in depth in this &lt;a href="/resources/v/doc/ivi/2873/4eb345cbbd7a" target="_blank"&gt;guide to objective cyber risk assessment&lt;/a&gt;).&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The vulnerabilities that fall outside your risk appetite are your priorities for remediation, allowing you to focus your efforts where they have the greatest impact.&amp;nbsp;&lt;/p&gt;
</description><pubDate>Mon, 18 Aug 2025 09:54:55 Z</pubDate></item><item><guid isPermaLink="false">3ae8d951-7002-41fd-976c-737c26267f79</guid><link>https://www.ivanti.com/blog/august-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>August 2025 Patch Tuesday</title><description>&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="platform" value="youtube"&gt;&lt;param name="id" value="cLNedMpRCyk"&gt;&lt;param name="cms_type" value="video"&gt;&lt;/object&gt;&lt;/p&gt;

&lt;p&gt;Let me start this month off with a question. Have you already decided what you are going to do for your remediation plan this month? Think about it for a second. OS updates, productivity apps, browsers, and other apps are already likely under consideration for your August patch maintenance. The real decisions you need to consider are around timing. Do you proceed with your typical Patch Tuesday plan or do you need to accelerate any zero-days, etc?&lt;/p&gt;

&lt;p&gt;What you just thought about was a generalization of defining your risk appetite. There is a lot of discussion across the vulnerability management market about how to modernize vulnerability management. When you think about trends like 32% of 1H 2025 known exploited vulnerabilities (KEVs) being zero-day or 1-day exploits it can feel overwhelming. How do you keep up with a continuous stream of updates? Ideally by defining your outcome and configuring for success.&lt;/p&gt;

&lt;p&gt;If we break this month’s Patch Tuesday down into parallel remediation streams:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Routine Maintenance: Much of what just released today will fall into your recurring monthly maintenance, which typically starts on Patch Tuesday and runs for two weeks or more depending on your SLAs, OS, productivity apps, third-party apps, etc.&lt;/li&gt;
	&lt;li&gt;Priority updates: Browsers tend to release more frequently (typically weekly) and may warrant a priority update track to keep up with the constant stream of new exposures in your environment. This patch cycle you may be resolving CVEs in multiple browsers from the past four weeks if you don’t have a more frequent update plan in place for the browsers.&lt;/li&gt;
	&lt;li&gt;Zero-day Response: The recent SharePoint exploits are a good example of the disruptive and unpredictable nature of zero-day exploits.&lt;/li&gt;
	&lt;li&gt;Continuous Compliance: The three previous tracks could solve most of your remediation challenges, but what about users who are on vacation, leave of absence, got a new system and shipping bypassed the current month’s maintenance window or installed something new that was not the latest version? Defining a baseline and keeping that updated as new updates pass your quality tests would keep your systems in compliance when the multitude of reasons for drift occur.&lt;/li&gt;
&lt;/ul&gt;
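
&lt;p&gt;As an added example, not code from this post or from Ivanti, the PowerShell below sorts a month’s CVEs into the four streams above and applies the risk-adjusted severity rule these monthly posts use repeatedly: a CVE Microsoft rates Important or lower is treated as Critical once it is known exploited, or once it is publicly disclosed with proof-of-concept code or a high network-exploitable score. The sample records are constructed from the attributes stated in this post; the SharePoint entry carries a placeholder identifier and no CVSS because the post names neither, and its Critical vendor rating is an assumption.&lt;/p&gt;

```powershell
# Added example, not from the Ivanti post. Assigns each CVE a remediation
# stream and a risk-adjusted severity. Inputs are plain objects you would
# normally build from the MSRC or vendor feed; here they are constructed inline.

function Get-RiskAdjustedSeverity {
    param(
        [Parameter(Mandatory)][string]$VendorSeverity,   # Critical | Important | Moderate | Low
        [double]$Cvss = 0.0,
        [bool]$Exploited = $false,
        [bool]$PubliclyDisclosed = $false,
        [string]$CodeMaturity = 'Unproven'               # Unproven | Proof-of-Concept | Functional | High
    )
    # Known exploitation always lifts the rating, whatever the vendor severity or CVSS says.
    if ($Exploited) { return 'Critical' }
    # Public disclosure lifts the rating when working code exists or the score is high;
    # an Unproven disclosure keeps the vendor rating (the 8.0 threshold is a tunable choice).
    if ($PubliclyDisclosed -and ($CodeMaturity -ne 'Unproven' -or $Cvss -ge 8.0)) { return 'Critical' }
    return $VendorSeverity
}

function Get-RemediationStream {
    param([Parameter(Mandatory)][pscustomobject]$Cve)
    if ($Cve.Exploited) { return 'Zero-day Response' }
    # Continuous-release products (browsers) ship roughly weekly and get their own track.
    if ($Cve.Product -in @('Chrome', 'Edge', 'Firefox')) { return 'Priority updates' }
    return 'Routine Maintenance'
}

function Invoke-PatchTriage {
    param([Parameter(Mandatory)][pscustomobject[]]$Cves)
    $streamOrder = @{ 'Zero-day Response' = 0; 'Priority updates' = 1; 'Routine Maintenance' = 2 }
    $Cves | ForEach-Object {
        $sev = @{
            VendorSeverity    = $_.VendorSeverity
            Cvss              = $_.Cvss
            Exploited         = $_.Exploited
            PubliclyDisclosed = $_.PubliclyDisclosed
            CodeMaturity      = $_.CodeMaturity
        }
        [pscustomobject]@{
            Id               = $_.Id
            Product          = $_.Product
            Cvss             = $_.Cvss
            VendorSeverity   = $_.VendorSeverity
            AdjustedSeverity = Get-RiskAdjustedSeverity @sev
            Stream           = Get-RemediationStream -Cve $_
        }
    } | Sort-Object @{ Expression = { $streamOrder[$_.Stream] } }, @{ Expression = 'Cvss'; Descending = $true }
}

# Constructed sample built from what this post states. Cvss = 0.0 means the post
# gives no score; for the exploited SharePoint entry exploitation decides anyway.
$AugustSample = @(
    [pscustomobject]@{ Id = 'CVE-2025-53779'; Product = 'Windows Server 2025'; VendorSeverity = 'Moderate'; Cvss = 7.2; Exploited = $false; PubliclyDisclosed = $true;  CodeMaturity = 'Unproven' }
    [pscustomobject]@{ Id = 'SHAREPOINT-ZERO-DAY (placeholder id)'; Product = 'SharePoint Server'; VendorSeverity = 'Critical'; Cvss = 0.0; Exploited = $true;  PubliclyDisclosed = $true;  CodeMaturity = 'Functional' }
    [pscustomobject]@{ Id = 'APSB25-82 (CVE-2025-54253, CVE-2025-54254)'; Product = 'Adobe Experience Manager Forms'; VendorSeverity = 'Critical'; Cvss = 0.0; Exploited = $false; PubliclyDisclosed = $true;  CodeMaturity = 'Unproven' }
    [pscustomobject]@{ Id = 'Chrome 139.0.7258 (five CVEs)'; Product = 'Chrome'; VendorSeverity = 'Critical'; Cvss = 0.0; Exploited = $false; PubliclyDisclosed = $false; CodeMaturity = 'Unproven' }
    [pscustomobject]@{ Id = 'Exchange Server (August)'; Product = 'Exchange Server'; VendorSeverity = 'Important'; Cvss = 0.0; Exploited = $false; PubliclyDisclosed = $false; CodeMaturity = 'Unproven' }
)

Invoke-PatchTriage -Cves $AugustSample | Format-Table -AutoSize
```

&lt;p&gt;With these inputs the SharePoint entry lands alone in Zero-day Response as Critical, Chrome goes to the Priority updates track, and CVE-2025-53779 stays on Routine Maintenance at its vendor rating because its disclosure is Unproven and its 7.2 score is below the uplift threshold, which matches the author’s read of it. Continuous Compliance is not a per-CVE decision and so is not modelled here; it is a per-device comparison against the baseline the first three tracks produce.&lt;/p&gt;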

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft resolved one publicly disclosed vulnerability in Windows Kerberos (CVE-2025-53779). The CVE is an Elevation of Privilege vulnerability that could allow an attacker to gain domain admin privileges. Microsoft rates the CVE as Moderate, and it has a CVSS score of 7.2. The vulnerability only affects Windows Server 2025.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released thirteen new updates on Patch Tuesday, but the most urgent is the Adobe Experience Manager Forms update released on August 5 resolving two publicly disclosed CVEs (CVE-2025-54253 and CVE-2025-54254). &lt;a href="https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html" rel="noopener" target="_blank"&gt;APSB25-82&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Google Chrome 139.0.7258 released resolving five CVEs and is rated Critical. This will also affect Microsoft Edge so watch for that update to come likely later this week.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;August update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft SharePoint is the top priority this month to resolve recent zero-day exploits being targeted by multiple nation state level threat actors. Update ASAP.&lt;/li&gt;
	&lt;li&gt;Adobe Experience Manager Forms update released on August 5 is your second highest priority.&lt;/li&gt;
	&lt;li&gt;Windows OS and Office have Critical CVEs this month. Get them updated as part of your regular maintenance and you should be good.&lt;/li&gt;
	&lt;li&gt;Microsoft Exchange Server and SQL Server each received updates. The CVEs were only rated as Important, so there is no need to escalate remediation, but server admins should start to test and roll out within the next month.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 12 Aug 2025 22:08:03 Z</pubDate></item><item><guid isPermaLink="false">d95dc7b1-8024-40d9-915e-a4549e38b7fa</guid><link>https://www.ivanti.com/blog/july-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>July 2025 Patch Tuesday</title><description>&lt;p&gt;July Patch Tuesday is a sizable one, but no significant security risk. Microsoft resolved 130 new CVEs, including one public disclosure. There are seven additional CVEs from MITRE regarding vulnerabilities in Git resolved through the Visual Studio update this month. Fourteen CVEs are rated Critical by Microsoft, affecting Windows OS, Office, SharePoint, and SQL.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The DHCP issue caused by the June 2025 update appears to be resolved. It is not reported as a known issue for Windows OS KBs, and some quick querying through Gemini agrees the issue appears to be resolved.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Gemini’s response to the query is below:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;July update server DHCP issue resolved&lt;/p&gt;

&lt;p&gt;Yes, according to information available on July 8, 2025, Microsoft has resolved the DHCP server issue that was caused by the June 2025 security updates.&lt;/p&gt;

&lt;p&gt;Key points:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;June 2025 updates caused the problem: Microsoft's June 2025 Patch Tuesday updates introduced a bug that could cause the DHCP service to freeze or stop responding on Windows Server 2016 through 2025. This issue prevented some clients from renewing their IP addresses.&lt;/li&gt;
	&lt;li&gt;Fix released in July updates: Microsoft released Windows updates on July 8, 2025, and subsequent updates that resolve this issue.&lt;/li&gt;
	&lt;li&gt;Workaround before the fix: Before the July updates were available, the recommended workaround was to uninstall the affected June updates and restart the server, but this left systems vulnerable to security threats patched in those updates.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;The Windows Server OS updates this month resolve 16 CVEs in Windows Routing and Remote Access Service (RRAS). These vulnerabilities could allow an unauthenticated attacker to convince a user to initiate a connection to a malicious server that could allow them to execute arbitrary code. The attack would require no privileges and could be exploited over the network. Applying the updates to the OS is the best solution, but additional mitigations like restricting RRAS ports to trusted networks or VPN concentrators can limit exposure, as well as employing firewall rules and disabling unused RRAS features.&lt;/p&gt;
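
&lt;p&gt;The mitigations above, as an added PowerShell example that is not part of the post: it reports whether the RRAS role and service are present, disables the service where no RRAS feature is installed, and replaces the built-in any-source "Routing and Remote Access" inbound rules with copies scoped to trusted networks. The trusted CIDRs are assumptions to be replaced with your VPN concentrator and management ranges, the scoping assumes the default inbound block policy of Windows Firewall is in effect, and the July OS update remains the actual fix.&lt;/p&gt;

```powershell
# Added example, not from the Ivanti post. Limits RRAS exposure until the July
# update is deployed: report what is installed and listening, disable the service
# where no RRAS feature is in use, and scope the VPN listener ports to trusted nets.

$TrustedNetworks = @('10.20.0.0/16', '192.168.50.0/24')   # assumption: your VPN concentrator / admin ranges

# Protocols an RRAS VPN listener exposes. SSTP shares TCP 443 with anything else
# serving HTTPS on the host, so only scope it on a dedicated RRAS box.
$RrasListeners = @(
    @{ Name = 'PPTP control';    Protocol = 'TCP'; Port = 1723 }
    @{ Name = 'GRE (PPTP data)'; Protocol = '47';  Port = $null }   # IP protocol 47, no port
    @{ Name = 'L2TP';            Protocol = 'UDP'; Port = 1701 }
    @{ Name = 'IKE';             Protocol = 'UDP'; Port = 500 }
    @{ Name = 'IPsec NAT-T';     Protocol = 'UDP'; Port = 4500 }
    @{ Name = 'SSTP';            Protocol = 'TCP'; Port = 443 }
)

function Get-RrasExposure {
    # Get-WindowsFeature exists only on Windows Server; clients still have the service.
    $features = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing |
            Where-Object Installed | Select-Object -ExpandProperty Name
    }
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $openRules = Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object Enabled -eq 'True' | Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        InstalledFeatures = @($features)
        ServiceStatus     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'absent' }
        OpenInboundRules  = @($openRules)
    }
}

function Disable-UnusedRras {
    # Only on a server where no RRAS feature is installed: stop the service and keep it stopped.
    $exposure = Get-RrasExposure
    if ((Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) -and $exposure.InstalledFeatures.Count -eq 0) {
        Stop-Service -Name RemoteAccess -ErrorAction SilentlyContinue
        Set-Service  -Name RemoteAccess -StartupType Disabled
    }
}

function Restrict-RrasToTrustedNetworks {
    param([Parameter(Mandatory)][string[]]$RemoteAddress)
    # The built-in RRAS rules allow from Any; disable them so only the scoped copies apply.
    Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    foreach ($l in $RrasListeners) {
        $name = "RRAS scoped: $($l.Name)"
        # Remove an earlier copy first so the function can be re-run safely.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        $rule = @{
            DisplayName   = $name
            Direction     = 'Inbound'
            Action        = 'Allow'
            Protocol      = $l.Protocol
            RemoteAddress = $RemoteAddress
        }
        if ($l.Port) { $rule.LocalPort = $l.Port }
        New-NetFirewallRule @rule | Out-Null
    }
}

# Usage, elevated, on the RRAS host:
#   Get-RrasExposure
#   Restrict-RrasToTrustedNetworks -RemoteAddress $TrustedNetworks
#   Disable-UnusedRras
```

&lt;p&gt;Check the output of Get-RrasExposure before and after: the built-in "Routing and Remote Access (PPTP-In)", "(L2TP-In)" and "(GRE-In)" rules should drop out of OpenInboundRules, and remote clients outside the trusted ranges should no longer reach the listener. Because these CVEs are triggered by a victim connecting out to a malicious server, the scoping reduces the listener’s exposure but does not substitute for the update.&lt;/p&gt;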

&lt;p&gt;Developers have a bit of work to do on their side this month. Microsoft resolved seven CVEs in Git and two additional CVEs that require a Visual Studio update this month.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure in Microsoft SQL (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49719" rel="noopener" target="_blank"&gt;CVE-2025-49719&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important, and it has a CVSS v3.1 score of 7.5. The code maturity is unproven, which would indicate no code samples. A risk-based prioritization methodology would warrant treating this as Important.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome resolved its fourth zero-day exploit of the year on June 30, so from a risk-based prioritization perspective, Chrome and Edge updates take the focus leading up to Patch Tuesday. &lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt; was resolved in build 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.92 for Linux, which Google indicated would roll out over the coming days/weeks.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released three updates for July Patch Tuesday resolving a total of 11 CVEs. The affected products include Ivanti Connect Secure and Policy Secure, Ivanti EPMM and Ivanti EPM.&lt;/p&gt;

&lt;p&gt;For more details, you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/july-security-update-2025"&gt;July Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;July update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Google Chrome and Microsoft Edge browsers are the top priority this month. Ensure you have deployed the latest updates to resolve the zero-day exploit (&lt;a href="https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html" rel="noopener" target="_blank"&gt;CVE-2025-6554&lt;/a&gt;) that was identified on June 30.&lt;/li&gt;
	&lt;li&gt;Windows Server OS updates are likely the biggest security priority this month, especially for those who experienced the DHCP issues after the June update and had to uninstall the June update.&lt;/li&gt;
&lt;/ul&gt;
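
&lt;p&gt;An added example (not from the post) of the version check behind the browser priority: compare each installed browser’s build against the first fixed build and report what is still exposed. Chrome’s minimum is taken from this post (138.0.7204.96 resolves CVE-2025-6554 on Windows); Firefox’s is taken from the June post on this page (138.0.4 resolved the two Pwn2Own CVEs); Edge is left without a baseline on purpose to show how an unknown is reported. The install paths are the standard 64-bit Windows defaults, and the offline inventory at the end is constructed.&lt;/p&gt;

```powershell
# Added example, not from the Ivanti post. Compares installed browser builds on a
# Windows endpoint with the first fixed build and flags what is still exposed.

$MinimumBuild = @{
    Chrome  = '138.0.7204.96'   # from this post: fixes CVE-2025-6554 (Windows build)
    Firefox = '138.0.4'         # from the June post: fixes the Pwn2Own Berlin CVEs
    # Edge intentionally absent: see how NoBaseline is reported below
}

# Default install locations on 64-bit Windows, checked in order.
$BrowserExecutables = @{
    Chrome  = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe")
    Edge    = @("${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
                "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe")
    Firefox = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe",
                "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe")
}

function Get-InstalledBrowserVersions {
    # Returns Name -> ProductVersion for each browser found on this machine.
    $found = @{}
    foreach ($name in $BrowserExecutables.Keys) {
        $exe = $BrowserExecutables[$name] | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if ($exe) { $found[$name] = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion }
    }
    return $found
}

function Compare-BrowserBaseline {
    param(
        [Parameter(Mandatory)][hashtable]$Installed,   # Name -> version string
        [Parameter(Mandatory)][hashtable]$Minimum      # Name -> first fixed build
    )
    foreach ($name in ($Installed.Keys | Sort-Object)) {
        # [version] compares component by component, so 138.0.7204.96 beats 138.0.7204.50
        # (a plain string comparison would get this wrong once a component changes length).
        $have = [version]$Installed[$name]
        $status = if (-not $Minimum.ContainsKey($name)) { 'NoBaseline' }
                  elseif ($have -ge [version]$Minimum[$name]) { 'Compliant' }
                  else { 'Exposed' }
        [pscustomobject]@{
            Browser   = $name
            Installed = $Installed[$name]
            Minimum   = $Minimum[$name]
            Status    = $status
        }
    }
}

# Offline run with a constructed inventory. On a real endpoint use:
#   Compare-BrowserBaseline -Installed (Get-InstalledBrowserVersions) -Minimum $MinimumBuild
$constructedInventory = @{ Chrome = '138.0.7204.50'; Edge = '138.0.3351.65'; Firefox = '139.0.4' }
Compare-BrowserBaseline -Installed $constructedInventory -Minimum $MinimumBuild | Format-Table -AutoSize
```

&lt;p&gt;The constructed inventory reports Chrome as Exposed (an earlier 138 build than the fix), Firefox as Compliant and Edge as NoBaseline, the state you want surfaced rather than silently passed when a vendor’s fixed build has not been entered yet. Chrome and Edge publish different build numbers for the same Chromium fix, so each needs its own minimum from its own release notes.&lt;/p&gt;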
</description><pubDate>Tue, 08 Jul 2025 21:17:47 Z</pubDate></item><item><guid isPermaLink="false">ba181d8d-6bbb-41d4-9d70-0216bae9cdd8</guid><link>https://www.ivanti.com/blog/june-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>June 2025 Patch Tuesday</title><description>&lt;p&gt;June Patch Tuesday is upon us. There has been a lot of activity in the past few weeks. Mid-May was the &lt;a href="https://www.zerodayinitiative.com/blog?tag=Pwn2Own" rel="noopener" target="_blank"&gt;Pwn2Own Berlin 2025 event&lt;/a&gt;, and the $1M USD in rewards that were paid out came with many newly discovered vulnerabilities affecting Microsoft, Google, Mozilla, VMware, NVIDIA, Oracle and other vendors. Since the event, there have been several updates from many of these vendors, so expect a lot of third-party updates this month from releases leading up to Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Microsoft released updates resolving 66 CVEs, nine of which are rated Critical. In addition, there is one public disclosure and one zero-day exploit. Updates this month affect Windows, Office, SharePoint, Visual Studio, and .NET. The zero-day and public disclosure are both resolved by the Windows OS update this month.&lt;/p&gt;

&lt;p&gt;Third-party updates from Mozilla, Google (including two recent zero-day exploits) and Adobe leading up to Patch Tuesday will add to the load. If your organization is updating applications like browsers on a weekly basis to keep up with continuous release applications commonly used to target end users, you should be up to date on all but Adobe. If not, you will want to ensure to get these queued up for your patch maintenance.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Web Distributed Authoring and Versioning (WebDAV) (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;) which Microsoft has confirmed to be exploited in the wild. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. Risk-based prioritization would treat this as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB Client (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. The code maturity is Proof-of-Concept and the vulnerability is remotely exploitable, which will make this a desirable target for threat actors. A risk-based prioritization methodology would warrant treating this as Critical.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;p&gt;Google Chrome continues their weekly security update cadence. Expect a Chrome update this week to add to the four releases and 14 CVEs resolved since May Patch Tuesday. This includes two zero-day exploits resolved in the past few weeks (CVE-2025-5419 and CVE-2025-4664).&lt;/p&gt;

&lt;p&gt;Mozilla has released multiple security updates since the Pwn2Own Berlin event. The two CVEs exploited in the event were resolved in the May 17 release (Firefox 138.0.4) and since then, Mozilla has released Firefox 139 and 139.0.4, as well as updates for Firefox ESR and Thunderbird. Ensure you have the latest Mozilla updates queued up this Patch Tuesday.&lt;/p&gt;

&lt;p&gt;Adobe has released updates for Acrobat Reader and six other products, resolving 259 CVEs. 225 of these were included in the Experience Manager update, with hefty contributions from a handful of diligent security researchers.&lt;/p&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released one update for June Patch Tuesday resolving a total of three CVEs. The affected product is Ivanti Workspace Control.&lt;/p&gt;

&lt;p&gt;For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/june-security-update"&gt;June Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;June update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is the top priority this month with one zero-day exploit (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053" rel="noopener" target="_blank"&gt;CVE-2025-33053&lt;/a&gt;) and one public disclosure (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073" rel="noopener" target="_blank"&gt;CVE-2025-33073&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Google Chrome should be a top priority if you have not deployed updates for June 2 and earlier, as it will resolve two zero-day exploits (CVE-2025-5419 and CVE-2025-4664).&lt;/li&gt;
	&lt;li&gt;Browsers in general should be updated weekly to keep up with the continuous release cycle. Edge, Chrome and Firefox received multiple updates since May Patch Tuesday, including multiple high-profile disclosures and zero-day exploits.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 10 Jun 2025 20:52:28 Z</pubDate></item><item><guid isPermaLink="false">34200be4-39ae-48b7-bc0f-9ef5f2e9cb32</guid><link>https://www.ivanti.com/blog/patch-tuesday-may-2025</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>May 2025 Patch Tuesday</title><description>&lt;p&gt;May Patch Tuesday resolves five actively exploited and two publicly disclosed vulnerabilities. Spoiler alert: all five zero-days are resolved by deploying the Windows OS update. Also, this month Windows 11 and Server 2025 updates include some new AI features, but they carry a lot of baggage. Literally – they are around 4GB! New AI features include Recall, Click to Do and Improved Windows Search.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a total of 72 new CVEs this month, six of which are rated Critical. The five zero-day vulnerabilities are rated Important, but using a risk-adjusted scoring model they would all be rated Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft exploited vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709" target="_blank" rel="noopener"&gt;CVE-2025-32709&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain administrator privileges. The vulnerability affects Windows Server 2012 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a pair of Elevation of Privilege vulnerabilities in Windows Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706" target="_blank" rel="noopener"&gt;CVE-2025-32706&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701" target="_blank" rel="noopener"&gt;CVE-2025-32701&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerabilities affect all Windows OS versions. The vulnerabilities are confirmed to be exploited in the wild. Microsoft’s severity rating for both CVEs is Important, with a CVSS 3.1 score of 7.8. Risk-based prioritization warrants treating these vulnerabilities as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Microsoft DWM Core Library (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400" target="_blank" rel="noopener"&gt;CVE-2025-30400&lt;/a&gt;) that could allow an attacker to elevate privileges locally to gain SYSTEM privileges. The vulnerability affects Windows 10, Server 2016 and later OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a Memory Corruption vulnerability in Microsoft Scripting Engine (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397" target="_blank" rel="noopener"&gt;CVE-2025-30397&lt;/a&gt;) that could allow an unauthorized attacker to execute code over a network. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft’s severity is rated as Important and it has a CVSS 3.1 score of 7.5. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h2&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h2&gt;

&lt;p&gt;Microsoft resolved a Remote Code Execution vulnerability in Visual Studio (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32702" target="_blank" rel="noopener"&gt;CVE-2025-32702&lt;/a&gt;) that could allow an unauthorized attacker to execute code locally. The vulnerability affects Visual Studio 2019 and 2022. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and the exploitability assessment is Exploitation Less Likely.&lt;/p&gt;

&lt;p&gt;Microsoft resolved an Identity Spoofing vulnerability in Microsoft Defender (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26685" target="_blank" rel="noopener"&gt;CVE-2025-26685&lt;/a&gt;) that could allow an unauthorized attacker to perform spoofing over an adjacent network. The vulnerability affects Microsoft Defender for Identity. The vulnerability has been publicly disclosed, but the code maturity was set to Unproven and exploitability assessment is less likely.&lt;/p&gt;

&lt;h2&gt;Third-party vulnerabilities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe has released 13 updates this month resolving 39 CVEs, 33 of which are Critical. For more details, see &lt;a href="https://helpx.adobe.com/security.html" target="_blank" rel="noopener"&gt;Adobe’s Latest Product Security Updates&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;Google Chrome is expected to release a weekly update shortly, so keep an eye out.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Ivanti security advisory&lt;/h2&gt;

&lt;p&gt;Ivanti has released four updates for May Patch Tuesday resolving a total of four CVEs and one CWE. The affected products include Ivanti Neurons for ITSM (on-prem only), Ivanti ICS, Ivanti Neurons for MDM and Ivanti EPMM.&lt;/p&gt;

&lt;p&gt;The Ivanti EPMM update resolves a medium and a high CVE that when chained together, successful exploitation could lead to unauthenticated remote code execution. Ivanti is aware of a very limited number of customers whose solution has been exploited at the time of disclosure.&lt;/p&gt;

&lt;p&gt;For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/may-2025-security-update"&gt;May Security Update on the Ivanti blog&lt;/a&gt; and &lt;a href="https://www.ivanti.com/blog/epmm-security-update"&gt;EPMM Security Updated&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;May update priorities&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Windows OS is your top priority this month, as it resolves all five of the exploited zero-day CVEs.&lt;/li&gt;
	&lt;li&gt;Ivanti EPMM customers should apply either of the mitigation options or update as soon as possible.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 13 May 2025 22:03:04 Z</pubDate></item><item><guid isPermaLink="false">9933c7b4-38db-4e37-9af3-cdce170e5851</guid><link>https://www.ivanti.com/blog/april-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>April 2025 Patch Tuesday</title><description>&lt;p&gt;April Patch Tuesday appears to be a high count of resolved CVEs, but a low number of high priority risks. Microsoft has resolved 121 new unique CVEs this month, 11 of which are rated critical and one known to be exploited. The zero-day vulnerability is in the Windows OS this month, making that your top priority.&lt;/p&gt;

&lt;p&gt;In addition, Adobe has released 12 updates resolving 54 CVEs. Adobe ColdFusion was rated highest (Priority 1) and resolves 15 CVEs. Adobe Commerce and Experience Manager Forms were rated Priority 2 and resolved five CVEs and two CVEs respectively. The rest of the Adobe lineup was Priority 3.&lt;/p&gt;

&lt;p&gt;Update your browsers! Google Chrome updated this Patch Tuesday resolving two additional CVEs. On April 1, both Mozilla Firefox and Google Chrome updated. Mozilla Firefox resolved eight CVEs, and Chrome resolved thirteen CVEs. Microsoft Edge (Chromium) updated on April 3 in response to the April 1 Chrome update, which means we will have an additional Edge update coming later this week.&lt;/p&gt;

&lt;p&gt;Oracle is due to release their quarterly CPU on April 15, so keep an eye out for Oracle updates including Java, which will kick off the domino effect of alternative Java frameworks getting updates through the end of April and into early May.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;) that could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all Windows OS versions. The vulnerability is confirmed to be exploited in the wild. Microsoft severity is rated as Important and has CVSS 3.1 of 7.8. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Adobe released updates for most of the Creative Suite including After Effects, Animate, Bridge, Illustrator, Media Encoder, Photoshop and Premiere Pro.&lt;/li&gt;
	&lt;li&gt;Google Chrome released an update resolving two CVEs. Expect Edge to be released later this week.&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/#CriticalPatchUpdates" target="_blank" rel="noopener"&gt;Oracle’s quarterly CPU is scheduled for April 15, 2025&lt;/a&gt;. Expect updates for a number of Oracle products, but this release will also kick off the domino effect on all Java frameworks like RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released one update for April Patch Tuesday resolving a total of six CVEs. The affected products include Ivanti EPM 2022 and EPM 2024. For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/april-security-update"&gt;April Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;April update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS is your top priority this month, with the only zero-day exploit reported (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824" target="_blank" rel="noopener"&gt;CVE-2025-29824&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Update all of your browsers! Last week Mozilla, Chrome and Edge received updates, and an additional Chrome update was released on Patch Tuesday. If you have not already, you should consider moving browser updates to a weekly cadence to reduce exposure time, as Chrome and Edge will receive weekly updates, and Firefox typically has two to three updates per month.&lt;/li&gt;
	&lt;li&gt;Expect Oracle updates on April 15 and additional updates for Java frameworks over the next few weeks.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 08 Apr 2025 21:19:58 Z</pubDate></item><item><guid isPermaLink="false">63dbc7eb-03a8-4a08-92c7-8977b81ba969</guid><link>https://www.ivanti.com/blog/march-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Management</category><category>Patch Tuesday</category><category>Security</category><title>March 2025 Patch Tuesday</title><description>&lt;p&gt;Here in the Midwest US, we have a saying about March, “In like a lion, out like a lamb.” This is in reference to the month starting with strong winter weather and letting off as the month progresses. In fact, we just had a blizzard that dropped 9-12 inches of snow across most of the region overnight, but a week later I see grass and sunny skies and have shed the winter coat!&lt;/p&gt;

&lt;p&gt;At first glance, March Patch Tuesday looks like a lamb, but this lamb might have the teeth of a lion. The standard lineup of updates resolves 57 CVEs across the Windows OS, Office, .Net and Visual Studio, with a couple of Azure component updates in the mix. Google Chrome updated in the lead up to Patch Tuesday (March 10 update), and Adobe released seven updates, including Adobe Acrobat and Acrobat Reader.&lt;/p&gt;

&lt;p&gt;Now let’s talk teeth. There are seven known exploited CVEs for the March lineup.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft resolved six known exploited CVEs. The zero-day exploits affect the Microsoft Management Console, NTFS, Fast FAT, and the Win32 Kernel Subsystem. All six exploits are rated Important with CVSS scores ranging from 4.6 to 7.8. The good news is all six are resolved by the March Windows OS update, so the majority of the immediate risk is resolved by that one update.&lt;/li&gt;
	&lt;li&gt;Google resolved one known exploited CVE (&lt;a href="https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html" target="_blank" rel="noopener"&gt;CVE-2025-24201&lt;/a&gt;), which according to the release notes from Google is an out-of-bounds write in GPU on Mac reported by the Apple Security Engineering and Architecture (SEAR) team – so likely only a concern for Mac users. (Based on Microsoft’s release notes, it looks like Edge has not yet resolved the five CVEs in the March 10 Chrome release.)&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass in Microsoft Management Console (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633" rel="noopener" target="_blank"&gt;CVE-2025-26633&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker would need to take additional actions to prepare the target environment for exploitation, but the vulnerability allows for a variety of user-targeted tactics, including instant message, email and web-based attack scenarios. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24993" rel="noopener" target="_blank"&gt;CVE-2025-24993&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure vulnerability in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24991" rel="noopener" target="_blank"&gt;CVE-2025-24991&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 5.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Windows Fast FAT File System Driver (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24985" rel="noopener" target="_blank"&gt;CVE-2025-24985&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Information Disclosure vulnerability in Windows NTFS (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24984" rel="noopener" target="_blank"&gt;CVE-2025-24984&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 4.6. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Win32 Kernel Subsystem (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24983" rel="noopener" target="_blank"&gt;CVE-2025-24983&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.0. The vulnerability affects older Windows editions including Windows 10 and Server 2008 to Server 2016. Microsoft has confirmed that this CVE is exploited in the wild. If exploited, the attacker could gain SYSTEM-level privileges. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft’s publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Remote Code Execution vulnerability in Microsoft Access (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26630" rel="noopener" target="_blank"&gt;CVE-2025-26630&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Access 2016, Office 2019, Office LTSC 2021 and 2024, and Microsoft 365 Apps for Enterprise. Microsoft has confirmed that this CVE has been publicly disclosed, but the exploit code maturity is listed as Unproven. The disclosure could provide attackers with some additional information to formulate an exploit, but the lack of code samples will increase the effort required. Risk-based prioritization would indicate a slightly higher risk for a disclosure without functional code, but not enough to bump this CVE up to Critical.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Google Chrome released updates on March 10 resolving five CVEs, including one known exploited CVE (&lt;a href="https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html" rel="noopener" target="_blank"&gt;CVE-2025-24201&lt;/a&gt;). The exploit is documented as an out-of-bounds write in GPU on Mac. The priority is higher for macOS than Windows for this update.&lt;/li&gt;
	&lt;li&gt;Adobe released seven updates resolving 37 CVEs. The updates affect Adobe Acrobat and Reader, Illustrator, InDesign, Substance 3D Sampler, Painter, Modeler and Designer. All seven updates are rated priority three and can be handled in the course of your monthly update activities.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released two updates for the March Patch Tuesday resolving a total of two CVEs. The affected products are Ivanti Secure Access Client (ISAC) and Ivanti Neurons for MDM (N-MDM). For more details you can view the updates and information provided in the &lt;a href="https://www.ivanti.com/blog/march-security-update"&gt;March Security Update on the Ivanti blog&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;March update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;The Windows OS update is the top priority update this month resolving six known exploited CVEs.&lt;/li&gt;
	&lt;li&gt;The March 10 Google Chrome update resolves one known exploited vulnerability on macOS, making the macOS Chrome update a priority.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Mar 2025 21:27:51 Z</pubDate></item><item><guid isPermaLink="false">e53e52e2-cdc6-4819-8a27-1e9fa5f4f45d</guid><link>https://www.ivanti.com/blog/february-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><category>Patch Management</category><title>February 2025 Patch Tuesday</title><description>&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="platform" value="youtube"&gt;&lt;param name="id" value="ojvY_mN7CMc"&gt;&lt;param name="cms_type" value="video"&gt;&lt;/object&gt;&lt;/p&gt;

&lt;p&gt;February Patch Tuesday is ramping up with releases from Adobe and Microsoft and an expected release from Google. Adobe resolved 45 CVEs across seven updates. The largest and highest priority is Adobe Commerce, which resolves 30 CVEs. Microsoft is coming down off a huge January release and only resolved 56 new CVEs this February. There are two new zero-day exploits and a revised Secure Boot zero-day in the mix, making the Windows OS a top priority this month.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418" rel="noopener" target="_blank"&gt;CVE-2025-21418&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker who exploited this vulnerability could gain SYSTEM privileges. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows Storage (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21391" rel="noopener" target="_blank"&gt;CVE-2025-21391&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Windows 10 to 11 and Server 2016 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has revised the previously resolved Security Feature Bypass in Secure Boot (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932" rel="noopener" target="_blank"&gt;CVE-2023-24932&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.7. The advisory was updated to include Windows 11 24H2 and Server 2025, as they are also affected by this known exploited and publicly disclosed vulnerability. Additionally, Microsoft has released a more comprehensive update for all affected versions to fully protect against this vulnerability. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved an NTLM Hash Disclosure Spoofing vulnerability (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21377" rel="noopener" target="_blank"&gt;CVE-2025-21377&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is publicly disclosed. The temporal metrics indicate Exploit Code Maturity is Functional, further increasing the risk of exploitation. Risk-based prioritization warrants treating this vulnerability as Critical.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved a Security Feature Bypass in Microsoft Surface (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21194" rel="noopener" target="_blank"&gt;CVE-2025-21194&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Microsoft Surface and Surface Dev Kit systems. Microsoft has confirmed that this vulnerability is publicly disclosed, but the code maturity is unproven.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;p&gt;Adobe released updates for InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements, resolving a total of 45 CVEs. Six of the updates are Priority 3. Adobe Commerce is set to Priority 1. The Commerce update resolves 30 of the 45 total CVEs Adobe resolved this month and warrants more immediate attention.&lt;/p&gt;

&lt;p&gt;Google Chrome is expected to update later today, which will trigger updates for Chromium-based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.&lt;/p&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released five product updates resolving 11 CVEs, four of which are Critical. The affected products include Ivanti Cloud Service Application, Ivanti Neurons for MDM, Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Secure Access Client. At the time of release, Ivanti is not aware of any exploitation or public disclosures for the 11 resolved CVEs. For more information, &lt;a href="https://www.ivanti.com/blog/february-security-update"&gt;see the February Security Advisory page.&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;February update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft Windows is the top priority this month, with three known exploited CVEs, two publicly disclosed vulnerabilities resolved and two Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Browsers are a prime vector for attackers targeting users. While including browsers in your monthly update process is recommended, a monthly cadence alone leaves a lot of CVEs exposed in between cycles. It’s recommended to move browsers to a weekly Priority Updates cadence. Mozilla Firefox releases two to three times a month. Google Chrome has been releasing security updates weekly since &lt;a href="https://security.googleblog.com/2023/08/an-update-on-chrome-security-updates.html" rel="noopener" target="_blank"&gt;August 2023&lt;/a&gt;. The Chromium-based Microsoft Edge has also been releasing weekly. Updating all browsers on a weekly basis is recommended to keep up with the steady stream of security fixes.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 11 Feb 2025 22:45:40 Z</pubDate></item><item><guid isPermaLink="false">685583a1-a416-485a-a172-a083f2e8bf48</guid><link>https://www.ivanti.com/blog/january-2025-patch-tuesday</link><atom:author><atom:name>Chris Goettl</atom:name><atom:uri>https://www.ivanti.com/blog/authors/chris-goettl</atom:uri></atom:author><category>Patch Tuesday</category><category>Patch Management</category><category>Security</category><title>January 2025 Patch Tuesday</title><description>&lt;p&gt;Microsoft has released updates resolving 159 unique CVEs for January. Among the lineup are three zero-day exploits and five publicly disclosed vulnerabilities. The exploited CVEs are all targeting Windows Hyper-V NT Kernel Integration VSP, making the OS update this month your most urgent priority. The public disclosures impact Windows Themes, Windows App Package Installer and three CVEs for Microsoft Access. There are 10 CVEs rated Critical affecting the components of the Windows OS and Microsoft Excel.&lt;/p&gt;

&lt;h3&gt;Microsoft exploited vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved three Elevation of Privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333" target="_blank" rel="noopener"&gt;CVE-2025-21333&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21334" target="_blank" rel="noopener"&gt;CVE-2025-21334&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335" target="_blank" rel="noopener"&gt;CVE-2025-21335&lt;/a&gt;). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. These vulnerabilities affect Microsoft Windows versions 10, 11 and Server 2025. Microsoft is aware of exploitation of these vulnerabilities. Risk-based prioritization warrants treating these vulnerabilities as Critical.&lt;/p&gt;

&lt;h3&gt;Microsoft publicly disclosed vulnerabilities&lt;/h3&gt;

&lt;p&gt;Microsoft has resolved a Spoofing Vulnerability in Windows Themes (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21308" rel="noopener" target="_blank"&gt;CVE-2025-21308&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects Windows 10 and 11 as well as Server 2012 up to Server 2025. The CVE has been publicly disclosed, increasing the risk of exploitation. There are mitigations that could reduce the risk of this vulnerability or future security risks. For more details, refer to the Mitigations section of the CVE page.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved an Elevation of Privilege vulnerability in Windows App Package Installer (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21275" rel="noopener" target="_blank"&gt;CVE-2025-21275&lt;/a&gt;). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Windows versions 10, 11, and Server 2025. If exploited, an attacker could gain SYSTEM level privileges. The CVE has been publicly disclosed, increasing the risk of exploitation.&lt;/p&gt;

&lt;p&gt;Microsoft has resolved three Remote Code Execution vulnerabilities in Microsoft Access (&lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21186" rel="noopener" target="_blank"&gt;CVE-2025-21186&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21395" rel="noopener" target="_blank"&gt;CVE-2025-21395&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21366" rel="noopener" target="_blank"&gt;CVE-2025-21366&lt;/a&gt;). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. The vulnerabilities affect Microsoft Office 2019, Access 2016, Office LTSC 2021 and 2024 and Microsoft 365 Apps. The CVEs have been publicly disclosed, increasing the risk of exploitation.&lt;/p&gt;

&lt;h3&gt;Third-party vulnerabilities&lt;/h3&gt;

&lt;p&gt;Oracle’s Quarterly CPU is scheduled to release on January 21, so be prepared for updates for Oracle solutions, including Java. Once the Java release is out, expect all of the Java-based frameworks to update over the next few weeks.&lt;/p&gt;

&lt;p&gt;Adobe has released updates for Photoshop, Substance 3D Stager, Illustrator on iPad, Animate and Substance 3D Designer, resolving a total of 14 CVEs. All of the CVEs resolved are rated as Critical, but no exploitation or disclosures have been reported.&lt;/p&gt;

&lt;p&gt;Expect Google Chrome’s weekly security update today or tomorrow along with an update for Microsoft Edge shortly after.&lt;/p&gt;

&lt;h3&gt;Ivanti security advisory&lt;/h3&gt;

&lt;p&gt;Ivanti has released three product updates resolving 20 CVEs. The affected products include Ivanti Avalanche, Ivanti Application Control Engine and Ivanti Endpoint Manager. Ivanti is not aware of any exploitation or public disclosures for the 20 resolved CVEs. For more information, see the &lt;a href="https://www.ivanti.com/blog/january-security-update"&gt;January Patch Tuesday Security Advisory page&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;January update priorities&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;Microsoft Windows is the top priority this month, with three known exploited CVEs, two publicly disclosed vulnerabilities resolved and eight Critical CVEs.&lt;/li&gt;
	&lt;li&gt;Microsoft Office is next in priority from a risk-based perspective. The update this month resolved three publicly disclosed CVEs in Access and two Critical CVEs in Excel. The two Excel CVEs could use the Preview Pane as an attack vector, making them ideal targets for threat actors.&lt;/li&gt;
	&lt;li&gt;Ensure your browsers are all up to date. Mozilla released last week and Google Chrome and Microsoft Edge update weekly with security fixes.&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Tue, 14 Jan 2025 23:35:11 Z</pubDate></item></channel></rss>