Patching Frequency for Zero-Day Vulnerabilities is Deteriorating

Written by Robert Hannigan, Head of BlueVoyant International Business

Employing good patch management practices and regularly applying updates to software, drivers and firmware is an obvious step towards protecting your infrastructure against known vulnerabilities. Effective patch management also keeps systems performing well and supports productivity. Yet not every organisation is keeping up with zero-days, which this report also refers to as emerging vulnerabilities.

Good patching hygiene, especially around zero-day vulnerabilities, is not a given, according to BlueVoyant's latest External Cyber Defence Trends report.

On the face of it, patching appears to be one of the easier problems to address quickly. Here we analyse the issue and why poor patching practice persists.

An upswing in unpatched zero-day vulnerabilities

Our report indicates a continued upswing in unpatched zero-day (emerging) vulnerabilities. This first came to light in our 2023 report, which identified slow patching of newly disclosed vulnerabilities as a problem. This year the picture has worsened, with our data confirming that patching cadence has become an even more pressing issue.

Below we delve into one example: the WS_FTP Server zero-day vulnerability.

In September 2023, a critical zero-day vulnerability was identified in Progress Software's WS_FTP Server, affecting versions prior to 8.7.4 and 8.8.2 (the fixed releases on the two maintained branches). It allowed an attacker to execute commands on the server's underlying operating system by sending a specially crafted POST request to a vulnerable server.

This was one of eight vulnerabilities affecting WS_FTP Server that Progress Software announced on 27 September 2023. Progress acknowledged them promptly and released patches addressing all eight.

Our threat intelligence team has observed that the time between the disclosure of a zero-day vulnerability and its exploitation by threat actors has continued to shrink. This suggests that adversaries are increasingly prepared to capitalise immediately on newly disclosed vulnerabilities, creating a high-stakes race between attackers and defenders from the moment of disclosure.

Visibility into which organisations still expose exploitable instances shows that patching cadence for newly disclosed zero-day vulnerabilities is far from ideal: more than 65% of emerging vulnerabilities were still exposed 14 days after disclosure.
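To make the two measurements above concrete, here is an added example (not code from BlueVoyant or Progress Software). It does two things the text relies on: it decides whether an observed WS_FTP Server version is still exposed, given that the fix shipped as two branch-specific releases (8.7.4 and 8.8.2) so that a naive "below 8.8.2" test would misclassify a patched 8.7.4 install, and it computes what share of organisations that were vulnerable on disclosure day remain exposed 14 days later. The scan records, organisation names and the `Observation` type are constructed for illustration; the disclosure date and fixed versions are those given in the text.

```python
# Added example for this post (not code from BlueVoyant or Progress Software).
# Branch-aware exposure check for WS_FTP Server plus a patching-cadence
# metric over constructed scan records.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

DISCLOSURE = date(2023, 9, 27)  # Progress advisory date given in the text

# Fixed release per maintained branch, from the advisory. A single test such as
# version < 8.8.2 would wrongly flag 8.7.4 (patched) as exposed, and comparing
# version *strings* would misorder "8.10.0" against "8.8.2", hence integer tuples.
FIXED_BY_BRANCH = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}


def parse_version(text: str) -> tuple[int, ...]:
    """'8.7.3' -> (8, 7, 3); any trailing build segment is kept."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True if this WS_FTP Server version predates its branch's fixed release."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Branches older than 8.7 have no fixed release and must be upgraded;
    # anything newer than 8.8 postdates both fixes.
    return branch < (8, 7)


@dataclass(frozen=True)
class Observation:
    """One external scan result: which org, when, and the version seen."""
    org: str
    seen: date
    version: str


def _vulnerable_at_disclosure(observations, disclosure):
    """Group scans by org and keep only orgs whose last scan on or before
    disclosure showed a vulnerable version. Returns org -> scans after disclosure."""
    by_org: dict[str, list[Observation]] = {}
    for obs in observations:
        by_org.setdefault(obs.org, []).append(obs)
    cohort = {}
    for org, scans in by_org.items():
        scans.sort(key=lambda o: o.seen)
        baseline = [o for o in scans if o.seen <= disclosure]
        if baseline and is_vulnerable(baseline[-1].version):
            cohort[org] = [o for o in scans if o.seen > disclosure]
    return cohort


def remediation_days(observations, disclosure=DISCLOSURE):
    """Days from disclosure to the first scan showing a fixed version, for each
    org vulnerable at disclosure; None if no such scan exists yet (censored)."""
    result = {}
    for org, later in _vulnerable_at_disclosure(observations, disclosure).items():
        fixed = [o for o in later if not is_vulnerable(o.version)]
        result[org] = (fixed[0].seen - disclosure).days if fixed else None
    return result


def exposure_after(observations, days, disclosure=DISCLOSURE):
    """Fraction of the disclosure-day vulnerable cohort still exposed `days`
    later. Orgs never re-scanned as fixed count as exposed, the conservative
    reading of right-censored data."""
    ttr = remediation_days(observations, disclosure)
    if not ttr:
        return 0.0
    still_exposed = sum(1 for d in ttr.values() if d is None or d > days)
    return still_exposed / len(ttr)


# Constructed scan records (not real organisations or observations).
SAMPLE = [
    Observation("acme", date(2023, 9, 20), "8.7.3"),
    Observation("acme", date(2023, 9, 29), "8.7.4"),     # fixed on day 2, stayed on 8.7
    Observation("bravo", date(2023, 9, 25), "8.8.1"),
    Observation("bravo", date(2023, 10, 20), "8.8.2"),   # fixed on day 23
    Observation("charlie", date(2023, 9, 26), "8.6.0"),  # never re-scanned
    Observation("delta", date(2023, 10, 3), "8.8.2"),    # no pre-disclosure baseline
]

if __name__ == "__main__":
    print(remediation_days(SAMPLE))
    print(f"still exposed at day 14: {exposure_after(SAMPLE, 14):.0%}")
```

Two choices matter for the headline number. Using the last scan on or before disclosure as the baseline keeps organisations that only appear in later scans (like `delta`) out of the cohort, so they cannot inflate or deflate the rate; and treating organisations with no subsequent fixed observation as still exposed errs on the side of the defender, since an absent rescan is not evidence of a patch.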

The importance of third-party monitoring systems

In many instances, organisations are unable to patch systems in a timely manner, leaving a prolonged window of exposure that threat actors can readily take advantage of. The situation is aggravated when the vulnerability is a newly disclosed, high-profile zero-day, because there is no prior warning and organisations must respond swiftly and comprehensively from a standing start.

However, third-party monitoring can significantly improve an organisation's situational awareness and, with it, its patching rate. By identifying every critical supplier affected by an emerging vulnerability, organisations gain a strategic advantage: they can direct mitigation efforts at each affected vendor and ensure a coordinated, effective response. The difference is significant when comparing the patching cadences of companies that keep their third parties under continuous monitoring with those that do not.

Speed and coverage are paramount in this context. The announcement of newly discovered zero-day vulnerabilities initiates a race, and adversaries immediately begin building capabilities to identify and exploit entities within the supply chain.

This necessitates ongoing monitoring and the identification of all critical suppliers affected by emerging vulnerabilities, as well as the follow-up on remediation efforts to ensure that all vulnerabilities are addressed promptly. By staying ahead in this race, organisations can significantly reduce their exposure to threats, reinforcing their external cyber defences in an increasingly volatile threat landscape.

Risk reduction best practices

Organisations should follow the best practices below to reduce the risk from unpatched zero-day vulnerabilities:

  • Ensure timely and effective patching across your organisation and your third-party ecosystem. Effective patching safeguards not only your organisation but also everyone who connects to it.
  • Leverage continuous monitoring services to identify instances of newly disclosed vulnerabilities in your third parties' estates, and make those third parties aware of them.
  • Follow up with third parties to confirm that the patches have been applied and the vulnerabilities closed.
  • Externally facing assets are the first line of attack, so patching known vulnerabilities in those assets first gives the best risk reduction for the resources spent.

Ultimately, attackers can use a zero-day vulnerability to steal critical and sensitive data. They may use that data to steal money, sell it to other criminals on the dark web, commit identity theft or extort the victim.

Good patching cadence will limit the risk, so we would strongly urge organisations to prioritise zero-day patching and to look at leveraging continuous monitoring services to quickly identify instances of newly disclosed vulnerabilities.