In November 2024, during Operation Lunar Peek, attackers were able to gain unauthenticated remote admin access and eventually root access to over 13,000 exposed Palo Alto Networks management interfaces. This breach was a result of vulnerabilities scored at 9.3 and 6.9 under CVSS v4.0, and at 9.8 and 7.2 under CVSS v3.1, showcasing the discrepancies in scoring systems. The lower score of 6.9 fell below patch thresholds, while the higher score of 9.3 was queued for maintenance. This disconnect in scoring systems allowed adversaries to exploit the vulnerabilities by chaining them together.
Adam Meyers, the Senior Vice President of Counter Adversary Operations at CrowdStrike, highlighted the flaw in triage logic that failed to recognize the chain of vulnerabilities. This incident shed light on the limitations of scoring vulnerabilities individually, as adversaries often exploit multiple vulnerabilities in a sequence.
The article delves into five triage failure classes that CVSS was not designed to catch. Firstly, the concept of chained CVEs, where vulnerabilities may appear safe in isolation but can be exploited when combined. Secondly, nation-state adversaries who weaponize patches within days of disclosure, exploiting vulnerabilities before organizations can patch them. Thirdly, stockpiled CVEs used by adversaries over extended periods, as seen in the Salt Typhoon attack on U.S. political figures. Fourthly, identity gaps that fall outside the scoring system, such as human process vulnerabilities like social engineering attacks. Finally, the challenge of AI-accelerated discovery overwhelming existing vulnerability management pipelines.
The article also discusses the exponential increase in CVE disclosures, with projections reaching 70,135 for 2026. This surge in vulnerabilities poses a significant challenge to existing scoring systems and vulnerability management processes. The need for a more holistic approach to prioritizing and addressing vulnerabilities is emphasized, moving beyond the limitations of CVSS scores.
To address the growing volume of vulnerabilities, CrowdStrike launched Project QuiltWorks, a remediation coalition formed with leading cybersecurity firms and AI experts. This initiative aims to tackle the influx of vulnerabilities generated by frontier AI models and enhance remediation efforts in response to the evolving threat landscape. When five major companies join forces to fix a pipeline problem, the implication is clear: no single organization’s patch workflow can keep pace with the rate at which threats now evolve. This collaboration highlights the importance of a unified approach to tackling security vulnerabilities.
As a security director, it is crucial to take specific actions to address the various failure classes identified in the coalition’s efforts. These actions are designed to enhance the organization’s security posture and mitigate potential risks effectively.
The first action is to conduct a thorough chain-dependency audit on every Key Exploit Vector (KEV) Common Vulnerabilities and Exposures (CVE) in the environment within a month. Identifying co-resident CVEs with a score of 5.0 or above is essential, as these vulnerabilities often lead to privilege escalation and lateral movement within the network. Any pair of vulnerabilities chaining authentication bypass to privilege escalation should be prioritized as critical, regardless of their individual scores.
Next, it is crucial to tighten the KEV-to-patch Service Level Agreements (SLAs) for internet-facing systems to 72 hours. The data presented in the CrowdStrike 2026 Global Threat Report emphasizes the need for quick patching to prevent potential exploits. Weekly patch windows are no longer defensible in the face of evolving cyber threats.
Creating a monthly KEV aging report for the board is another essential action. This report should include details on every unpatched KEV CVE, the number of days since disclosure, days since patch availability, and the responsible owner. The Salt Typhoon incident, where a Cisco CVE was exploited 14 months after a patch was available, highlights the importance of addressing aging exposures promptly.
Implementing identity-surface controls in the vulnerability reporting pipeline is also crucial. Authentication gaps in help desk systems and AI credential inventories need to be addressed within the same governance framework as software vulnerabilities. Siloed governance structures can lead to oversight and increased risk exposure.
Lastly, stress-testing the pipeline capacity at 1.5x and 10x the current CVE volume is essential. With projections estimating a significant increase in CVE volume in the coming years, it is vital to identify and address any capacity gaps proactively. Presenting this information to the CFO before the next budget cycle can help secure necessary resources to enhance the organization’s security infrastructure.
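The first and third actions above (the chain-dependency audit and the monthly KEV aging report) can be expressed as a small triage script. This is an added example, not code from the article or from CrowdStrike; the `Finding` record, the `kind` labels and the CVE ids and dates in the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:
    cve: str                       # constructed placeholder ids, not real CVEs
    asset: str                     # host the finding is resident on
    score: float                   # CVSS base score as the scanner recorded it
    kind: str                      # "auth_bypass", "priv_esc" or "other"
    kev: bool                      # listed in the KEV catalog
    disclosed: date
    patch_available: Optional[date]
    patched: bool
    owner: str

CHAIN_FLOOR = 5.0   # co-resident CVEs at or above this score are audited

def chain_criticals(findings):
    """Pairs (auth-bypass CVE, priv-esc CVE, asset) where a KEV CVE chains with a
    co-resident CVE on one host. Flagged critical regardless of individual scores."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    crit = set()
    for asset, fs in by_asset.items():
        for k in (f for f in fs if f.kev):
            for g in fs:
                if g is k or g.score < CHAIN_FLOOR:
                    continue
                if {k.kind, g.kind} == {"auth_bypass", "priv_esc"}:
                    b, e = (k, g) if k.kind == "auth_bypass" else (g, k)
                    crit.add((b.cve, e.cve, asset))
    return sorted(crit)

def kev_aging(findings, today):
    """Rows for the monthly board report: every unpatched KEV CVE with days since
    disclosure, days since a fix shipped (None if no fix yet) and its owner."""
    rows = []
    for f in findings:
        if f.kev and not f.patched:
            since_fix = (today - f.patch_available).days if f.patch_available else None
            rows.append({"cve": f.cve, "asset": f.asset, "owner": f.owner,
                         "days_since_disclosure": (today - f.disclosed).days,
                         "days_since_patch": since_fix})
    return sorted(rows, key=lambda r: -r["days_since_disclosure"])

# Constructed sample inventory: one host carries a 9.3 bypass next to a 6.9 escalation
SAMPLE = [
    Finding("CVE-0000-0001", "fw-edge-01", 9.3, "auth_bypass", True, date(2024, 11, 18), date(2024, 11, 18), False, "netops"),
    Finding("CVE-0000-0002", "fw-edge-01", 6.9, "priv_esc", False, date(2024, 11, 18), date(2024, 11, 18), False, "netops"),
    Finding("CVE-0000-0003", "app-02", 4.2, "priv_esc", False, date(2024, 1, 5), date(2024, 2, 1), True, "appsec"),
    Finding("CVE-0000-0004", "app-02", 9.8, "auth_bypass", True, date(2023, 9, 1), None, False, "appsec"),
]
```

On the sample, the 6.9 escalation that would sit below a patch threshold on its own is promoted to critical because it shares a host with the KEV bypass, while the 4.2 finding on app-02 stays out of scope under the 5.0 floor.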
By taking these specific actions, security directors can strengthen their organization’s security posture and effectively address the challenges posed by evolving cyber threats. Collaboration and proactive measures are key to staying ahead of potential vulnerabilities and mitigating risks effectively.
