Missing Security Patches

Missing security patches refer to systems that have not been updated with vendor-released security fixes for known vulnerabilities. Unlike outdated software (which has reached end-of-life), systems with missing patches are running supported software versions but have not had available updates applied in a timely manner. This gap between patch availability and patch deployment creates a window of vulnerability that attackers actively exploit, often within hours or days of a patch being released through analysis of the patch diff (known as "n-day" exploitation).

Patch management is a perennial challenge for organisations of all sizes. Enterprise environments typically contain thousands of systems running diverse operating systems, applications, and firmware versions, each with their own patching cadence and dependencies. Common reasons for delayed patching include concerns about system stability, application compatibility, the operational overhead of testing and deploying patches, maintenance window constraints, and simply a lack of mature patch management processes. The result is that many organisations have a significant number of systems missing critical patches at any given time.

The severity of missing patches is amplified by the modern threat landscape. Vulnerability exploitation is increasingly rapid: researchers have documented cases where exploit code appears within 24 hours of a patch release. Ransomware groups, nation-state actors, and initial access brokers all prioritise targeting recently patched vulnerabilities, knowing that many organisations lag behind on patch deployment. High-profile examples include the exploitation of Microsoft Exchange ProxyShell/ProxyLogon vulnerabilities, Log4Shell, and PrintNightmare, where widespread exploitation occurred while many systems remained unpatched.

Attackers identify missing patches through both passive and active reconnaissance. Passive methods include monitoring vendor security advisories, CVE databases, and security mailing lists to identify newly disclosed vulnerabilities and their affected software versions. Active methods involve scanning target systems to determine their exact patch level. Version-specific probes, authenticated vulnerability scans, and banner analysis can reveal which patches have and have not been applied. For Windows systems, tools like CrackMapExec can remotely enumerate the OS build number, which directly maps to specific cumulative update levels.

Once a missing patch is identified, the attacker obtains or develops an exploit. For widely deployed software (Windows, Exchange, Apache, etc.), exploit modules are frequently available in Metasploit, published on Exploit-DB, or sold through vulnerability brokers. The attacker may also perform "patch diffing" - comparing the patched and unpatched versions of a binary to understand exactly what vulnerability was fixed and reverse-engineer an exploit. Tools like BinDiff, Ghidra, and IDA Pro facilitate this process. For example, analysing the binary changes in a Windows cumulative update can reveal the specific vulnerable code paths that the patch addresses.

The exploitation of missing patches often provides significant access. Remote code execution (RCE) vulnerabilities allow the attacker to execute arbitrary commands on the target without authentication. Privilege escalation vulnerabilities enable an attacker with limited access to gain SYSTEM or root privileges. Authentication bypass vulnerabilities allow circumventing login mechanisms entirely. The most dangerous are pre-authentication RCE vulnerabilities in internet-facing services, which can be exploited from the internet without any credentials. Notable examples include EternalBlue (MS17-010) for SMBv1, BlueKeep (CVE-2019-0708) for RDP, ProxyShell for Exchange, and various Apache Struts RCE vulnerabilities.

• Remote code execution on unpatched systems, potentially without authentication, granting the attacker complete control
• Privilege escalation from low-privileged access to SYSTEM/root through local exploits targeting unpatched kernel or service vulnerabilities
• Mass exploitation during vulnerability outbreaks (e.g., WannaCry, NotPetya, Log4Shell) affecting all unpatched systems simultaneously
• Initial access for ransomware operators who specifically target known vulnerabilities with available patches
• Data breach through exploitation of unpatched web servers, application servers, or database platforms
• Regulatory fines and compliance failures, as most frameworks mandate timely patch application (PCI DSS Requirement 6.3, HIPAA, SOX)
• Supply chain compromise when unpatched partner or vendor systems are exploited to access the target organisation
• Reputational damage from breaches attributable to known, patched vulnerabilities that the organisation failed to address

1. Implement an enterprise patch management solution (WSUS, SCCM, Intune, Ansible, Puppet, or commercial solutions like Ivanti, ManageEngine, or Automox) to automate patch deployment across all operating systems and applications
2. Establish risk-based patch prioritisation using CVSS scores, EPSS (Exploit Prediction Scoring System), and CISA KEV (Known Exploited Vulnerabilities) catalog to focus on the most dangerous vulnerabilities first
3. Define and enforce patch SLAs based on severity: critical/actively exploited vulnerabilities within 48-72 hours, high severity within 7 days, medium within 30 days, and low within 90 days
4. Create a dedicated patch testing environment that mirrors production to validate patches before deployment, reducing the risk of stability issues that cause patching delays
5. Implement emergency patching procedures for zero-day and actively exploited vulnerabilities that bypass normal change management timelines, with pre-authorised emergency change windows
6. Deploy compensating controls (WAF rules, IPS signatures, EDR custom rules, network-level blocking) as temporary mitigations for vulnerabilities that cannot be immediately patched
7. Conduct monthly vulnerability scanning with authenticated scans (using tools like Nessus, Qualys, or Rapid7) to measure patch compliance and identify gaps across the environment
8. Generate and review patch compliance reports weekly, with executive dashboards showing the percentage of systems within SLA for each severity level, and track remediation trends over time

Comprehensive patch assessment requires authenticated vulnerability scanning, as unauthenticated scans can only infer patch levels from service banners and may produce false positives or negatives. Deploy Nessus, Qualys, or Rapid7 InsightVM with administrative credentials for each target platform (domain admin for Windows, root/sudo for Linux) to perform thorough credentialed scans. Configure scan policies to include all CVE checks and plugin families. For Windows environments, the Nessus "Microsoft Windows: Microsoft Bulletins" plugin family provides detailed patch-level assessment. For Linux, distribution-specific update checks (e.g., "Ubuntu Local Security Checks", "Red Hat Local Security Checks") identify missing packages.

For manual or targeted patch assessment, use Nmap version detection: nmap -sV -sC --version-all -p- target and correlate versions against known vulnerabilities. On Windows targets with credentials, enumerate the installed KB articles: wmic qfe list full or PowerShell Get-HotFix, then compare against the latest cumulative update for that Windows version. CrackMapExec can extract OS build numbers remotely: crackmapexec smb target - the build number (e.g., 10.0.17763.5329) maps to a specific patch level. For Linux, check installed package versions against the distribution's security tracker (e.g., Ubuntu USN, Red Hat RHSA).

When missing critical patches are identified, attempt to validate exploitability where authorised. Use Metasploit's search command to find relevant exploit modules: search cve:2021-34473 (ProxyShell) or search ms17-010 (EternalBlue). For each missing patch, document the CVE identifiers, CVSS scores, whether the vulnerability is listed in the CISA KEV catalog (indicating active exploitation in the wild), the number of days since the patch was made available, and the specific systems affected. Produce a prioritised remediation report ordering findings by exploitability (active exploitation > public exploit available > theoretical) and severity, enabling the organisation to focus resources on the most urgent patches.