Weaponized AI can dismantle patches in 72 hours, but Ivanti’s kernel defense can help




Adversaries, from cybercrime gangs to nation-state cyberattack teams, are fine-tuning weaponized AI with the goal of defeating new patches in 3 days or less.

The faster the attack, the more time there is to explore the victim’s network, exfiltrate data, install ransomware, or set up reconnaissance that can persist for months or years. Traditional manual patching cannot keep up, leaving organizations exposed to weaponized AI attacks.

"Threat actors are reverse-engineering patches, and the speed at which they do this has been greatly enhanced by AI," Mike Riemer, senior vice president of the Network Security Group and field information security director at Ivanti, told VentureBeat in a recent interview. "They are able to reverse engineer the patch within 72 hours. So, if you release a patch and the customer doesn’t release the patch within 72 hours of that release, they will be vulnerable to exploitation."

This is not theoretical speculation. It is the hard reality that is forcing vendors to redesign their security infrastructure from the core up. Last week, Ivanti released Connect Secure (ICS) version 25.X, which Riemer calls "concrete evidence" of the company’s commitment to confront this threat directly.

At DEF CON 33, researchers from AmberWolf showed how real this threat is, demonstrating complete authentication bypasses of Zscaler, Netskope and Check Point by exploiting vulnerabilities that had been known for months: Zscaler’s failure to validate SAML assertions (CVE-2025-54982), Netskope’s credential-free OrgKey access, and Check Point’s encrypted SFTP keys exposing tenant records. All of these flaws were left open and exploitable for more than 16 months after the initial disclosure.

Why Kernel Security Matters

The kernel is the central coordinator of everything that happens in a computing device, controlling memory, processes, and hardware.

An attacker who compromises the kernel has full control of the device and a foothold from which to compromise the entire network. Every other layer of security, whether application, platform or endpoint protection, is bypassed once the kernel is under attacker control.

Almost all operating systems are built on the concept of privilege-ring enforcement. Applications run in user mode with limited access; the kernel runs in kernel mode with full control. When adversaries break through this barrier, they gain what many security researchers consider the holy grail: control over entire systems and networks.

Ivanti Connect Secure 25.X addresses this reality head-on. The release includes secure boot protection, disk encryption, key management, a secure factory reset, a modern secure web server, and a web application firewall (WAF), all designed to harden key parts of the system and significantly deter external threats.

"In the past year, we have significantly advanced our Secure by Design strategy, translating our commitment into real action through significant investments and an expanded security team," Riemer explained. "This release represents tangible evidence of our commitment. We listened to our customers, invested in both technology and talent, and updated Ivanti Connect Secure to provide the flexibility and peace of mind our customers expect and deserve."

From operating system rings to deployment rings: a more complete defense strategy

While OS rings define privilege levels, modern patch management has adopted its own ring strategy to combat the 72-hour exploit window.

Ring deployment provides an incremental, automated patching strategy that rolls updates out in stages: a test ring for core IT validation, an early-adopter ring for compatibility testing, and a production ring for enterprise-wide deployment.

This approach addresses the speed crisis head-on. Ring deployment achieves a 99% patch success rate within 24 hours on up to 100,000 endpoints, according to Gartner research. Ponemon Institute research shows that organizations take an alarming average of 43 days to detect cyberattacks, even after a patch has been released.
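To make the ring gating described above concrete, here is an added example in Python (not Ivanti’s, Gartner’s or any vendor’s code) of a rollout controller that holds a patch in each ring until that ring’s success threshold is met, then reports which hosts are still unpatched and whether the 72-hour window has passed. The host names, ring sizes, timestamps and per-ring thresholds are constructed for the example; the production threshold reuses the 99% figure cited above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The window in which the article says AI-assisted attackers can turn a
# released patch into a working exploit; unpatched hosts past it are flagged.
EXPLOIT_WINDOW = timedelta(hours=72)


@dataclass
class Ring:
    """One deployment ring: a host group plus the success rate it must reach
    before the rollout is allowed to advance to the next ring."""
    name: str
    hosts: list
    min_success: float
    results: dict = field(default_factory=dict)  # host -> True (patched) / False (failed)

    def success_rate(self) -> float:
        if not self.hosts:
            return 1.0
        patched = sum(1 for h in self.hosts if self.results.get(h) is True)
        return patched / len(self.hosts)

    def unpatched(self) -> list:
        return [h for h in self.hosts if self.results.get(h) is not True]


class RingRollout:
    """Drives one patch through test -> early adopter -> production rings."""

    def __init__(self, patch_id: str, released_at: datetime, rings: list):
        self.patch_id = patch_id
        self.released_at = released_at
        self.rings = rings
        self.active = 0  # index of the ring currently receiving the patch

    def active_ring(self) -> Ring:
        return self.rings[self.active]

    def record(self, host: str, success: bool) -> None:
        """Record a patch result; hosts outside the active ring are rejected so
        nothing is patched ahead of its ring."""
        ring = self.active_ring()
        if host not in ring.hosts:
            raise ValueError(f"{host} is not in the active ring '{ring.name}'")
        ring.results[host] = success

    def try_promote(self) -> bool:
        """Advance only when the active ring met its gate. Returns True on
        promotion, False when gated or already in the last ring."""
        ring = self.active_ring()
        if self.active == len(self.rings) - 1:
            return False
        if ring.success_rate() < ring.min_success:
            return False
        self.active += 1
        return True

    def exposure(self, now: datetime) -> dict:
        """How many hosts are still unpatched and whether the 72-hour window passed."""
        elapsed = now - self.released_at
        pending = [h for r in self.rings for h in r.unpatched()]
        return {
            "patch": self.patch_id,
            "hours_since_release": round(elapsed.total_seconds() / 3600, 1),
            "unpatched_hosts": pending,
            "over_window": bool(pending) and elapsed > EXPLOIT_WINDOW,
        }


def build_rollout(released_at: datetime) -> RingRollout:
    # Constructed inventory; the thresholds are this example's own policy
    # (production reuses the 99% figure the article cites from Gartner).
    rings = [
        Ring("test", [f"it-lab-{i}" for i in range(3)], min_success=1.0),
        Ring("early_adopter", [f"pilot-{i}" for i in range(10)], min_success=0.95),
        Ring("production", [f"prod-{i}" for i in range(100)], min_success=0.99),
    ]
    return RingRollout("example-patch-25.X", released_at, rings)


def simulate(hours_after_release: float = 24.0) -> dict:
    """Walk a patch through the rings and return the exposure report at the given hour."""
    t0 = datetime(2025, 9, 1, 9, 0)  # constructed release time
    rollout = build_rollout(t0)
    # Test ring: all lab hosts patch cleanly, so promotion is allowed.
    for h in rollout.active_ring().hosts:
        rollout.record(h, True)
    test_promoted = rollout.try_promote()
    # Early-adopter ring: one compatibility failure (9/10 = 90%) holds the gate.
    for i, h in enumerate(rollout.active_ring().hosts):
        rollout.record(h, i != 4)
    blocked = not rollout.try_promote()
    # Once the failing host is fixed and re-patched, the 95% gate is met.
    rollout.record("pilot-4", True)
    promoted = rollout.try_promote()
    # Production ring: two hosts are still pending when the report is taken.
    for i, h in enumerate(rollout.active_ring().hosts):
        if i not in (7, 42):
            rollout.record(h, True)
    report = rollout.exposure(t0 + timedelta(hours=hours_after_release))
    report.update(test_promoted=test_promoted,
                  early_adopter_blocked=blocked,
                  early_adopter_promoted=promoted)
    return report


if __name__ == "__main__":
    for hours in (24.0, 96.0):
        print(simulate(hours))
```

The point of the gate is that a failure in the early-adopter ring stops the rollout before it reaches production, while the exposure report keeps the remaining unpatched hosts visible against the 72-hour clock rather than letting them disappear into a monthly cycle.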

Jesse Miller, senior vice president and director of information technology at SouthStar Bank, confirmed: "When judging the impact of something, you need to take everything from current events, your industry, your environment, and more into the equation." His team uses ring deployment to reduce the attack surface as quickly as possible.

Attackers are aggressively exploiting legacy vulnerabilities: 76% of the vulnerabilities exploited by ransomware were reported between 2010 and 2019. When kernel access is at stake, every hour of delay multiplies the risk.

The kernel’s dilemma revolves around balancing security and stability

At CrowdStrike’s Fal.Con conference, Alex Ionescu, chief technology innovation officer, explained the problem: "It’s now clear that if you want to protect against the bad guys, you need to work in the kernel. But to do so, the reliability of your device is compromised."

The industry is responding with fundamental shifts.

Authentication bypass occurs when the kernel is compromised

AmberWolf researchers spent seven months analyzing the three vendors’ products. Zscaler failed to validate SAML assertions (CVE-2025-54982). Netskope authentication could be bypassed using non-revocable OrgKey values. Check Point exposed encrypted SFTP keys (CVE-2025-3831).

These vulnerabilities had been known for months. Some vendors patched quietly, with little public scrutiny. As of August 2025, 16 months after the disclosure, many organizations are still running exploitable configurations.

Lessons learned from compressing 3 years of kernel security into 18 months

When nation-state attackers exploited Ivanti Connect Secure in January 2024, they validated Ivanti’s decision to rapidly advance its kernel-level security strategy, compressing a three-year project into just 18 months. As Riemer explained, "We had already completed the first phase of the core strengthening project before the attack. This allowed us to quickly pivot and accelerate our roadmap."

Key achievements included:

  • Migrating to 64-bit Oracle Linux:

    Ivanti replaced the legacy 32-bit CentOS operating system with Oracle Linux 9, significantly reducing the known vulnerabilities associated with legacy open source components.

  • Custom SELinux enforcement:

    Implementing strict SELinux policies initially broke a large number of product features, requiring careful refactoring without compromising security standards. The resulting solution now runs in always-on enforcing mode, Riemer explained.

  • Privilege removal and TPM-based secure boot:

    Ivanti removed root privileges from critical processes and integrated secure boot based on TPM and RSA encryption, ensuring continuous integrity checks, in line with AmberWolf’s research findings and recommendations.

A series of independent penetration tests has since been run, none of which resulted in a successful compromise, and threat actors typically abandon their attempts within three days.

Riemer told VentureBeat that members of the global intelligence community were actively monitoring threat actors probing the hardened systems. "They tried the old TTPs centered around web server exploitation. They pretty much gave up after about three days," Riemer said.

The decision to move to the kernel level was not a panic response. "We already had plans in place in 2023 to address this before we were attacked," Riemer said. The conversation that settled the decision took place in Washington, DC. "I sat down with an IT director at a federal agency and asked him frankly: Will there be a need for the US government to have an on-premises L3 VPN solution in the future?" Riemer recalls. "His response was that there would always be a mission need for a local L3 VPN type solution in order to give encrypted communications access to the warfighter."

The future beyond kernel security includes eBPF and behavior monitoring

Gartner’s Emerging Technology Impact Radar: Cloud Security report rates eBPF as having "high" mass, with one to three years until early-majority adoption. "Using eBPF allows for enhanced visibility and security without relying solely on kernel-level proxies," Gartner notes.

Most cybersecurity vendors are investing heavily in eBPF. "Today, almost our entire customer base runs the Falcon sensor on top of eBPF," Ionescu said during his keynote at this year’s Fal.Con. "We have been part of that journey as eBPF Foundation members."

Palo Alto Networks has also emerged as a major player in eBPF-based security, investing heavily in the technology across its Cortex XDR and Prisma Cloud platforms. This architectural shift lets Palo Alto Networks provide deep visibility into system calls, network traffic, and process execution while maintaining system reliability.

The convergence of CrowdStrike, Palo Alto Networks and other major vendors on eBPF signals a fundamental shift: providing the visibility security teams need without the risk of catastrophic failure.

Defensive strategies that work

Patching is often relegated to the list of tasks that get put off, because many security teams are under-resourced and chronically short of time. Those are exactly the conditions adversaries rely on when choosing victims.

When a company does not prioritize cybersecurity, it can take months or even years before a patch is applied, and that is precisely what adversaries are looking for. Across victim industries the same pattern emerges: procrastination on system maintenance in general and on security patching in particular.

Based on interviews with victims of breaches that began with missing patches, some of them years old, VentureBeat found the following immediate steps they take to reduce the likelihood of being hit again:

Automate patching now. Monthly cycles are obsolete. Tony Miller, Ivanti’s vice president of enterprise services, confirmed that ring deployment eliminates the manual, interactive patching that leaves organizations exposed during the critical 72-hour period.

Audit kernel-level security. Ask vendors about their eBPF/ESF migration plans and timelines.

Layered defenses. These matter in any cybersecurity strategy, but getting them right is crucial here. "Be it the SELinux configuration, avoiding root privileges, an updated web server, or the WAF, each layer stopped attacks," Riemer said.

Demand transparency. "Another vendor was attacked in November 2023. This information was not available until August 2024," Riemer revealed. "This is why Ivanti has been very public about transparency."
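The hardening measures listed earlier (SELinux in enforcing mode, secure boot, critical processes no longer running as root) and the audit and layered-defense steps above are all things a defender can verify on a host rather than take on trust. The following added Python example, not Ivanti’s or any vendor’s code, evaluates a host’s posture from captured command output: the `Current mode` line of `sestatus`, the process list from `ps -eo user,pid,comm`, the `mokutil --sb-state` result, and the patch release time against the 72-hour window. All three command outputs, the timestamps and the list of services that must not run as root are constructed samples for this example; a TPM measurement check is not included.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed sample of `sestatus` output from a host where enforcement was left permissive.
SESTATUS_SAMPLE = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
"""

# Constructed sample of `ps -eo user,pid,comm` showing a web server still running as root.
PS_SAMPLE = """\
USER         PID COMMAND
root           1 systemd
root         412 sshd
root         873 nginx
www-data     874 nginx
vpnsvc       901 vpn-gateway
"""

# Constructed sample of `mokutil --sb-state` output.
MOKUTIL_SAMPLE = "SecureBoot enabled\n"

EXPLOIT_WINDOW = timedelta(hours=72)  # the 72-hour window cited in the article
# Services a hardened build is expected to run without root (this example's own policy).
MUST_NOT_BE_ROOT = {"nginx", "vpn-gateway"}


def selinux_mode(sestatus_out: str) -> Optional[str]:
    """Return the 'Current mode' value (enforcing/permissive/disabled) or None if absent."""
    m = re.search(r"^Current mode:\s+(\w+)", sestatus_out, re.MULTILINE)
    return m.group(1) if m else None


def root_services(ps_out: str) -> Set[str]:
    """Commands that have at least one process running as root."""
    running_as_root = set()
    for line in ps_out.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "root":
            running_as_root.add(parts[2])
    return running_as_root


def secure_boot_enabled(mokutil_out: str) -> bool:
    return mokutil_out.strip() == "SecureBoot enabled"


def assess(sestatus_out: str, ps_out: str, mokutil_out: str,
           released_at: datetime, applied_at: Optional[datetime],
           now: datetime) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    mode = selinux_mode(sestatus_out)
    if mode != "enforcing":
        findings.append(f"SELinux is {mode or 'unavailable'}, not enforcing")
    if not secure_boot_enabled(mokutil_out):
        findings.append("Secure Boot is disabled")
    for svc in sorted(root_services(ps_out) & MUST_NOT_BE_ROOT):
        findings.append(f"{svc} runs as root")
    # Patch lag: vendor release to application, or to now if still pending.
    lag = (applied_at or now) - released_at
    if lag > EXPLOIT_WINDOW:
        state = "applied" if applied_at else "still pending"
        hours = lag.total_seconds() / 3600
        findings.append(f"patch {state} {hours:.0f}h after release (window is 72h)")
    return findings


def sample_assessment() -> List[str]:
    """Run the checks on the constructed samples: 96h after release, patch not yet applied."""
    released = datetime(2025, 9, 1, 9, 0)  # constructed release time
    now = released + timedelta(hours=96)
    return assess(SESTATUS_SAMPLE, PS_SAMPLE, MOKUTIL_SAMPLE, released, None, now)


if __name__ == "__main__":
    for finding in sample_assessment():
        print("FINDING:", finding)
```

On the sample host the script reports three findings: SELinux is permissive rather than enforcing, nginx has a process running as root, and the patch is still pending 96 hours after release. Secure Boot passes. Each finding maps directly to one of the layers the article describes, which is what makes the check useful as a recurring audit rather than a one-off.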

Bottom line

Kernel-level hardening is not optional. It is a matter of survival when AI can weaponize a vulnerability in three days.

Ivanti Connect Secure 25.X represents what is possible when a vendor fully commits to kernel-level security, not as a reactive measure but as a fundamental architectural principle. Gartner’s strategic planning assumption is realistic: "By 2030, at least 80% of Windows endpoints will still rely on hybrid endpoint protections, which increases the attack surface and requires strict validation."

Organizations must use what they can now, automate immediately, and prepare for architectural disruption. As Gartner confirms, combining ring deployment with integrated compensating controls, including endpoint protection platforms, multi-factor authentication and network segmentation as part of a broader zero trust framework, lets security teams minimize their windows of exposure.
