Weaponized AI can dismantle patches in 72 hours, but Ivanti's kernel protection may help
Technology

Last updated: October 12, 2025 7:27 am
Editorial Board Published October 12, 2025

Adversaries from cybercrime gangs to nation-state attack teams are fine-tuning weaponized AI with the goal of defeating new patches in three days or less.

The faster the attack, the more time there is to explore a victim's network, exfiltrate data, install ransomware or set up reconnaissance that can last for months or years. Traditional, manual patching is now a liability, leaving enterprise organizations defenseless against weaponized AI attacks.

"Threat actors are reverse engineering patches, and the speed at which they're doing it has been enhanced greatly by AI," Mike Riemer, SVP of Network Security Group and Field CISO at Ivanti, told VentureBeat in a recent interview. "They're able to reverse engineer a patch within 72 hours. So if I release a patch and a customer doesn't patch within 72 hours of that release, they're open to exploit."

This isn't theoretical speculation. It's the hard reality forcing vendors to completely rearchitect their security infrastructure from the kernel up. Last week, Ivanti released Connect Secure (ICS) version 25.X, marking what Riemer calls "tangible evidence" of the company's commitment to meeting this threat head-on.

At DEF CON 33, researchers from AmberWolf proved this threat real, demonstrating full authentication bypasses in Zscaler, Netskope and Check Point by exploiting vulnerabilities that had existed for months. Zscaler's failure to validate SAML assertions (CVE-2025-54982), Netskope's credential-free OrgKey access and Check Point's hard-coded SFTP keys exposing tenant logs were all flaws left open and exploitable more than 16 months after initial disclosure.

Why kernel security matters

The kernel is the central orchestrator of everything that happens in a computing device, controlling memory, processes and hardware.

If an attacker compromises the kernel, they have seized total control of a device, and that control can scale to compromising an entire network. Every other security layer, application, platform or safeguard is immediately bypassed once attackers take control of the kernel.

Nearly all operating systems rely on the concept of enforcing rings of privilege. Applications run in user mode with restricted access. The kernel operates in kernel mode with full control. When adversaries break that barrier, they have gained access to what many security researchers consider the holy grail: the vulnerabilities of whole systems and entire networks.

Ivanti's new release directly addresses this reality. Connect Secure 25.X runs on an enterprise-grade Oracle Linux operating system with strong Security-Enhanced Linux (SELinux) enforcement that can limit a threat actor's capabilities within the system. The solution includes Secure Boot protection, disk encryption, key management, secure factory reset, a modern secure web server and a Web Application Firewall (WAF), all designed to secure key components of the system and significantly deter external threats.

"In the past year, we've significantly advanced our Secure by Design strategy, translating our commitment into real action through substantial investments and an expanded security team," Riemer explained. "This release stands as tangible evidence of our commitment. We listened to our customers, invested in both technology and talent, and modernized the security of Ivanti Connect Secure to provide the resilience and peace of mind our customers expect and deserve."

From OS rings to deployment rings: A more complete defense strategy

While operating system rings define privilege levels, modern patch management has adopted its own ring strategy to combat the 72-hour exploit window.

Ring deployment provides a phased, automated patching strategy that rolls out updates incrementally: a Test Ring for core IT validation, an Early Adopter Ring for compatibility testing, and a Production Ring for enterprise-wide rollout.

This approach directly addresses the speed crisis. Ring deployment achieves 99% patch success within 24 hours for up to 100,000 PCs, according to Gartner research. Ponemon Institute research shows organizations take an alarming average of 43 days to detect cyberattacks even after a patch is released.
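To make the three-ring promotion gate concrete, here is a small added example (written for this page, not Ivanti's or Gartner's code) that walks a patch through the Test, Early Adopter and Production rings, promotes only when a ring clears the 99% success figure, and reports whether full coverage landed inside the 72-hour window. The ring telemetry is constructed sample data, and the threshold and ring names are assumptions chosen to match the article's figures.

```python
from dataclasses import dataclass

RINGS = ("Test", "Early Adopter", "Production")
SUCCESS_THRESHOLD = 0.99   # the 99% patch-success figure cited above, used as the promotion gate
EXPLOIT_WINDOW_HOURS = 72  # the reverse-engineering window Riemer describes

@dataclass(frozen=True)
class RingResult:
    ring: str
    hosts: int
    succeeded: int
    finished_at_hours: float   # hours elapsed since the vendor released the patch

    @property
    def success_rate(self) -> float:
        return self.succeeded / self.hosts if self.hosts else 0.0

def evaluate_rollout(results):
    """Promote ring by ring; a ring advances only if it met SUCCESS_THRESHOLD."""
    by_ring = {r.ring: r for r in results}
    halted_at, completed_hours = None, 0.0
    for ring in RINGS:
        result = by_ring.get(ring)
        if result is None:          # ring never ran: rollout is incomplete
            halted_at = ring
            break
        completed_hours = max(completed_hours, result.finished_at_hours)
        if result.success_rate < SUCCESS_THRESHOLD:
            halted_at = ring        # hold here instead of promoting a broken patch
            break
    reached = halted_at is None
    return {
        "reached_production": reached,
        "halted_at": halted_at,
        "hours_to_full_coverage": completed_hours if reached else None,
        "inside_exploit_window": reached and completed_hours <= EXPLOIT_WINDOW_HOURS,
    }

# Constructed sample telemetry (not real data): a healthy rollout, and one where
# the Early Adopter ring surfaces a compatibility failure that must not promote.
HEALTHY = [
    RingResult("Test", 50, 50, 6.0),
    RingResult("Early Adopter", 2_000, 1_990, 18.0),
    RingResult("Production", 100_000, 99_400, 24.0),
]
BROKEN = [
    RingResult("Test", 50, 50, 6.0),
    RingResult("Early Adopter", 2_000, 1_700, 20.0),
    RingResult("Production", 100_000, 99_400, 30.0),  # gated off; never reached
]
```

Running `evaluate_rollout(HEALTHY)` reports full coverage at 24 hours inside the window, while `evaluate_rollout(BROKEN)` halts at the Early Adopter ring so the failing patch is never pushed fleet-wide.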

Jesse Miller, SVP and director of IT at Southstar Bank, emphasized: "When judging how impactful something can be, you have to take everything from current events, your industry, your environment and more into the equation." His team uses ring deployment to reduce their attack surface as quickly as possible.

Attackers aggressively exploit legacy vulnerabilities: 76% of the vulnerabilities leveraged by ransomware were reported between 2010 and 2019. When kernel access is at stake, every hour of delay multiplies the risk.

The kernel dilemma centers on balancing security against stability

At CrowdStrike's Fal.Con conference, Chief Technology Innovation Officer Alex Ionescu laid out the problem: "By now, it's clear that if you want to protect against bad actors, you need to operate in the kernel. But to do that, the reliability of your machine is put at risk."

The industry is responding with fundamental shifts:

  • Microsoft's WISP mandates multi-year changes for every Windows security vendor
  • Linux embraced eBPF for safer kernel instrumentation
  • Apple's Endpoint Security Framework enables user-mode operation

Authentication bypass occurs when kernels are compromised

AmberWolf researchers spent seven months analyzing ZTNA products. Zscaler did not validate SAML assertions (CVE-2024-54982). Netskope's authentication could be bypassed using non-revocable OrgKey values. Check Point had hard-coded SFTP keys (CVE-2025-3831).

These vulnerabilities existed for months. Some vendors patched quietly without issuing CVEs. As of August 2025, 16 months after disclosure, many organizations still used exploitable configurations.

Lessons learned from compressing 3 years of kernel security into 18 months

When nation-state attackers exploited Ivanti Connect Secure in January 2024, it validated Ivanti's decision to rapidly advance its kernel-level security strategy, compressing a three-year project into just 18 months. As Riemer explained, "We had already completed phase one of the kernel-hardening project before the attack. That allowed us to quickly pivot and accelerate our roadmap."

Key accomplishments included:

  • Migration to 64-bit Oracle Linux: Ivanti replaced an outdated 32-bit CentOS OS with Oracle Linux 9, significantly reducing known vulnerabilities tied to legacy open-source components.
  • Custom SELinux enforcement: Implementing strict SELinux policies initially broke a significant number of product features, requiring careful refactoring without compromising security parameters. The resulting solution now runs permanently in enforcing mode, Riemer explained.
  • Process de-privileging and secure boot with TPM: Ivanti eliminated root privileges from critical processes and integrated TPM-based secure boot and RSA encryption, ensuring continuous integrity checks, in line with AmberWolf's research findings and recommendations.

There was also a series of independent penetration testing initiatives, and each confirmed zero successful compromises, with threat actors typically abandoning attempts within three days.

Riemer explained to VentureBeat that global intelligence community customers actively watched threat actors probe the hardened systems. "They tried old TTPs, pivoted to web server exploits. They pretty much gave up after about three days," Riemer said.

The decision to go kernel-level wasn't a panic response. "We actually had plans in place in 2023 to address this before we ever got attacked," Riemer said. The conversation that sealed the decision happened in Washington, DC. "I sat down with the CIO of a federal agency, and I asked him flat out: Is there going to be a need for the U.S. government to have an L3 VPN solution on-prem in the future?" Riemer recalled. "His response was that there would always be a mission need for an L3 VPN on-prem type solution in order to give encrypted communication access to the warfighter."

The future beyond kernel security includes eBPF and behavioral monitoring

Gartner's Emerging Tech Impact Radar: Cloud Security report rates eBPF as having "high" mass with 1-3 years to early majority adoption. "The use of eBPF allows for enhanced visibility and security without relying solely on kernel-level agents," Gartner notes.

The majority of cybersecurity vendors are investing heavily in eBPF. "Today, virtually our entire customer base runs Falcon sensor on top of eBPF," Ionescu said during his keynote at this year's Fal.Con. "We've been part of that journey as eBPF foundation members."

Palo Alto Networks has also emerged as a major player in eBPF-based security, investing heavily in the technology for their Cortex XDR and Prisma Cloud platforms. This architectural shift allows Palo Alto Networks to provide deep visibility into system calls, network traffic, and process execution while maintaining system reliability.

The convergence of CrowdStrike, Palo Alto Networks, and other major vendors on eBPF technology signals a fundamental transformation—providing the visibility security teams need without catastrophic failure risks.

Defensive strategies that are working

Patching is often relegated to one of those tasks that gets procrastinated about because so many security teams are short-handed, facing chronic time shortages. Those are the conditions that adversaries bank on when they choose victims.

It's a sure bet that if a company is not prioritizing cybersecurity, it will be months or even years behind on its patching. That's what adversaries look for. Patterns emerge across victims from different industries, and they share a common trait: procrastinating about system maintenance in general and security patching specifically.

Based on interviewing victims of breaches that started with patches sometimes years old, VentureBeat has seen the following immediate steps they take to reduce the probability of being hit again:

  • Automate patching immediately. Monthly cycles are obsolete. Tony Miller, Ivanti's VP of enterprise services, confirmed ring deployment eliminates the reactive patching chaos that leaves organizations vulnerable during the critical 72-hour window.
  • Audit kernel-level security. Ask vendors about eBPF/ESF/WISP migration plans and timelines.
  • Layer defenses. This is table stakes for any cybersecurity strategy but critical to get right. "Whether it was SELinux profiling, root privilege avoidance, an updated web server, or the WAF—each layer stopped attacks," Riemer said.
  • Demand transparency. "Another vendor had been attacked in November 2023. That information didn't become available until August 2024," Riemer revealed. "That's why Ivanti has been so public about transparency."

The bottom line

Kernel-level transformation isn't optional. It's survival when AI weaponizes vulnerabilities in three days.

Ivanti Connect Secure 25.X represents what's possible when a vendor commits fully to kernel-level security, not as a reactive measure, but as a fundamental architectural principle. Gartner's strategic planning assumption is sobering: "By 2030, at least 80% of enterprise Windows endpoints will still rely on hybrid endpoint security agents, increasing the attack surface and requiring rigorous validation."

Organizations should harden what they can now, automate immediately, and prepare for architectural upheaval. As Gartner emphasizes, combining ring deployment with built-in compensating controls, including endpoint protection platforms, multifactor authentication and network segmentation, as part of a broader zero-trust framework ensures security teams can shrink exposure windows.
