September 20, 2025
Improvised vulnerability management
On March 3rd, the Italian CSIRT (Computer Security Incident Response Team) published a bulletin reporting the active exploitation of critical Microsoft Exchange vulnerabilities.
That was the moment when companies should have immediately triggered a risk assessment, followed by a business impact analysis and an actionable response plan.
Assessing the Vulnerability
The assessment in this case is straightforward: four severe Microsoft Exchange vulnerabilities (with CVSSv3 scores up to 9.1) that, when chained together, can lead to full server compromise. Specifically, attackers can:
- Access and exfiltrate user emails
- Install malware on the server, turning it into a foothold for further attacks
The impact should therefore be considered “high.”
The Italian CSIRT also warned that these vulnerabilities were already being exploited. That makes the likelihood of attack against unprotected, internet-exposed Microsoft Exchange servers equally “high.”
Given this risk level, many organizations should have treated patching as an urgent priority.
Problem Solved?
But here’s the real issue: the grey zone between the discovery of a vulnerability and the moment when systems are fully patched.
Even if you deploy the Microsoft Exchange patches quickly, can you really say you acted in time?
Threat Hunting
Vulnerability management should also address this grey zone. Actively analyzing systems to determine whether they have already been compromised—and how—helps reduce the chance of future unpleasant surprises.
In this specific case, between March 5th and 7th, most Microsoft Exchange servers worldwide were already targeted using malware designed for remote control.
Some of these servers received the second phase of the attack in the following two days.
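One way to make the grey zone operational, as an added example that is not part of the original article: triage each Exchange server by how long it stayed unpatched after the bulletin and whether it was still exposed once mass exploitation began, so that threat hunting is scheduled rather than hoped for. The dates follow the article's timeline; the year and the server inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Dates from the article's timeline; the year is an assumption (not on the page).
BULLETIN_DATE = date(2021, 3, 3)        # CSIRT bulletin on active exploitation
EXPLOITATION_START = date(2021, 3, 5)   # mass exploitation observed from here
TODAY = date(2021, 3, 15)               # constructed reference date for the run


@dataclass
class ExchangeServer:
    name: str
    internet_exposed: bool
    patched_on: Optional[date]          # None means still unpatched


def triage(server: ExchangeServer, today: date) -> dict:
    """Place one server in the grey zone between disclosure and patching.

    Impact is fixed at "high" (full server compromise). Likelihood follows the
    article: "high" for unprotected, internet-exposed servers. Hunting is required
    whenever the server was still unpatched on or after the day mass exploitation
    began, even if it has been patched since.
    """
    end = server.patched_on or today
    grey_zone_days = max(0, (end - BULLETIN_DATE).days)
    hunt_required = end >= EXPLOITATION_START
    if server.patched_on is None:
        action = "patch immediately, then hunt for compromise"
    elif hunt_required:
        action = "hunt for compromise (patched after exploitation began)"
    else:
        action = "patched before mass exploitation; confirm patch level"
    if not hunt_required:
        likelihood = "low"
    elif server.internet_exposed:
        likelihood = "high"
    else:
        likelihood = "medium"
    return {"name": server.name, "grey_zone_days": grey_zone_days,
            "hunt_required": hunt_required, "impact": "high",
            "likelihood": likelihood, "action": action}


def triage_fleet(servers, today):
    """Hunt-required servers first, longest exposure first."""
    results = [triage(s, today) for s in servers]
    return sorted(results, key=lambda r: (not r["hunt_required"], -r["grey_zone_days"]))


# Constructed inventory for illustration only.
FLEET = [ExchangeServer("mx-edge-01", True, date(2021, 3, 4)),
         ExchangeServer("mx-edge-02", True, date(2021, 3, 10)),
         ExchangeServer("mx-internal", False, None)]

if __name__ == "__main__":
    for row in triage_fleet(FLEET, TODAY):
        print(row)
```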
A Silent Threat
Given the speed of the attack’s evolution, we can easily predict what happens next: lateral movement across the network, data exfiltration, archive destruction through ransomware, and extortion via data leak threats.
Conclusions
The purpose of this article was not to detail vulnerability management procedures, but rather to highlight the importance of embedding threat hunting into the process itself.
Patch management is not “install and forget,” nor can it be relegated to “quarterly activities.” In cases like the one described, action must be both fast and fully aware of today’s threat landscape.