
Software vendors have traditionally presented security patches as a source of reassurance to their customers. Even though the creation of a patch is a tacit acknowledgement of a security weakness that needed fixing, patches were assumed to be a pre-emptive measure – a way for organisations to shore up their defences before an issue arose.
That cosy assumption is now being tested to the limit as hackers use AI to reverse-engineer security patches, revealing and exploiting the very vulnerabilities the patch is designed to protect.
Reverse-engineering security patches isn’t technically new. Offensive security researchers and attackers have long compared patched and unpatched software versions, noting what changed and working backwards to identify the vulnerability that was fixed.
Malicious actors too have used this technique to understand and exploit the underlying vulnerability that necessitated a patch.
AI has changed the game by making it easier for even novice hackers to turn patches from a form of protection to a point of entry – all at machine speed.
Rather than creating a new attack technique, this weaponisation of AI is removing much of the manual effort that previously slowed attackers down – giving defenders time to design, test and implement a patch before an attack is made.
The data reflects this accelerating threat. According to the Zero Day Clock project, the median time between a vulnerability being disclosed and its first exploitation has fallen from more than two years in 2018 to just a few hours today. Mandiant’s latest M-Trends report also suggests that, on average, attackers are now exploiting vulnerabilities before a public patch is even available.
That doesn’t mean every vulnerability is exploited immediately, but it does show how quickly the window between disclosure and attack is shrinking.
We’ve already seen examples where attackers appear to have moved faster than the wider security community. Earlier this year, Oracle released a patch for a critical vulnerability in Oracle E-Business Suite. Before any proof-of-concept exploit was announced, threat intelligence researchers observed active exploitation against vulnerable systems. While it’s impossible to know exactly how that exploit was developed, one plausible explanation is that attackers analysed the patch itself to understand the vulnerability before anyone else had published their findings.
For defenders, this poses a serious challenge, as applying a security patch in a large organisation is seldom simple. Critical systems need to be tested, compatibility issues checked, maintenance windows scheduled and business disruption minimised. Even organisations with mature security teams often need days or weeks to deploy patches safely across production environments.
According to Verizon’s latest Data Breach Investigations Report, organisations now take a median of 43 days to fully remediate vulnerabilities, while exploited vulnerabilities have overtaken stolen credentials as the most common way attackers gain initial access to organisations.
In practical cybersecurity terms, the issue isn’t merely the huge number of vulnerabilities emerging. Instead it is attackers’ ability to identify and exploit vulnerabilities faster than defenders can resolve them.
This asymmetric threat is particularly acute for technologies such as VPNs, firewalls, gateways and widely deployed enterprise applications. These systems are attractive targets because they’re common across thousands of organisations and often provide direct access into corporate environments. The longer it takes to deploy a patch, the larger that exposure window becomes.
None of this means organisations should rethink the importance of patching. Keeping systems up to date remains one of the most effective ways to reduce risk. What does need to change is the assumption that releasing or deploying a patch is enough.
Security teams increasingly need to understand which vulnerabilities are actually exploitable in their own environments, how exposed their internet-facing systems are and how quickly those exposures are changing. Prioritising vulnerabilities using intelligence such as CISA’s Known Exploited Vulnerabilities catalogue or EPSS scores is a good start, but it doesn’t solve the underlying problem.
The real goal should be to reduce the time between a vulnerability appearing and an organisation identifying its own exposure.
That’s why continuous attack surface validation is becoming so important. Annual penetration tests and periodic security reviews were designed for a world where attackers moved more slowly. Today, environments change constantly, new services are deployed every day and AI allows attackers to assess thousands of potential targets simultaneously. To keep pace, defenders need the same ability to continuously assess their own exposure.
AI hasn’t fundamentally changed the way vulnerabilities are exploited. What it has changed is the speed at which attackers can discover, understand and weaponise them. The organisations that adapt their security programmes to this new reality will be far better placed than those still relying on security processes designed for a slower, safer world.
_____
Andre Baptista is CTO and co-founder of Ethiack, an AI-powered cybersecurity company specialising in autonomous penetration testing and continuous attack surface validation.
Join our LinkedIn group Information Security Community!











