Weaponized AI can reverse-engineer patches in 72 hours, but Ivanti's kernel-level defense can help
Adversaries, from cybercrime gangs to nation-state attack teams, are fine-tuning weaponized AI with the goal of defeating new patches in three days or less.
The faster the exploit, the more time attackers have to explore the victim's network, exfiltrate data, install ransomware, or set up reconnaissance that can persist for months or years. Traditional manual patching cannot keep up, leaving organizations defenseless against weaponized AI attacks.
"Threat actors are reverse-engineering patches, and the speed at which they do so has been greatly enhanced by AI," Mike Riemer, senior vice president of the Network Security Group and field CISO at Ivanti, told VentureBeat in a recent interview. "They are able to reverse-engineer the patch within 72 hours. So, if you release a patch and the customer doesn't apply the patch within 72 hours of that release, they will be vulnerable to exploitation."
This is not theoretical speculation. It is this hard reality that is forcing vendors to redesign their security infrastructure from the core up. Last week, Ivanti released Connect Secure (ICS) version 25.X, which Riemer calls "concrete evidence" of the company's commitment to confronting this threat directly.
At DEF CON 33, AmberWolf researchers showed that this threat is real, demonstrating complete authentication bypasses in Zscaler, Netskope, and Check Point by exploiting vulnerabilities that had been known for months: Zscaler's failure to validate SAML assertions (CVE-2025-54982), Netskope's non-revocable OrgKey that grants access without credentials, and Check Point's encrypted SFTP keys that exposed tenant logs. All of the flaws remained open and exploitable for more than 16 months after initial disclosure.
Why Kernel Security Matters
The kernel is the central coordinator of everything that happens in a computing device, controlling memory, processes, and hardware.
If an attacker compromises the kernel, they have seized full control of the device and gained a foothold from which the entire network can be compromised. Every other layer of security, whether application, platform, or endpoint protection, is bypassed once attackers control the kernel.
Almost all operating systems are built on the concept of privilege rings. Applications run in user mode with limited access; the kernel runs in kernel mode with full control. When adversaries break through this barrier, they have reached what many security researchers consider the holy grail: control of entire systems and networks.
The new version of Ivanti Connect Secure, 25.X, addresses this reality head-on. It includes secure boot protection, disk encryption, key management, a secure factory reset, a modern secure web server, and a web application firewall (WAF), all designed to harden key parts of the system and significantly deter external threats.
"In the past year, we have significantly advanced our Secure by Design strategy, translating our commitment into real action through significant investments and an expanded security team," Riemer explained. "This release represents tangible evidence of our commitment. We listened to our customers, invested in both technology and talent, and updated Ivanti Connect Secure to provide the flexibility and peace of mind our customers expect and deserve."
From operating system rings to deployment rings: a more complete defense strategy
While OS rings define privilege levels, modern patch management has adopted its own ring strategy to combat the 72-hour exploit window.
Ring deployment is an automated, phased patching strategy that rolls updates out incrementally: a test ring to validate with core IT, an early adopter ring for compatibility testing, and a production ring for enterprise-wide deployment.
This approach addresses the speed crisis directly. Ring deployment achieves 99% patch success within 24 hours on up to 100,000 PCs, according to Gartner research. Ponemon Institute research shows that organizations take an alarming average of 43 days to detect cyberattacks even after a patch has been released.
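The promotion logic behind a ring rollout is easy to get wrong in the direction that matters: a ring that never reports must not promote, and a ring with enough failures should roll back immediately rather than wait out its soak time. The following is an added example, not Ivanti's, Gartner's, or any product's code. The ring names follow the article; the success thresholds, soak times, per-ring deadlines (which sum to the article's 72-hour window) and the telemetry are constructed for illustration.

```python
"""Ring deployment: promote a patch test -> early_adopter -> production only
when each ring's success and soak criteria hold, within a 72-hour budget.

Added example; thresholds and telemetry are hypothetical, not from the article.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RingPolicy:
    name: str
    min_success: float   # share of the ring's hosts that must report success
    soak_hours: int      # hours the ring must run clean before promotion
    deadline_hours: int  # escalate if the ring has not promoted by then


# Hypothetical policies: deadlines sum to 72 h, the exploit window in the article.
RINGS = (
    RingPolicy("test", 0.95, 4, 8),
    RingPolicy("early_adopter", 0.98, 8, 16),
    RingPolicy("production", 0.99, 0, 48),
)


def evaluate_ring(policy, reports, hours_in_ring):
    """Decide for one ring. reports maps host -> 'ok' | 'failed' | 'pending'.
    Pending hosts count against success, so a silent ring never promotes."""
    counts = Counter(reports.values())
    total = len(reports)
    if total == 0:
        raise ValueError(f"ring {policy.name} has no hosts")
    # Enough failures to make min_success unreachable: stop now, do not wait out the soak.
    if counts["failed"] > (1.0 - policy.min_success) * total:
        return "rollback"
    if counts["ok"] / total >= policy.min_success and hours_in_ring >= policy.soak_hours:
        return "promote"
    if hours_in_ring >= policy.deadline_hours:
        return "escalate"   # stalled: deadline reached without meeting the bar
    return "hold"


def run_rollout(membership, events, rings=RINGS, horizon_hours=72):
    """Replay hourly telemetry and return the (hour, ring, action) decisions,
    stopping at the first rollback or escalation.
    membership: ring name -> list of hosts; events: (hour, ring, host, status)."""
    decisions = []
    idx, ring_start = 0, 0
    reports = {h: "pending" for h in membership[rings[0].name]}
    for hour in range(horizon_hours + 1):
        policy = rings[idx]
        for ev_hour, ring, host, status in events:
            if ev_hour == hour and ring == policy.name and host in reports:
                reports[host] = status
        action = evaluate_ring(policy, reports, hour - ring_start)
        if action == "hold":
            continue
        if action == "promote" and idx == len(rings) - 1:
            action = "complete"          # last ring met its bar: rollout finished
        decisions.append((hour, policy.name, action))
        if action != "promote":
            break
        idx, ring_start = idx + 1, hour  # next ring starts its own soak clock
        reports = {h: "pending" for h in membership[rings[idx].name]}
    return decisions


def constructed_scenario():
    """Constructed telemetry (not real data): a few failures per ring, healthy overall."""
    membership = {
        "test": [f"t{i:02d}" for i in range(1, 21)],
        "early_adopter": [f"e{i:03d}" for i in range(1, 101)],
        "production": [f"p{i:04d}" for i in range(1, 1001)],
    }
    events = [(1, "test", h, "ok") for h in membership["test"][:19]]
    events.append((2, "test", "t20", "failed"))
    events += [(6, "early_adopter", h, "ok") for h in membership["early_adopter"][:98]]
    events.append((7, "early_adopter", "e099", "failed"))
    events += [(18, "production", h, "failed") for h in membership["production"][:5]]
    events += [(20, "production", h, "ok") for h in membership["production"][5:997]]
    return membership, events


if __name__ == "__main__":
    for decision in run_rollout(*constructed_scenario()):
        print(decision)
```

With the constructed telemetry the test ring promotes at hour 4 (one failure of 20 is within its 95% bar, but the soak clock has to expire first), early adopters promote at hour 12, and production completes at hour 20, well inside the 72-hour window. Feed it an empty event list and the test ring escalates at its hour-8 deadline instead of silently promoting.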
Jesse Miller, Senior Vice President and Director of Information Technology at Southstar Bank, confirmed: "When judging the impact of something, you need to take everything from current events, your industry, your environment, and more into the equation." His team uses ring deployment to shrink the attack surface as quickly as possible.
Attackers aggressively exploit legacy vulnerabilities: 76% of the vulnerabilities exploited by ransomware were first reported between 2010 and 2019. When kernel access is at stake, every hour of delay multiplies the risk.
The kernel’s dilemma revolves around balancing security and stability
At CrowdStrike's Fal.Con conference, Alex Ionescu, chief technology innovation officer, summed up the problem: "It's now clear that if you want to protect against the bad guys, you need to work in the kernel. But to do so, the reliability of your device is compromised."
The industry is responding with fundamental shifts:
- Microsoft WISP: forces multi-year changes on every Windows security vendor
- Linux has embraced eBPF for safer kernel tooling
- Apple's Endpoint Security Framework enables user-mode operation
Authentication bypass occurs when the kernel is compromised
AmberWolf researchers spent seven months analyzing ZTNA products. Zscaler failed to validate SAML assertions (CVE-2025-54982). Netskope authentication could be bypassed using non-revocable OrgKey values. Check Point's encrypted SFTP keys were exploitable (CVE-2025-3831).
These vulnerabilities have been known for months. Some vendors patched quietly, without serious challenge. As of August 2025, 16 months after disclosure, many organizations are still running exploitable configurations.
Lessons learned from compressing three years of kernel security into 18 months
When nation-state attackers exploited Ivanti Connect Secure in January 2024, the attack validated Ivanti's decision to accelerate its kernel-level security strategy, compressing a three-year project into just 18 months. As Riemer explained, "We had already completed the first phase of the kernel hardening project before the attack. This allowed us to quickly pivot and accelerate our roadmap."
Key achievements included:
- Migrating to 64-bit Oracle Linux: Ivanti replaced the legacy 32-bit CentOS operating system with Oracle Linux 9, significantly reducing the known vulnerabilities associated with legacy open source components.
- Custom SELinux enforcement: Implementing strict SELinux policies initially broke a large number of product features, requiring careful refactoring without compromising security standards. The resulting policy now runs in always-on enforcing mode, Riemer explained.
- Privilege revocation and TPM-based secure boot: Ivanti removed root privileges from critical processes and integrated TPM- and RSA-based secure boot with continuous integrity checks, in line with AmberWolf's findings and recommendations.
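"Removing root privileges from critical processes" sounds like a one-line change, but the order of the calls and the verification afterwards are where daemons usually go wrong. The following is an added illustration, not Ivanti's code and not a description of how Connect Secure does it: a privilege drop for a worker process that clears supplementary groups, switches gid before uid (once the uid is unprivileged the process can no longer change its groups), and then proves the drop held by attempting to regain root and requiring that to fail. The target identity ("nobody", or the current user when not started as root) and the fork-based harness are assumptions for the example.

```python
"""Drop root in a worker process and verify the drop cannot be reversed.

Added illustration, not Ivanti's code. Runs as root (drops to 'nobody') or
unprivileged (nothing to drop, but the verification still runs).
"""
import os
import pwd


def drop_privileges(uid: int, gid: int) -> None:
    """Permanently become uid/gid. Groups first, then gid, then uid: after the
    uid is unprivileged the process has lost CAP_SETGID, so the classic bug of
    calling setuid() before setgid() leaves the original groups behind."""
    if os.getuid() != 0:
        if (uid, gid) != (os.getuid(), os.getgid()):
            raise PermissionError("not root: cannot switch to another identity")
        return
    try:
        os.setgroups([])  # discard supplementary groups such as wheel/sudo
    except PermissionError:
        # Some user namespaces deny setgroups(); tolerate it only if no root group remains.
        if 0 in os.getgroups():
            raise
    os.setgid(gid)  # as root this sets real, effective and saved gid
    os.setuid(uid)  # as root this sets real, effective and saved uid: irreversible


def privileges_are_dropped() -> bool:
    """True only if no uid/gid is 0 and an attempt to regain root is refused."""
    ids = (os.getuid(), os.geteuid(), os.getgid(), os.getegid(), *os.getgroups())
    if 0 in ids:
        return False
    try:
        os.setuid(0)          # must fail with EPERM
    except PermissionError:
        return True
    return False              # regained root: the drop was incomplete


def target_identity():
    """Unprivileged target: 'nobody' when root (hypothetical choice), else ourselves."""
    if os.getuid() == 0:
        try:
            pw = pwd.getpwnam("nobody")
            return pw.pw_uid, pw.pw_gid
        except KeyError:
            return 65534, 65534
    return os.getuid(), os.getgid()


def drop_in_child(uid: int, gid: int) -> bool:
    """Fork, drop in the child, and report whether the drop held. This keeps the
    caller's identity intact, the same shape as a privilege-separated worker."""
    pid = os.fork()
    if pid == 0:
        ok = False
        try:
            drop_privileges(uid, gid)
            ok = privileges_are_dropped()
        finally:
            os._exit(0 if ok else 1)   # never fall back into the parent's code path
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    uid, gid = target_identity()
    print("drop held:", drop_in_child(uid, gid))
```

The check in privileges_are_dropped is the part worth copying: a process that merely reports a non-zero effective uid may still hold a saved uid of 0 and switch back, so the only trustworthy test is that setuid(0) is refused.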
A series of independent penetration tests followed, none of which resulted in a successful compromise; observed threat actors typically abandoned their attempts within three days.
Riemer told VentureBeat that members of the global intelligence community actively monitored threat actors probing the hardened systems. "They experimented with older TTPs, focusing on web server exploits. They pretty much gave up after about three days," Riemer said.
The decision to move to the kernel level was not a panic response. "We already had plans in place in 2023 to address this before we were attacked," Riemer said. The conversation that settled the decision took place in Washington, DC. "I sat down with an IT director at a federal agency and asked him frankly: will the US government need an on-premises L3 VPN solution in the future?" Riemer recalled. "His response was that there would always be a mission need for an on-premises L3 VPN-type solution in order to give the warfighter encrypted communications access."
The future beyond kernel security includes eBPF and behavior monitoring
Gartner's Emerging Technology Impact Radar: Cloud Security report rates eBPF's impact as "High", with one to three years to early-majority adoption. "Using eBPF allows for enhanced visibility and security without relying solely on kernel-level proxies," Gartner notes.
Most cybersecurity vendors are investing heavily in eBPF. "Today, almost our entire customer base runs the Falcon sensor on eBPF," Ionescu said during his keynote at this year's Fal.Con. "We have been part of that journey as eBPF members."
Palo Alto Networks has also emerged as a major player in eBPF-based security, investing heavily in the technology for its Cortex XDR and Prisma Cloud platforms. This architectural transformation allows Palo Alto Networks to provide deep visibility into system calls, network traffic, and process execution while maintaining system reliability.
The convergence of CrowdStrike, Palo Alto Networks, and other major vendors on eBPF technology signals a fundamental shift—providing the security visibility security teams need without the risk of catastrophic failure.
Defensive strategies that work
Patching is often relegated to the list of tasks that get put off because many security teams are under-resourced and chronically short of time. Those are exactly the conditions adversaries count on when they choose victims.
If a company does not prioritize cybersecurity, it can take months or even years before a patch is applied. That is what adversaries look for. Patterns emerge across victim industries that share a common trait: procrastination on system maintenance in general and security patching in particular.
Based on interviews with breach victims whose incidents began with missing patches that were sometimes years old, VentureBeat identified the following immediate steps they take to reduce the likelihood of being hit again:
Automate patching now. Monthly cycles are obsolete. Tony Miller, VP of Enterprise Services at Ivanti, emphasized that ring deployment eliminates the reactive patching scramble that leaves organizations exposed during the critical 72-hour window.
Audit kernel-level security. Ask vendors about their eBPF/ESF/WISP migration plans and timelines.
Layer defenses. This matters in any cybersecurity strategy, but it is crucial to get it right. "Whether it's an SELinux profile, avoiding root privileges, an updated web server, or a WAF, every layer has stopped attacks," Riemer said.
Demand transparency. "Another vendor was attacked in November 2023. This information was not available until August 2024," Riemer revealed. "This is why Ivanti publicly commits to transparency."
Bottom line
Kernel-level transformation is not optional. It is survival when weaponized AI can turn a patch into an exploit in three days.
Ivanti Connect Secure 25.X represents what is possible when a vendor fully commits to kernel-level security, not as a reactive measure, but as a fundamental architectural principle. Gartner’s strategic planning assumption is troubling: "By 2030, at least 80% of enterprise Windows endpoints will still rely on hybrid endpoint protections, which increases the attack surface and requires stringent validation."
Organizations must use what they have now, automate immediately, and prepare for architectural disruption. As Gartner emphasizes, combining ring deployment with integrated compensating controls, including endpoint protection platforms, multi-factor authentication, and network segmentation as part of a broader Zero Trust framework, lets security teams minimize their windows of exposure.
2025-10-10 15:35:00