Weaponized AI can dismantle patches in 72 hours — but Ivanti's kernel defense can help

Adversaries, from cybercrime gangs to nation-state attack teams, are fine-tuning AI tooling with one goal: turning a newly released patch into a working exploit in three days or less.
The quicker the exploit, the more time an adversary has to explore a victim's network, exfiltrate data, install ransomware, or establish persistence that can last for months or years. Traditional, manual patching has become a liability, leaving entire organizations exposed to AI-assisted attacks.
"Threat actors are reverse engineering patches, and the speed at which they're doing it has been enhanced greatly by AI," Mike Riemer, SVP of Network Security Group and Field CISO at Ivanti told VentureBeat in a recent interview. "They're able to reverse engineer a patch within 72 hours. So if I release a patch and a customer doesn't patch within 72 hours of that release, they're open to exploit."
This isn't theoretical speculation. It's the hard reality forcing vendors to rearchitect their security infrastructure from the kernel up. Last week, Ivanti released Connect Secure (ICS) version 25.X, which Riemer calls "tangible evidence" of the company's commitment to meeting this threat head-on.
At DEF CON 33, researchers from AmberWolf showed how long such windows stay open, demonstrating complete authentication bypasses in Zscaler, Netskope, and Check Point products: Zscaler's failure to validate SAML assertions (CVE-2025-54982), Netskope's credential-free OrgKey access, and Check Point's hard-coded SFTP keys exposing tenant logs. All three were flaws that remained open and exploitable more than 16 months after initial disclosure.
Why kernel security matters
The kernel is the central orchestrator of everything that happens in a computing device, controlling memory, processes, and hardware.
If an attacker compromises the kernel, they have seized total control of the device, and that foothold can scale to compromising an entire network. Every other security layer, application, platform, or safeguard is bypassed once attackers control the kernel.
Nearly all operating systems enforce rings of privilege. Applications run in user mode with limited access; the kernel runs in kernel mode with complete control. When adversaries break that barrier, they have reached what many security researchers consider the holy grail: a position from which a single system, and then an entire network, can be compromised.
Ivanti's new release directly addresses this reality. Connect Secure 25.X runs on an enterprise-grade Oracle Linux operating system with strong Security-Enhanced Linux (SELinux) enforcement that can limit a threat actor's abilities within the system. The solution includes Secure Boot protection, disk encryption, key management, secure factory reset, a modern secure web server, and Web Application Firewall (WAF), all designed to secure key aspects of the system and significantly deter external threats.
"In the past year, we've significantly advanced our Secure by Design strategy, translating our commitment into real action through substantial investments and an expanded security team," Riemer explained. "This release stands as tangible evidence of our commitment. We listened to our customers, invested in both technology and talent, and modernized the security of Ivanti Connect Secure to provide the resilience and peace of mind our customers expect and deserve."
From OS rings to Deployment Rings: A more complete defense strategy
While operating system rings define privilege levels, modern patch management has adopted its own ring strategy to combat the 72-hour exploit window.
Ring deployment provides a phased, automated patching strategy that rolls out updates incrementally: a Test Ring for core IT validation, an Early Adopter Ring for compatibility testing, and a Production Ring for enterprise-wide rollout.
This approach directly addresses the speed crisis. Ring deployment achieves 99% patch success within 24 hours for up to 100,000 PCs, according to Gartner research. Ponemon Institute research shows organizations take an alarming average of 43 days to detect cyberattacks even after a patch is released.
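The ring strategy above, and the "automate patching immediately" advice later on this page, both come down to one decision loop: promote the patch to the next ring only when the previous ring has met its success threshold and soaked long enough, halt if failures exceed the threshold, and track the whole rollout against the 72-hour window. The following is an added example, not Ivanti's code or any vendor's; the ring names, thresholds and soak times are assumptions chosen for illustration, and the scenarios in demo() are constructed inputs.

```python
"""Ring-deployment promotion gate (illustrative, not a vendor implementation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

EXPLOIT_WINDOW = timedelta(hours=72)   # the window discussed in the article


@dataclass(frozen=True)
class Ring:
    name: str
    min_success: float   # fraction of targets that must report success
    soak: timedelta      # minimum time the ring must run before promotion


@dataclass
class RingResult:
    targets: int
    succeeded: int
    failed: int
    started_at: datetime


# Assumed plan; real thresholds are an organisational choice.
PLAN = [
    Ring("test", 1.00, timedelta(hours=4)),
    Ring("early_adopter", 0.98, timedelta(hours=12)),
    Ring("production", 0.99, timedelta(hours=0)),
]


def decide(results, now, released_at, plan=PLAN):
    """Return the next action for the rollout.

    results maps ring name -> RingResult for rings already deployed to.
    Returns "deploy:<ring>", "hold:<ring>", "halt:<ring>" or "done";
    a "late-" prefix marks decisions taken after the 72-hour window closed.
    """
    prefix = "late-" if now - released_at > EXPLOIT_WINDOW else ""
    for ring in plan:
        r = results.get(ring.name)
        if r is None:
            return f"{prefix}deploy:{ring.name}"
        if r.targets == 0:                      # nothing to judge yet
            return f"{prefix}hold:{ring.name}"
        # Failures are judged against targets, not against reports, so a ring
        # whose agents never check in cannot silently pass.
        if r.failed > 0 and r.failed / r.targets > 1 - ring.min_success:
            return f"{prefix}halt:{ring.name}"
        soaked = now - r.started_at >= ring.soak
        if r.succeeded / r.targets < ring.min_success or not soaked:
            return f"{prefix}hold:{ring.name}"
    return "done"


def demo():
    """Constructed scenarios; returns the decision for each."""
    released = datetime(2025, 9, 1, 9, 0)
    test_ok = RingResult(50, 50, 0, released)
    test_bad = RingResult(50, 49, 1, released)
    ea_ok = RingResult(500, 495, 3, released + timedelta(hours=5))
    prod_ok = RingResult(10_000, 9_950, 20, released + timedelta(hours=20))
    return {
        "fresh": decide({}, released, released),
        "test_passed": decide({"test": test_ok}, released + timedelta(hours=6), released),
        "test_soaking": decide({"test": test_ok}, released + timedelta(hours=1), released),
        "test_failed": decide({"test": test_bad}, released + timedelta(hours=6), released),
        "all_passed": decide({"test": test_ok, "early_adopter": ea_ok, "production": prod_ok},
                             released + timedelta(hours=24), released),
        "late": decide({"test": test_ok}, released + timedelta(hours=80), released),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:>12}: {action}")
```

The test ring is held to 100% on purpose: a single failure there is cheap to investigate and expensive to discover in production, which is the whole point of the staging.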
Jesse Miller, SVP and director of IT at Southstar Bank, emphasized: "When judging how impactful something can be, you have to take everything from current events, your industry, your environment and more into the equation." His team uses ring deployment to reduce their attack surface as quickly as possible.
Attackers aggressively exploit legacy vulnerabilities: 76% of the vulnerabilities leveraged by ransomware were reported between 2010 and 2019. When kernel access is at stake, every hour of delay compounds the risk.
The kernel dilemma: balancing security against stability
At CrowdStrike's Fal.Con conference, Chief Technology Innovation Officer Alex Ionescu laid out the problem: "By now, it's clear that if you want to protect against bad actors, you need to operate in the kernel. But to do that, the reliability of your machine is put at risk."
The industry is responding with fundamental shifts:
Microsoft's WISP mandates multi-year changes for every Windows security vendor.
Linux embraced eBPF for safer kernel instrumentation.
Apple's Endpoint Security Framework enables user-mode operation.
Authentication bypasses: what the AmberWolf research found
AmberWolf researchers spent seven months analyzing ZTNA products. Zscaler failed to validate SAML assertions (CVE-2025-54982). Netskope's authentication could be bypassed using non-revocable OrgKey values. Check Point had hard-coded SFTP keys (CVE-2025-3831).
These vulnerabilities existed for months. Some vendors patched quietly without issuing CVEs. As of August 2025, 16 months after disclosure, many organizations still used exploitable configurations.
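The Zscaler finding above is a failure to validate a SAML assertion before trusting the identity inside it. The following is an added example, not code from any vendor discussed on this page, showing the bug pattern beside the fix. It is deliberately simplified: real SAML uses XML Signature with the IdP's certificate, whereas here the signature is an HMAC-SHA256 over the serialized <Assertion> with a shared key, which stands in for the signature check and keeps the example to the Python standard library. The element layout, entity IDs, request ID and key are assumptions, and the assertions in demo() are constructed inputs.

```python
"""Trusting a SAML-style assertion before verifying it, and the hardened form.

Simplified illustration: HMAC with a shared key stands in for XMLDSig.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

IDP_KEY = b"shared-idp-key-for-illustration"       # assumed; stand-in for the IdP signing key
SP_ENTITY_ID = "https://sp.example.invalid/metadata" # assumed service-provider entity ID
ISSUED_REQUESTS = {"_req-123"}                       # AuthnRequest IDs this SP actually sent

# Constructed sample assertion.
GOOD_ASSERTION = (
    '<Assertion ID="_a1">'
    '<Subject><NameID>alice@example.invalid</NameID>'
    '<SubjectConfirmation><SubjectConfirmationData InResponseTo="_req-123"/>'
    '</SubjectConfirmation></Subject>'
    '<Conditions NotBefore="2025-09-01T09:00:00+00:00" NotOnOrAfter="2025-09-01T09:05:00+00:00">'
    '<AudienceRestriction><Audience>https://sp.example.invalid/metadata</Audience>'
    '</AudienceRestriction></Conditions></Assertion>'
)


def canonical(assertion: ET.Element) -> bytes:
    # Parse-then-serialize gives a stable byte form regardless of input whitespace.
    return ET.tostring(assertion, encoding="utf-8")


def sign(assertion_xml: str, key: bytes = IDP_KEY) -> str:
    """What the IdP side does: MAC over the canonical assertion, base64-encoded."""
    mac = hmac.new(key, canonical(ET.fromstring(assertion_xml)), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_response(assertion_xml: str, signature_b64: str) -> str:
    return f"<Response>{assertion_xml}<Signature>{signature_b64}</Signature></Response>"


def vulnerable_user(response_xml: str) -> str:
    """Bug pattern: reads NameID straight out of the response, never checks the signature."""
    root = ET.fromstring(response_xml)
    return root.find("./Assertion/Subject/NameID").text


def hardened_user(response_xml: str, now: datetime, key: bytes = IDP_KEY) -> Optional[str]:
    """Returns NameID only if signature, audience, validity window and
    InResponseTo all check out; otherwise None (fail closed)."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("./Assertion")
    if len(assertions) != 1:                 # reject wrapped or duplicated assertions
        return None
    assertion = assertions[0]
    sig_el = root.find("./Signature")
    if sig_el is None or not sig_el.text:    # unsigned response is not acceptable
        return None
    try:
        presented = base64.b64decode(sig_el.text, validate=True)
    except ValueError:
        return None
    expected = hmac.new(key, canonical(assertion), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time compare
        return None
    cond = assertion.find("./Conditions")
    aud = None if cond is None else cond.find("./AudienceRestriction/Audience")
    if aud is None or aud.text != SP_ENTITY_ID:        # assertion meant for another SP
        return None
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None:
        return None
    if not (datetime.fromisoformat(nb) <= now < datetime.fromisoformat(na)):
        return None
    scd = assertion.find("./Subject/SubjectConfirmation/SubjectConfirmationData")
    if scd is None or scd.get("InResponseTo") not in ISSUED_REQUESTS:  # replay/unsolicited
        return None
    return assertion.find("./Subject/NameID").text


def demo() -> dict:
    """Constructed cases: a genuine response, a forged NameID with the old signature, and a stale one."""
    now = datetime(2025, 9, 1, 9, 1, tzinfo=timezone.utc)
    sig = sign(GOOD_ASSERTION)
    good = build_response(GOOD_ASSERTION, sig)
    forged = build_response(GOOD_ASSERTION.replace("alice@", "admin@"), sig)
    return {
        "vulnerable_good": vulnerable_user(good),
        "vulnerable_forged": vulnerable_user(forged),
        "hardened_good": hardened_user(good, now),
        "hardened_forged": hardened_user(forged, now),
        "hardened_expired": hardened_user(good, now + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:>18}: {user}")
```

The order of checks matters: the signature is verified before any attribute of the assertion is read, so audience, time window and InResponseTo are only ever evaluated on data the IdP actually signed.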
Lessons learned from compressing 3 years of kernel security into 18 months
When nation-state attackers exploited Ivanti Connect Secure in January 2024, it validated Ivanti’s decision to rapidly advance its kernel-level security strategy, compressing a three-year project into just 18 months. As Riemer explained, "We had already completed phase one of the kernel-hardening project before the attack. That allowed us to quickly pivot and accelerate our roadmap.”
Key accomplishments included:
Migration to 64-bit Oracle Linux: Ivanti replaced an outdated 32-bit CentOS base with Oracle Linux 9, significantly reducing known vulnerabilities tied to legacy open-source components.
Custom SELinux enforcement: Implementing strict SELinux policies initially broke a significant number of product features, requiring careful refactoring without loosening the policy. The resulting solution now runs in permanent enforcing mode, Riemer explained.
Process de-privileging and secure boot with TPM: Ivanti removed root privileges from critical processes and integrated TPM-based secure boot with RSA-based integrity checks, aligning with AmberWolf's research recommendations and findings.
A series of independent penetration tests followed, and none achieved a successful compromise. In live observation, threat actors typically abandoned their attempts within three days.
Riemer explained to VentureBeat that global intelligence community customers actively watched threat actors probe the hardened systems. "They tried old TTPs, pivoted to web server exploits. They pretty much gave up after about three days," Riemer said.
The decision to go kernel-level wasn't a panic response. "We actually had plans in place in 2023 to address this before we ever got attacked," Riemer said. The conversation that sealed the decision happened in Washington, DC. "I sat down with the CIO of a federal agency, and I asked him flat out: Is there going to be a need for the U.S. government to have an L3 VPN solution on-prem in the future?" Riemer recalled. "His response was that there would always be a mission need for an L3 VPN on-prem type solution in order to give encrypted communication access to the warfighter."
The future beyond kernel security includes eBPF and Behavioral Monitoring
Gartner's Emerging Tech Impact Radar: Cloud Security report rates eBPF as having "high" mass with 1-3 years to early majority adoption. "The use of eBPF allows for enhanced visibility and security without relying solely on kernel-level agents," Gartner notes.
Most cybersecurity vendors are investing heavily in eBPF. "Today, almost our entire customer base runs Falcon sensor on top of eBPF," Ionescu said during his keynote at this year's Fal.Con. "We've been part of that journey as eBPF foundation members."
Palo Alto Networks has also emerged as a major player in eBPF-based security, investing heavily in the technology for their Cortex XDR and Prisma Cloud platforms. This architectural shift allows Palo Alto Networks to provide deep visibility into system calls, network traffic, and process execution while maintaining system reliability.
The convergence of CrowdStrike, Palo Alto Networks, and other major vendors on eBPF technology signals a fundamental transformation—providing the visibility security teams need without catastrophic failure risks.
Defensive strategies that are working
Patching is often relegated to the pile of tasks that get put off because security teams are short-handed and chronically pressed for time. Those are exactly the conditions adversaries bank on when they choose victims.
It's a sure bet that if a company is not prioritizing cybersecurity, it will be months or even years behind on patching. That's what adversaries look for. Patterns emerge across victims in different industries, and they share a common trait: procrastinating on system maintenance in general and security patching specifically.
Based on interviews with victims of breaches that started with patches sometimes years old, VentureBeat has seen the following immediate steps taken to reduce the probability of being hit again:
Automate patching immediately. Monthly cycles are obsolete. Tony Miller, Ivanti's VP of enterprise services, confirmed ring deployment eliminates the reactive patching chaos that leaves organizations vulnerable during the critical 72-hour window.
Audit kernel-level security. Ask vendors about eBPF/ESF/WISP migration plans and timelines.
Layer defenses. This is table stakes for any cybersecurity strategy but critical to get right. "Whether it was SELinux profiling, root privilege avoidance, an updated web server, or the WAF—each layer stopped attacks," Riemer said.
Demand transparency. "Another vendor had been attacked in November 2023. That information didn't come available until August 2024," Riemer revealed. "This is why Ivanti has been so public about transparency."
The bottom line
Kernel-level transformation isn't optional. It's survival when AI weaponizes vulnerabilities in three days.
Ivanti Connect Secure 25.X represents what's possible when a vendor commits fully to kernel-level security, not as a reactive measure, but as a fundamental architectural principle. Gartner's strategic planning assumption is sobering: "By 2030, at least 80% of enterprise Windows endpoints will still rely on hybrid endpoint protection agents, increasing the attack surface and requiring rigorous validation."
Organizations must harden what they can now, automate immediately, and prepare for architectural upheaval. As Gartner emphasizes, combining ring deployment with integrated compensating controls including endpoint protection platforms, multifactor authentication, and network segmentation as part of a broader zero-trust framework ensures security teams can shrink exposure windows.