This article was published in 2026 and references a historical event from 2025, included here for context and accuracy.
- Tension: Organizations know patching is critical yet consistently delay it, turning a solved problem into a recurring crisis.
- Noise: Security headlines focus on the vendor’s response speed, distracting from the deeper organizational failure of slow patch adoption.
- Direct Message: The real vulnerability in enterprise security is not the software flaw — it’s the culture that tolerates living with known risk.
When Ivanti disclosed a critical vulnerability in its Connect Secure platform in early 2025, the company had technically already fixed it.
A patch had been released on February 11, 2025. By April, when nation-state actors were actively exploiting the flaw to deploy sophisticated malware across enterprise networks, the problem was not that a fix did not exist. It was that organizations had not applied it.
This is the story that keeps repeating itself in enterprise security, and the Ivanti incident is one of the clearest recent examples of how the industry keeps arriving at the same preventable crisis.
The vulnerability, tracked as CVE-2025-22457, was a stack-based buffer overflow in Ivanti Connect Secure VPN appliances. Attackers who exploited it could execute arbitrary code remotely without any authentication.
Google’s Mandiant division attributed the exploitation to a suspected China-linked espionage group, UNC5221, which deployed newly discovered malware families called TRAILBLAZE and BRUSHFIRE alongside the previously documented SPAWN malware ecosystem. These were not opportunistic script kiddies.
These were well-resourced threat actors running sustained campaigns against enterprise edge infrastructure, and they walked straight through a door that organizations had the key to close weeks earlier.
The gap between knowing and doing
What makes the Ivanti situation worth examining closely is how perfectly it illustrates a structural dysfunction in organizational security culture. The vulnerability was publicly disclosed. A patch was available. CISA had urged immediate action.
And still, weeks after the fix existed, enough systems remained unpatched that sophisticated adversaries found it worth their time to build custom malware tooling around the exploit.
This is not unusual. According to a Ponemon report, 54% of respondents cite unpatched software as their top cyber risk concern. The 2025 Verizon Data Breach Investigations Report found that exploitation of known vulnerabilities in enterprise environments increased by roughly 34% year over year.
And yet organizations continue to treat patching as a background task rather than a front-line defense.
The tension here runs deeper than IT workflow. Organizations face genuine operational constraints that make rapid patching difficult.
Applying patches to critical VPN infrastructure can disrupt active connections and require downtime windows. Security and IT teams are often siloed, with different priorities and approval chains.
The Adaptiva State of Patch Management 2025 Report found that 77% of organizations need more than a week to deploy patches enterprise-wide. In that gap between patch availability and patch deployment, threat actors operate.
For Ivanti Connect Secure specifically, the irony compounds. These are VPN appliances, meaning the organizations running them are, by definition, trying to secure remote access. The very tool meant to protect the network perimeter became the entry point because the organizations using it could not move fast enough to protect it.
When vendor accountability becomes a distraction
The headlines around the Ivanti incident, much like similar incidents involving SonicWall, Fortinet, and other edge device manufacturers, tend to focus heavily on the vendor. Did Ivanti respond quickly enough? Did they communicate transparently? Were they too slow to acknowledge active exploitation?
These are legitimate questions, but they risk becoming the primary frame through which organizations process the incident, and that framing is convenient in the wrong way.
When the story becomes about vendor accountability, it allows security teams and organizational leadership to position themselves as victims of someone else’s software quality problem rather than active participants in a risk management failure.
Ivanti had, by any reasonable standard, done the right things. The company released a patch within a reasonable timeframe, acknowledged the exploitation publicly, coordinated with Mandiant and CISA, urged users to upgrade immediately, and provided Integrity Checker Tools to help identify compromise. That is the vendor side of the equation working as designed.
The broken part was on the organizational side. CISA’s Known Exploited Vulnerabilities catalog had accumulated more than 30 Ivanti flaws by mid-2025, suggesting a long-running pattern where organizations simply do not move urgently enough on Ivanti-related patches even after repeated incidents.
When Germany’s BSI found evidence of exploitation traced back to July 2025, the exploitation window had extended for months in some environments. The vendor announcements, the CISA alerts, the security researcher advisories, all of it had been ignored or deprioritized long enough for attackers to establish persistent footholds.
The patch gap as an organizational identity problem
The real vulnerability in enterprise security is not the software flaw. It is the culture that has normalized living with known, fixable risk.
This reframe matters because it changes what the solution looks like. If the problem is a vendor’s code quality, the response is vendor pressure and better software development practices. If the problem is organizational culture, the response requires something more fundamental: treating patch deployment with the same operational urgency as system outages.
IBM’s Cost of a Data Breach Report 2025 put the global average breach cost at $4.44 million — and $10.22 million for U.S. organizations specifically, a record high driven by regulatory penalties and slower detection times. Against that number, the operational disruption of applying a VPN patch on an accelerated timeline becomes a different kind of calculation.
The question organizations keep answering incorrectly is whether the short-term disruption of patching outweighs the risk of staying exposed. The evidence consistently says it does not.
Rebuilding around urgency
The Ivanti incidents of 2025 point toward a few concrete realities that organizations need to absorb.
Edge devices, including VPN gateways, SSL appliances, and network management tools, have become the primary target category for sophisticated state-linked actors precisely because they sit at the perimeter and often run outdated software.
Google’s Threat Intelligence Group assessed that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their history of success. This is not a one-time campaign. It is an ongoing strategic focus.
For security and IT teams, the operational response needs to shift from treating critical edge device patches as items in a regular monthly cycle to treating them as emergency responses when CISA confirms active exploitation.
The distinction between “patch available” and “patch required now” needs to be baked into escalation protocols, not left to judgment calls under pressure.
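As an added example (not the article's own code), here is one way to make the "patch available" versus "patch required now" distinction mechanical rather than a judgment call: a small Python routine joins an asset inventory with CISA KEV-style records and yields an escalation tier plus the exposure window for each asset, which is also the remediation-speed metric the article argues for. The KEV field names (cveID, dateAdded, dueDate) follow CISA's public JSON feed; the inventory, hostnames, dates and CVE-0000-00000 are constructed placeholders, and the KEV dates for CVE-2025-22457 are illustrative, not taken from the catalog.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed KEV-style feed (field names as in CISA's JSON; dates illustrative).
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2025-22457", "vendorProject": "Ivanti", "product": "Connect Secure",
     "dateAdded": "2025-04-01", "dueDate": "2025-04-08"},
]}

@dataclass
class Asset:
    hostname: str
    cve: str
    patch_released: date              # date the vendor fix became available
    patched_on: Optional[date] = None  # None means the fix is still not deployed

def _d(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()

def classify(assets, feed, today: date):
    """One escalation record per asset.
    closed    - fix applied; exposure_days = release-to-deployment window
    emergency - unpatched and CISA confirms exploitation (in KEV); 'overdue' past dueDate
    routine   - unpatched, fix available, no confirmed exploitation
    """
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    records = []
    for a in assets:
        end = a.patched_on or today
        rec = {"hostname": a.hostname, "cve": a.cve,
               "exposure_days": (end - a.patch_released).days}
        if a.patched_on:
            rec["tier"] = "closed"
        elif a.cve in kev:
            rec["tier"] = "emergency"
            rec["overdue"] = today > _d(kev[a.cve]["dueDate"])
        else:
            rec["tier"] = "routine"
        records.append(rec)
    return records

def mean_time_to_remediate(records) -> float:
    """Average exposure window of closed items: the metric worth reporting upward."""
    closed = [r["exposure_days"] for r in records if r["tier"] == "closed"]
    return sum(closed) / len(closed) if closed else 0.0

ASSETS = [  # constructed inventory; 2025-02-11 is the patch date named in the article
    Asset("vpn-gw-01", "CVE-2025-22457", _d("2025-02-11"), _d("2025-02-14")),
    Asset("vpn-gw-02", "CVE-2025-22457", _d("2025-02-11")),
    Asset("build-srv", "CVE-0000-00000", _d("2025-03-01")),  # placeholder CVE, not in KEV
]

def demo():
    return classify(ASSETS, KEV_FEED, date(2025, 4, 15))

if __name__ == "__main__":
    for r in demo():
        print(r)
```

Feeding the real KEV JSON into `KEV_FEED` and a CMDB export into `ASSETS` turns this into a daily report where any "emergency" row is, by policy, an incident rather than a ticket.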
For organizational leadership, the Ivanti story is a useful mirror. Sophisticated adversaries are not waiting for convenient maintenance windows. They are scanning for the gap between patch release and patch deployment, because that gap has consistently proven to be weeks or months wide.
The vulnerability was fixed in February. The exploitation peaked in April. The two-month window was not a technical failure. It was an organizational one, and that is the kind of failure that a patch management policy alone will not fix.
What fixes it is deciding, at a leadership level, that known, patchable risk is not an acceptable steady state. That the cost of the disruption is smaller than the cost of the breach. That speed of remediation is a security metric worth measuring and reporting. The software will always have vulnerabilities. The question is whether the culture around responding to them has finally caught up to the threat.