# 3.4 Vulnerability and Patch Management

# Goals

Vulnerability and patch management is the process of finding known weaknesses, deciding what must be fixed first, applying updates or mitigations, and proving the issue was handled.

Attackers do not need a new technique when an old vulnerability is still open.

The company needs a repeatable process for operating systems, applications, browsers, servers, network devices, websites, SaaS platforms, cloud systems, third-party software, and business-critical tools.

This section covers the protection work: patching, mitigation, ownership, timelines, verification, and reporting.

# Step 1: Assign Vulnerability and Patch Management Owners

Name the people responsible for the process.

| Role | Responsibility |
|---|---|
| Process Owner | Owns the full vulnerability and patch management process |
| Technical Owner | Applies patches, fixes systems, or coordinates with MSP/vendor |
| Business Owner | Approves downtime, outage windows, and business-impact decisions |
| Executive Sponsor | Escalates overdue critical issues and approves exceptions |
| MSP or Vendor Contact | Handles managed systems or vendor-supported platforms |

Do not leave this as “IT handles patches.”

Record who owns each platform: Microsoft 365, Google Workspace, servers, laptops, firewalls, routers, VPNs, websites, databases, cloud platforms, and business applications.

# Step 2: Define the Scope

List the systems covered by the patch process.

| System Area | Examples |
|---|---|
| Endpoints | Windows laptops, MacBooks, Linux workstations |
| Servers | Windows Server, Linux servers, file servers, database servers |
| Network Devices | Firewalls, routers, switches, VPN appliances, Wi-Fi controllers |
| SaaS Platforms | Microsoft 365, Google Workspace, CRM, accounting, payroll, HR |
| Cloud Platforms | AWS, Azure, Google Cloud, hosted databases, storage services |
| Websites | CMS, plugins, themes, hosting control panel, web server, database |
| Business Applications | Accounting, ERP, CRM, inventory, ticketing, project tools |
| Security Tools | EDR, backup tools, password manager, firewall consoles |
| Developer Tools | Code repositories, CI/CD tools, dependencies, containers |
| Mobile Devices | iPhones, Android devices, tablets |
| Printers and IoT | Printers, cameras, NVRs, door systems, smart office devices |

Anything connected to company data or company operations belongs in scope.

# Step 3: Build the Patch Register

Create one tracker for patch status and vulnerabilities.

| Field | What to Record |
|---|---|
| Asset or System | Name of system, device, application, or platform |
| Owner | Business owner and technical owner |
| System Type | Endpoint, server, SaaS, cloud, website, network device, database |
| Current Version | Installed operating system, firmware, software, or package version |
| Latest Available Version | Current vendor-supported version |
| Vulnerability ID | CVE, vendor advisory ID, scanner finding, or ticket ID |
| Severity | Critical, High, Medium, Low |
| Exploited in the Wild | Yes, No, or Unknown |
| Internet-Facing | Yes or No |
| Business Critical | Yes or No |
| Sensitive Data | Yes or No |
| Required Action | Patch, upgrade, mitigate, isolate, remove, replace, or accept exception |
| Due Date | Date remediation is required |
| Status | Open, in progress, patched, mitigated, exception, deferred |
| Verification | Scan result, version check, screenshot, ticket, or report |
| Notes | Downtime, compatibility, vendor dependency, business issue |

A spreadsheet is acceptable for many SMEs. The important part is keeping the tracker alive.

# Step 4: Use Trusted Vulnerability Sources

Use trusted sources to know what matters.

| Source | Link | Use |
|---|---|---|
| CISA Known Exploited Vulnerabilities Catalog | CISA KEV Catalog | Prioritize vulnerabilities already known to be exploited |
| CISA Cybersecurity Advisories | CISA Advisories | Track urgent public advisories and vendor-specific threats |
| NIST National Vulnerability Database | NVD | Look up CVEs, severity, references, and affected products |
| CVE.org | CVE.org | Identify official CVE records |
| FIRST EPSS | FIRST EPSS | Estimate likelihood that a vulnerability may be exploited |
| CVSS Calculator | NVD CVSS Calculator | Review technical severity scoring |
| CIS Control 7 | CIS Continuous Vulnerability Management | Use as a control framework for vulnerability management |
| CISA CPG 2.0 | CISA Cybersecurity Performance Goals 2.0 | Baseline patch and vulnerability management expectations |

Also monitor vendor advisories for key systems:

| Vendor Area | Link |
|---|---|
| Microsoft Security Response Center | MSRC Update Guide |
| Apple Security Releases | Apple Security Releases |
| Google Cloud Security Bulletins | Google Cloud Security Bulletins |
| Google Workspace Updates | Google Workspace Updates |
| Cisco Security Advisories | Cisco Advisories |
| Fortinet PSIRT | Fortinet PSIRT |
| Palo Alto Networks Advisories | Palo Alto Networks Advisories |
| GitHub Advisory Database | GitHub Advisory Database |
| WordPress Security | WordPress Security Releases |

Do not rely only on news articles. Use official advisories and scanner results for action.

# Step 5: Run Regular Vulnerability Scans

Use scanning to find missing patches, exposed services, weak versions, risky software, and known vulnerabilities.

Suggested scan frequency:

| Asset Type | Minimum Frequency |
|---|---|
| Internet-facing systems | Weekly and after major changes |
| Critical servers | Weekly or monthly |
| Standard endpoints | Monthly |
| Network devices | Monthly or quarterly |
| Websites | Weekly or monthly |
| Cloud platforms | Monthly or continuous where possible |
| Developer dependencies | On every major change or pull request |
| SaaS platforms | Quarterly configuration and access review |
| Emergency scan | Immediately after an urgent advisory affecting technology in use |

Scanning without remediation is not progress. Every scan must produce actions.

# Step 6: Prioritize What Must Be Fixed First

Do not patch only by severity score.

Prioritize using business and attacker context.

| Priority Signal | Meaning |
|---|---|
| Known Exploited | Listed in CISA KEV or confirmed exploited in the wild |
| Internet-Facing | Exposed to the public internet |
| Critical Business System | Supports revenue, operations, finance, customer service, identity, or backups |
| Sensitive Data | Stores or accesses customer, employee, financial, credential, or confidential data |
| Exploit Available | Public exploit code or easy exploitation path exists |
| High Privilege Impact | Exploitation gives admin, root, domain, cloud, or system control |
| No Authentication Required | Attack can work without a valid login |
| Easy Automation | Attack can be performed at scale |
| Ransomware-Relevant | Used by ransomware groups or access brokers |
| Vendor Critical Advisory | Vendor marks issue as urgent or actively exploited |

A “Critical” vulnerability on an unused internal test system may matter less than a “High” vulnerability on a public VPN or firewall.

# Step 7: Set Remediation Timelines

Create clear timelines.

| Risk Level | Target Timeline |
|---|---|
| Emergency | 24 to 72 hours |
| Critical | 7 days |
| High | 14 days |
| Medium | 30 days |
| Low | 60 to 90 days |
| Unsupported or End-of-Life | Replace, isolate, or remove under a defined plan |

Use faster timelines for exploited, internet-facing, identity, backup, firewall, VPN, remote access, website, and business-critical systems.

Use written exceptions when a deadline cannot be met.
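The triage rule from Step 6 and the timelines from Step 7, with the Step 9 emergency triggers, as an added worked example (this code is not part of the original guide). The weighting (one step up per attacker-context signal, one step up for any business-context signal, one step down when an asset has neither) and the halved timeline for exposed, fast-track, and business-critical systems are assumptions chosen to reproduce the guide's own comparison of a Critical on an unused test box against a High on a public VPN; asset names and ticket IDs are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil


@dataclass
class Finding:
    """One patch-register row (Step 3), reduced to the fields triage needs."""
    asset: str
    finding_id: str                 # CVE, advisory ID, scanner finding, or ticket ID
    severity: str                   # scanner or vendor severity: Critical, High, Medium, Low
    known_exploited: bool = False   # listed in CISA KEV or confirmed exploited in the wild
    internet_facing: bool = False
    business_critical: bool = False
    sensitive_data: bool = False
    exploit_available: bool = False
    no_auth_required: bool = False
    high_privilege_impact: bool = False
    fast_track: bool = False        # identity, backup, firewall, VPN, remote access, or website system


SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
RISK_LEVELS = ["Low", "Medium", "High", "Critical"]

# Step 7 target timelines in days; the upper bound of each range is the hard due date.
TIMELINE_DAYS = {"Emergency": 3, "Critical": 7, "High": 14, "Medium": 30, "Low": 90}


def risk_level(f: Finding) -> str:
    """Combine scanner severity with Step 6 context signals into a Step 7 risk level."""
    # Step 9 emergency triggers: known exploited, or public exploit code against an
    # exposed or fast-track (identity, backup, VPN, ...) system.
    if f.known_exploited or (f.exploit_available and (f.internet_facing or f.fast_track)):
        return "Emergency"
    rank = SEVERITY_RANK[f.severity]
    attacker_signals = [f.internet_facing, f.exploit_available,
                        f.no_auth_required, f.high_privilege_impact]
    business_signals = [f.business_critical, f.sensitive_data, f.fast_track]
    # Assumed weighting: each attacker-context signal raises the level one step,
    # any business-context signal raises it one step in total.
    rank += sum(attacker_signals) + (1 if any(business_signals) else 0)
    # No exposure and no business context (an unused internal test box): drop one step.
    if not any(attacker_signals) and not any(business_signals):
        rank -= 1
    rank = max(0, min(rank, len(RISK_LEVELS) - 1))
    return RISK_LEVELS[rank]


def due_date(f: Finding, found_on: date) -> date:
    """Due date from the Step 7 table; exposed, fast-track, and critical systems get half the time."""
    days = TIMELINE_DAYS[risk_level(f)]
    if f.internet_facing or f.fast_track or f.business_critical:
        days = ceil(days / 2)
    return found_on + timedelta(days=days)


def triage(f: Finding, found_on_iso: str) -> dict:
    """Register-ready result: risk level and due date as ISO strings."""
    found = date.fromisoformat(found_on_iso)
    return {"asset": f.asset, "finding_id": f.finding_id,
            "risk_level": risk_level(f), "due": due_date(f, found).isoformat()}


if __name__ == "__main__":
    # Constructed findings: a Critical on an unused test VM versus a High on a public VPN.
    test_vm = Finding("test-vm-01", "TCK-101", "Critical")
    public_vpn = Finding("vpn-gw-01", "TCK-102", "High", internet_facing=True,
                         no_auth_required=True, fast_track=True)
    for f in (test_vm, public_vpn):
        print(triage(f, "2024-06-03"))
```

The Critical on the isolated test VM lands at High with a 14-day due date, while the High on the public VPN lands at Critical with a 4-day due date; adding public exploit code to the VPN finding moves it to Emergency.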

# Step 8: Create the Standard Patch Cycle

Run a normal monthly patch process.

| Step | Action |
|---|---|
| Review | Check new vendor updates and scan findings |
| Prioritize | Mark emergency, critical, high, medium, and low items |
| Test | Apply to pilot systems where practical |
| Schedule | Set patch windows with business owners |
| Apply | Install updates or mitigations |
| Reboot | Restart systems where required |
| Verify | Confirm version, scan result, or configuration state |
| Record | Update the patch register |
| Report | Summarize open, fixed, overdue, and excepted items |

A patch is not complete until it is verified.

# Step 9: Create an Emergency Patch Process

Some vulnerabilities cannot wait for the next monthly cycle.

Trigger the emergency process when:

| Trigger | Example |
|---|---|
| Known exploited vulnerability | Vulnerability appears in CISA KEV |
| Internet-facing system affected | Firewall, VPN, website, mail gateway, remote access system |
| Ransomware activity reported | Vulnerability is being used in ransomware campaigns |
| Vendor says active exploitation | Advisory confirms active exploitation |
| Public exploit released | Working exploit code is available |
| Critical identity platform affected | Active Directory, Entra ID, SSO, MFA, VPN |
| Backup platform affected | Backup console, storage, or recovery system exposed |
| Customer or regulator requires action | Contract, insurance, or regulatory driver |

Emergency patching must have a named owner, decision maker, communication path, and verification step.

# Step 10: Test Before Wide Rollout

Patches can break systems.

Test first where practical.

| Test Area | What to Check |
|---|---|
| Login | Users can still sign in |
| Business Apps | Accounting, CRM, payroll, ERP, file storage, and web apps still work |
| Printing and Scanning | Office workflows still work where needed |
| VPN and Remote Access | Remote users can still connect |
| Email | Mail flow and authentication still work |
| Backup Agent | Backups still run |
| EDR or Antivirus | Security agent still works |
| Website | Website pages, forms, payment flows, and admin login still work |
| Database | Applications can still connect |
| Integrations | APIs, plugins, and automations still run |

For emergency patches, testing may be shorter. Document what was tested.

# Step 11: Patch Endpoints

Patch laptops and desktops consistently.

Check:

| Endpoint Area | Requirement |
|---|---|
| Operating System | Current and supported |
| Browser | Updated automatically |
| Office Applications | Updated |
| PDF Tools | Updated |
| Video Meeting Tools | Updated |
| Remote Access Tools | Updated |
| Security Agent | Updated |
| Device Drivers | Updated where security-relevant |
| Firmware | Updated where needed |
| Reboot Status | Reboots completed |
| Unsupported Software | Removed |
| Old Versions | Removed |

Endpoints that never reboot often remain unpatched.

Track reboot compliance.

# Step 12: Patch Servers

Servers need coordinated patching.

Check:

| Server Area | Requirement |
|---|---|
| Operating System | Supported and patched |
| Server Applications | Updated |
| Database Software | Updated |
| Web Server | Updated |
| Runtime Environments | Java, .NET, PHP, Python, Node.js, OpenSSL |
| Backup Agent | Updated |
| Security Agent | Updated |
| Remote Access Services | Updated |
| Reboot Plan | Scheduled and approved |
| Snapshot or Backup | Confirmed before major changes |
| Rollback Plan | Defined before critical updates |
| Verification | Version check or vulnerability scan after patching |

Servers that cannot be patched quickly need compensating controls.

# Step 13: Patch Network and Edge Devices

Firewalls, VPN appliances, routers, switches, Wi-Fi controllers, and remote access gateways are high-value targets.

Check:

| Device Area | Requirement |
|---|---|
| Firmware | Current and supported |
| VPN Software | Updated |
| Management Interface | Not exposed to the internet unless explicitly approved |
| Admin Accounts | Reviewed |
| MFA | Enabled where available |
| Configuration Backup | Taken before update |
| Vendor Advisory | Reviewed |
| End-of-Support Status | Checked |
| Reboot Window | Scheduled |
| Verification | Firmware version confirmed after update |

Edge devices are commonly missed because they do not look like normal computers.

Do not ignore them.

# Step 14: Patch Websites and CMS Platforms

Public websites need a regular update process.

Check:

| Website Area | Requirement |
|---|---|
| CMS Core | Updated |
| Plugins | Updated |
| Themes | Updated |
| Web Server | Updated |
| PHP or Runtime | Supported and updated |
| Database | Supported and updated |
| Hosting Panel | Updated |
| Admin Users | Reviewed |
| Backup | Taken before updates |
| Staging Test | Used where practical |
| Security Scan | Run after major update |
| Unused Plugins | Removed |
| Unsupported Themes | Removed |

A vulnerable website can become a foothold, spam source, malware host, or data leak.

# Step 15: Patch Cloud Systems and Containers

Cloud environments need patch visibility too.

Check:

| Cloud Area | Requirement |
|---|---|
| Cloud VMs | Patched like servers |
| Managed Databases | Maintenance windows reviewed |
| Containers | Base images updated |
| Kubernetes | Cluster version and node versions supported |
| Serverless Dependencies | Runtime versions reviewed |
| Storage Tools | Client tools updated |
| Infrastructure as Code | Scanned for insecure versions and settings |
| Images | Rebuilt after critical base image updates |
| Secrets | Rotated if exposure is suspected |
| Public Exposure | Reviewed after major changes |

Containers are not automatically safe because they are rebuilt often. Old base images can carry old vulnerabilities.

# Step 16: Patch Third-Party Applications

Many attacks target common business software.

Check:

| Software Type | Examples |
|---|---|
| Browsers | Chrome, Edge, Firefox, Safari |
| PDF Tools | Adobe Reader, Foxit, PDF editors |
| Office Tools | Microsoft Office, LibreOffice |
| Meeting Tools | Zoom, Teams, Webex |
| Remote Tools | AnyDesk, TeamViewer, Splashtop, VPN clients |
| File Tools | 7-Zip, WinRAR, compression tools |
| Developer Tools | Git, IDEs, SDKs, package managers |
| Java and Runtimes | Java, .NET, Node.js, Python, PHP |
| Security Tools | EDR, backup, VPN, password manager clients |

Do not focus only on the operating system.

Third-party applications often create the easier path.

# Step 17: Manage Software Dependencies

Companies that build websites, applications, scripts, or internal tools need dependency management.

Check:

| Dependency Area | Requirement |
|---|---|
| Package Files | package.json, requirements.txt, Gemfile, pom.xml, go.mod, composer.json |
| Dependency Scanning | Enabled |
| Pull Request Alerts | Enabled where available |
| Critical Library Updates | Prioritized |
| Abandoned Packages | Replaced |
| Vulnerable Containers | Rebuilt |
| Secrets | Scanned separately |
| Lockfiles | Maintained |
| CI/CD | Scans run during build or pull request |
| Exceptions | Documented |

Developer dependency risk belongs in the patch process. A vulnerable library can expose the application even when servers are patched.

# Step 18: Handle Systems That Cannot Be Patched

Some systems cannot be patched immediately.

Record the reason and apply temporary protection.

| Situation | Temporary Control |
|---|---|
| Vendor patch not available | Apply vendor mitigation or disable affected feature |
| Legacy system | Isolate network access and plan replacement |
| Patch breaks application | Apply compensating control and retest |
| Device out of support | Replace or isolate |
| Business cannot accept downtime | Schedule approved emergency window |
| Unsupported SaaS limitation | Restrict access and escalate to vendor |
| Vulnerable public service | Remove from internet exposure if possible |

Unpatched systems must not disappear from the register.

They need owners, due dates, and compensating controls.

# Step 19: Verify Remediation

Do not close a vulnerability because someone says it was patched.

Verify it.

| Verification Method | Example |
|---|---|
| Version Check | Confirm installed version |
| Vulnerability Rescan | Scanner no longer detects the issue |
| Configuration Check | Mitigation setting confirmed |
| Vendor Console | Patch status confirmed |
| Endpoint Report | Device shows compliant |
| Command Output | OS, package, or firmware version checked |
| Website Scan | CMS, headers, TLS, or plugin issue no longer detected |
| Ticket Evidence | Screenshot, log, or report attached |

Close the issue only after verification.

# Step 20: Track Exceptions

Exceptions are allowed only when they are documented.

| Exception Field | What to Record |
|---|---|
| Vulnerability | CVE, advisory, or finding |
| Affected System | System or asset name |
| Reason | Compatibility, vendor issue, business constraint, legacy system |
| Business Owner | Person accepting the risk |
| Technical Owner | Person managing mitigation |
| Compensating Control | Isolation, firewall rule, access restriction, monitoring, disabled feature |
| Expiration Date | Date exception must be reviewed |
| Approval | Manager or executive approving exception |
| Review Result | Renewed, fixed, replaced, or removed |

An exception with no expiration date is not an exception. It is unmanaged risk.

# Step 21: Remove End-of-Life Systems

End-of-life software and devices are a security problem.

Track:

| End-of-Life Item | Required Action |
|---|---|
| Unsupported operating system | Upgrade or replace |
| Unsupported server | Replace or isolate temporarily |
| Unsupported firewall or VPN | Replace |
| Unsupported website runtime | Upgrade |
| Unsupported database | Upgrade or migrate |
| Unsupported application | Replace or remove |
| Unsupported mobile device | Remove from company access |
| Unsupported plugin or theme | Remove or replace |

Do not keep unsupported systems connected because they are “still working.”

Working is not the same as safe.

# Step 22: Report Progress

Create a simple monthly report.

Include:

| Metric | Meaning |
|---|---|
| Critical vulnerabilities open | Count still unresolved |
| High vulnerabilities open | Count still unresolved |
| Overdue vulnerabilities | Count past due date |
| Internet-facing open issues | Public exposure still unresolved |
| KEV-related findings | Known exploited vulnerabilities present |
| Patch compliance | Percentage of systems current |
| Failed patch jobs | Systems where updates failed |
| Exceptions | Active risk acceptances |
| End-of-life systems | Unsupported systems still present |
| Mean time to remediate | Average time to fix by severity |

Leadership does not need every scanner detail. They need to know whether dangerous exposure is going down.
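The monthly report metrics above computed from register rows, as an added worked example rather than code from the guide. The register rows are constructed samples using the Step 3 fields; the rule that a system counts as "current" only when it has no unresolved finding (exceptions are reported on their own line) is an assumption.

```python
from collections import defaultdict
from datetime import date

OPEN_STATES = {"open", "in progress", "deferred"}   # still unresolved
CLOSED_STATES = {"patched", "mitigated"}             # verified fixes

# Constructed register rows (Step 3 fields); asset names and ticket IDs are invented.
REGISTER = [
    {"asset": "fw-edge-01", "finding": "TCK-201", "severity": "Critical", "status": "open",
     "found": "2024-05-20", "due": "2024-05-27", "closed": None,
     "internet_facing": True, "exploited": "Yes", "eol": False},
    {"asset": "fw-edge-01", "finding": "TCK-202", "severity": "High", "status": "patched",
     "found": "2024-05-01", "due": "2024-05-15", "closed": "2024-05-10",
     "internet_facing": False, "exploited": "No", "eol": False},
    {"asset": "srv-file-02", "finding": "TCK-203", "severity": "High", "status": "in progress",
     "found": "2024-05-25", "due": "2024-06-08", "closed": None,
     "internet_facing": False, "exploited": "No", "eol": False},
    {"asset": "srv-file-02", "finding": "TCK-204", "severity": "Critical", "status": "patched",
     "found": "2024-05-02", "due": "2024-05-09", "closed": "2024-05-05",
     "internet_facing": False, "exploited": "Unknown", "eol": False},
    {"asset": "legacy-erp-01", "finding": "TCK-205", "severity": "Medium", "status": "exception",
     "found": "2024-04-10", "due": "2024-05-10", "closed": None,
     "internet_facing": False, "exploited": "No", "eol": True},
    {"asset": "lt-0042", "finding": "TCK-206", "severity": "Low", "status": "mitigated",
     "found": "2024-04-01", "due": "2024-06-30", "closed": "2024-04-20",
     "internet_facing": False, "exploited": "No", "eol": False},
    {"asset": "www-shop", "finding": "TCK-207", "severity": "Medium", "status": "open",
     "found": "2024-05-28", "due": "2024-06-27", "closed": None,
     "internet_facing": True, "exploited": "Unknown", "eol": False},
]


def monthly_report(register: list, as_of_iso: str) -> dict:
    """Compute the Step 22 metrics from register rows as of a given date."""
    as_of = date.fromisoformat(as_of_iso)
    open_rows = [r for r in register if r["status"] in OPEN_STATES]
    assets = {r["asset"] for r in register}
    assets_with_open = {r["asset"] for r in open_rows}
    fix_times = defaultdict(list)
    for r in register:
        if r["status"] in CLOSED_STATES and r["closed"]:
            days = (date.fromisoformat(r["closed"]) - date.fromisoformat(r["found"])).days
            fix_times[r["severity"]].append(days)
    return {
        "critical_open": sum(r["severity"] == "Critical" for r in open_rows),
        "high_open": sum(r["severity"] == "High" for r in open_rows),
        "overdue": sum(date.fromisoformat(r["due"]) < as_of for r in open_rows),
        "internet_facing_open": sum(r["internet_facing"] for r in open_rows),
        "kev_related_open": sum(r["exploited"] == "Yes" for r in open_rows),
        # A system is current when it has no unresolved finding (assumed definition).
        "patch_compliance_pct": round(
            100 * (len(assets) - len(assets_with_open)) / max(len(assets), 1), 1),
        "exceptions": sum(r["status"] == "exception" for r in register),
        "eol_systems": len({r["asset"] for r in register if r["eol"]}),
        "mean_days_to_remediate": {sev: round(sum(v) / len(v), 1) for sev, v in fix_times.items()},
    }


if __name__ == "__main__":
    for metric, value in monthly_report(REGISTER, "2024-06-03").items():
        print(f"{metric}: {value}")
```

Run against the sample rows as of 2024-06-03, the report shows one overdue Critical on the internet-facing firewall that is also a known exploited vulnerability, which is the kind of line leadership needs to see before any scanner detail.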

# Step 23: Review the Process Regularly

Review the patch process at least quarterly.

Check:

| Review Area | Question |
|---|---|
| Scope | Are all important systems included? |
| Coverage | Are laptops, servers, SaaS, cloud, websites, and network devices covered? |
| Timelines | Are critical and high issues fixed on time? |
| Exceptions | Are exceptions still valid? |
| Tools | Are scanners and patch tools working? |
| Evidence | Can the company prove patches were applied? |
| Owners | Are system owners still correct? |
| EOL Systems | Are unsupported systems being removed? |
| Emergency Process | Did urgent patching work when needed? |

Patch management gets weaker when nobody checks the process.

# Places Commonly Missed

| Missed Area | What to Check |
|---|---|
| Firewalls and VPNs | Firmware, advisories, admin exposure, remote access bugs |
| Routers and Switches | Firmware and management access |
| Wi-Fi Controllers | Firmware, old admin accounts, guest network settings |
| Printers and Scanners | Firmware, default passwords, exposed admin pages |
| Website Plugins | WordPress, Drupal, Joomla, Shopify apps, CMS extensions |
| Website Runtime | PHP, Node.js, Java, Python, Ruby, .NET |
| Database Software | MySQL, PostgreSQL, SQL Server, MongoDB, Redis |
| Backup Software | Backup console, agents, storage appliances |
| Security Tools | EDR, antivirus, firewall manager, vulnerability scanner |
| Remote Support Tools | AnyDesk, TeamViewer, Splashtop, RMM agents |
| Browsers | Chrome, Edge, Firefox, Safari |
| PDF and Archive Tools | Adobe Reader, Foxit, 7-Zip, WinRAR |
| Developer Tools | Git, IDEs, SDKs, CI/CD runners |
| Code Dependencies | npm, pip, Maven, NuGet, Composer, Go modules |
| Containers | Base images, Kubernetes nodes, cluster versions |
| SaaS Platforms | Admin settings, connected apps, integrations |
| Domain Registrar | Admin portal security and DNS control |
| DNS Provider | API tokens, old records, admin access |
| Endpoints That Never Reboot | Patches downloaded but not installed |
| Former Employee Devices | Lost patch visibility |
| Shadow IT | Apps bought directly by departments |

# Recommended Tools and Resources

| Tool or Resource | Link | Type | Best Use |
|---|---|---|---|
| CISA KEV Catalog | CISA KEV Catalog | Free resource | Prioritizing vulnerabilities known to be exploited |
| NVD | NVD | Free resource | CVE research, CVSS scores, affected products, references |
| FIRST EPSS | EPSS | Free resource | Exploit likelihood scoring |
| CVE.org | CVE.org | Free resource | Official CVE records |
| Greenbone Community Edition | Greenbone Community Edition | Open-source | Network vulnerability scanning |
| Nmap | Nmap | Open-source | Finding open ports, exposed services, and basic service versions |
| Nuclei | Nuclei | Open-source | Fast vulnerability and exposure scanning using templates |
| Wazuh | Wazuh | Open-source | Endpoint visibility, vulnerability detection, configuration monitoring |
| osquery | osquery | Open-source | Query endpoint state, software versions, and configuration |
| Lynis | Lynis | Open-source | Linux, macOS, and Unix security auditing |
| OpenSCAP | OpenSCAP | Open-source | Compliance and vulnerability checks using SCAP content |
| Trivy | Trivy | Open-source | Vulnerability scanning for containers, filesystems, repositories, IaC, and dependencies |
| Grype | Grype | Open-source | Vulnerability scanning for container images and filesystems |
| Syft | Syft | Open-source | Software bill of materials generation |
| OWASP Dependency-Check | OWASP Dependency-Check | Open-source | Dependency vulnerability scanning |
| Renovate | Renovate | Open-source | Automated dependency update pull requests |
| Dependabot | Dependabot | Free or included with GitHub | Dependency alerts and automated update pull requests |
| pip-audit | pip-audit | Open-source | Python dependency vulnerability scanning |
| npm audit | npm audit | Included with npm | Node.js package vulnerability checks |
| Composer Audit | Composer Audit | Included with Composer | PHP dependency vulnerability checks |
| Microsoft Intune | Microsoft Intune | Commercial, often bundled | Endpoint update management and device compliance |
| Windows Update for Business | Windows Update for Business | Included with Windows business management | Windows update policy and rollout management |
| Windows Server Update Services | WSUS | Included with Windows Server | On-premises Microsoft patch management |
| Microsoft Defender Vulnerability Management | Microsoft Defender Vulnerability Management | Commercial | Vulnerability management for Microsoft endpoint environments |
| PDQ Deploy and Inventory | PDQ | Affordable commercial | Windows software deployment, patching, and inventory |
| Action1 | Action1 | Free tier and commercial | Remote patch management and endpoint control |
| ManageEngine Patch Manager Plus | Patch Manager Plus | Commercial with free edition options | Patch management for Windows, macOS, Linux, and third-party apps |
| Chocolatey | Chocolatey | Free and commercial | Windows package management and software updates |
| winget | Windows Package Manager | Free | Windows software installation and updates |
| Homebrew | Homebrew | Open-source | macOS and Linux package management |
| WPScan | WPScan | Free and commercial options | WordPress vulnerability scanning |
| SSL Labs Server Test | SSL Labs SSL Test | Free | TLS and HTTPS configuration testing |
| Security Headers | Security Headers | Free | Website security header checks |
| Mozilla Observatory | Mozilla Observatory | Free | Website security configuration checks |
| Prowler | Prowler | Open-source and commercial | Cloud security assessment for AWS, Azure, Google Cloud, Kubernetes |
| ScoutSuite | ScoutSuite | Open-source | Cloud security posture assessment |
| Steampipe | Steampipe | Open-source | Query cloud, SaaS, and infrastructure configuration |
| Snipe-IT | Snipe-IT | Open-source and hosted | Asset tracking to support patch scope |
| GLPI | GLPI | Open-source | IT asset and service management |

# Practical Tool Stack for SMEs

| Company Type | Suggested Stack |
|---|---|
| Very Small Company | Microsoft 365 or Google Workspace admin reports, automatic updates, Excel or Google Sheets tracker, Nmap, Security Headers, SSL Labs |
| Microsoft-Based SME | Microsoft Intune, Windows Update for Business, Microsoft Defender Vulnerability Management, PDQ, Windows LAPS, Microsoft Secure Score |
| Google Workspace SME | Google Admin reports, endpoint management where available, third-party endpoint patch tool, website scanners, CISA KEV monitoring |
| Windows-Focused Company | PDQ Deploy and Inventory, Action1, ManageEngine Patch Manager Plus, Windows Update for Business, WSUS where needed |
| Linux or Self-Hosted Company | Greenbone, Wazuh, Lynis, OpenSCAP, Ansible, Nmap, Trivy |
| Website-Heavy Company | WPScan, Nuclei, SSL Labs, Security Headers, Mozilla Observatory, CMS vendor advisories |
| Developer or Software Company | Dependabot, Renovate, OWASP Dependency-Check, Trivy, Grype, Syft, pip-audit, npm audit |
| Cloud-Heavy Company | Prowler, ScoutSuite, Steampipe, Trivy, cloud-native security tools |

# Vulnerability and Patch Management Register Template

| Field | What to Record |
|---|---|
| Finding ID | Scanner ID, CVE, vendor advisory, or ticket |
| System | Affected system or asset |
| Owner | Technical owner and business owner |
| Vulnerability | Short description |
| Severity | Critical, High, Medium, Low |
| Exploited | Yes, No, Unknown |
| Internet-Facing | Yes or No |
| Business Critical | Yes or No |
| Sensitive Data | Yes or No |
| Required Action | Patch, upgrade, mitigate, isolate, replace, remove, or exception |
| Due Date | Required completion date |
| Status | Open, in progress, complete, exception, deferred |
| Verification | Evidence that the fix worked |
| Exception | Yes or No |
| Notes | Compatibility, downtime, vendor support, business impact |

# Expected Outputs from This Section

At the end of this section, the company should have:

  • A named vulnerability and patch management owner.
  • A defined scope of systems covered.
  • A vulnerability and patch register.
  • Trusted vulnerability sources.
  • A regular scanning schedule.
  • A prioritization method based on exploitation, exposure, business criticality, and severity.
  • A standard monthly patch cycle.
  • An emergency patch process.
  • Documented remediation timelines.
  • Patch coverage for endpoints, servers, network devices, websites, cloud systems, SaaS tools, and third-party applications.
  • Dependency scanning for code and software projects where applicable.
  • A process for systems that cannot be patched.
  • Verification evidence for completed fixes.
  • An exception register.
  • An end-of-life system list.
  • A monthly patch status report.
  • A quarterly review process.

# Objectives

Do not measure patch management by effort; measure it by closed exposure.

A company should leave this section able to say:

“We know which vulnerabilities affect us, which systems are exposed, what must be fixed first, who owns the fix, when it is due, and how we proved it was remediated.”