CTF Challenge #7: How Fast Can You Patch? The Vulnerability Triage Race
Difficulty: Intermediate | Reading time: 9 minutes | Product tie-in: Patch Management Playbook for Australian SMBs ($97)
TL;DR
- 60% of successful breaches exploit vulnerabilities for which a patch was already available [1]
- This challenge simulates a vulnerability disclosure week — your job is to triage and prioritise correctly
- Patching the wrong thing first (or patching everything at the same rate) is nearly as bad as not patching
- The lil.business Patch Management Playbook gives you the triage framework and schedule templates
The Scenario: The Tuesday Vulnerability Dump
It is Patch Tuesday. Six new CVEs have just been disclosed. You manage IT for a 35-person professional services firm. Your environment:
- 30 Windows 11 workstations
- 3 Windows Server 2022 servers (file server, domain controller, RDS/remote access)
- Microsoft 365 (Exchange Online + SharePoint)
- An on-premises VPN concentrator (Cisco ASA, 6 months since last update)
- A web application firewall (WAF) — internet-facing
- On-premises accounting software (legacy, unsupported)
- One Linux server running an internal HR web portal (internet-accessible from home)
You have one IT contractor who can deploy 2–3 hours of patching per day. You cannot patch everything at once. Every patch requires testing before production deployment because one bad patch killed your file server last year.
Six CVEs, One Challenge
Here are the six CVEs disclosed this Patch Tuesday. Your job: rank them in the order you will patch them, and answer the questions below.
| CVE | Component | CVSS | Description |
|---|---|---|---|
| CVE-A | Cisco ASA VPN | 9.8 Critical | Unauthenticated remote code execution via crafted HTTP request. PoC exploit publicly available. Actively exploited in the wild. |
| CVE-B | Windows 11 Kernel | 7.8 High | Local privilege escalation. Requires authenticated local access. No public exploit. |
| CVE-C | Linux kernel (HR portal) | 8.1 High | Remote code execution via authenticated web request. HR portal is internet-accessible. No public exploit yet. |
| CVE-D | Microsoft Word | 6.5 Medium | Macro-based code execution. Requires user to open a crafted .docx file. Macros are disabled in your environment. |
| CVE-E | Windows Server 2022 | 9.0 Critical | Remote code execution without authentication. Affects SMB protocol on the network. Internal network only — no internet exposure. No public exploit. |
| CVE-F | Legacy accounting software | 5.3 Medium | SQL injection in a report generation feature. Unsupported software — no patch available. Internal network only. |
Question 1: Priority Order
Rank the CVEs from highest to lowest patching priority (1 = patch first).
A) A, C, E, B, D, F
B) E, A, C, B, D, F
C) A, E, C, B, D, F
D) All are equally urgent because they are all disclosed on the same day
Question 2: The Cisco ASA Decision
CVE-A is a 9.8 CVSS, actively exploited, with a public PoC. Your VPN concentrator is your remote access gateway — 20 staff use it daily. The patch requires a 4-hour maintenance window with full VPN downtime.
What do you do TODAY (before the patch is tested)?
A) Wait for the patch to be tested — deploying untested patches is what broke the file server
B) Emergency patch immediately — active exploitation means the testing delay is a higher risk than the patch
C) Enable compensating controls immediately (restrict VPN access to known IPs, enable enhanced logging, notify the vendor) and test-patch within 24 hours — you cannot wait but you also cannot patch without any testing
D) Nothing until the vendor confirms the severity — CVSS scores are sometimes overestimated
Question 3: The No-Patch Available Problem (CVE-F)
The legacy accounting software has a SQL injection vulnerability. There is no patch. You cannot migrate off the software in the next 90 days.
What do you do?
A) Accept the risk — no patch means nothing you can do
B) Implement compensating controls: restrict database access to the accounting software user only, enable WAF rules to filter SQL injection patterns on any web-accessible interface, network-segment the accounting server, and document the risk formally for management approval [2]
C) Immediately decommission the software — unsupported software cannot be used
D) Ask the vendor to backport a patch from their newer version
Question 4: The Windows Server SMB Vulnerability (CVE-E)
CVE-E is a 9.0 CVSS on Windows Server 2022. However, it is only exploitable on the internal network — the SMB port is not exposed to the internet. Your office uses guest Wi-Fi on the same physical network as the server VLAN.
How does network exposure affect priority here?
A) CVSS 9.0 means patch immediately regardless of exposure
B) Internal-only access reduces real-world risk, but the guest Wi-Fi on the same network segment creates a plausible lateral movement path — treat as elevated priority and patch within 48–72 hours, not the standard one-month window [3]
C) Internal-only vulnerabilities are never a priority — patch within normal monthly cycle
D) Network segregation completely mitigates this — no patching needed until next scheduled cycle
Question 5: Patch Management Policy Requirements
Post-incident, your CTO asks you to draft a patch management policy. Which elements must a policy include to satisfy ASD Essential Eight requirements?
A) A schedule for patches — all patches within 30 days
B) A tiered patching schedule: critical/actively-exploited patches within 48 hours, high patches within 2 weeks, medium patches within one month, plus an asset inventory, testing procedure, exception handling process, and regular reporting to management [3]
C) Patches should be applied "as soon as practicable" — specific timeframes create unrealistic pressure
D) Any written patch policy satisfies the requirement regardless of the specific timeframes
Question 6: The Monitoring Gap
You patched CVE-A and CVE-C successfully. Two weeks later, your security monitoring shows an unusual process running on the HR portal server at 2 AM. You cannot tell if this is related to CVE-C exploitation before patching.
What is your first action?
A) Run a malware scan and wait for results
B) Check system logs for activity matching the CVE-C exploitation timeline — specifically look for web requests matching the authentication pattern in the CVE PoC, any new user account creation, or scheduled task modifications in the 3-day window before patching [4]
C) Rebuild the server — if there's any doubt, assume compromise
D) Alert management and wait for their decision — this is outside IT scope
The Answers
Answer 1: C — A, E, C, B, D, F
The correct order:
- CVE-A (Cisco ASA) — 9.8 CVSS, actively exploited, internet-facing, public PoC. This is an emergency.
- CVE-E (Windows Server SMB) — 9.0 CVSS, internal only, but the guest Wi-Fi on the same segment creates an exposure vector. Critical, and dangerous for as long as it stays unpatched.
- CVE-C (Linux HR portal) — 8.1 CVSS, internet-accessible, no public exploit yet — but "yet" can become "today." The authentication requirement buys a little time; prioritise after A and E.
- CVE-B (Windows 11 local privesc) — 7.8 CVSS, requires local authenticated access. Lower real-world risk.
- CVE-D (Word macro) — 6.5 CVSS, but macros are disabled in your environment. Theoretical risk only.
- CVE-F (Legacy software) — No patch available. Mitigate with compensating controls.
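As an added illustration (not code from this page or from the lil.business Playbook), the ranking logic behind this answer expressed as an exposure-adjusted score over the six CVEs from the table; the score weights are this example's assumption, and the deadline tiers follow option B of Question 5.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str
    cvss: float
    internet_facing: bool = False
    actively_exploited: bool = False
    public_poc: bool = False
    requires_auth: bool = False
    reachable_from_untrusted: bool = False   # e.g. guest Wi-Fi on the server segment (CVE-E)
    mitigated: bool = False                  # an existing control blocks the vector (macros off)
    patch_available: bool = True

# The weights below are this example's assumption, not the Playbook's triage matrix.
def priority_score(v: Vuln) -> float:
    """Exposure-adjusted score: CVSS is the base, real-world exposure moves it up or down."""
    score = v.cvss
    score += 4 if v.actively_exploited else 0
    score += 2 if v.public_poc else 0
    score += 2 if v.internet_facing or v.reachable_from_untrusted else 0
    score -= 1 if v.requires_auth else 0
    score -= 4 if v.mitigated else 0
    score -= 3 if not v.patch_available else 0   # no patch: compensating-control track instead
    return score

def sla_hours(v: Vuln):
    """Deadline tier from Question 5 option B (48 h / 2 weeks / 1 month); None = nothing to schedule."""
    if not v.patch_available:
        return None
    if v.actively_exploited or v.cvss >= 9.0:
        return 48
    if v.cvss >= 7.0:
        return 14 * 24
    return 30 * 24

def triage(vulns):
    """Return the patch order, highest priority first."""
    return [v.cve for v in sorted(vulns, key=priority_score, reverse=True)]

# The six CVEs from the challenge table, encoded as attributes.
TUESDAY = [
    Vuln("CVE-A", 9.8, internet_facing=True, actively_exploited=True, public_poc=True),
    Vuln("CVE-B", 7.8, requires_auth=True),
    Vuln("CVE-C", 8.1, internet_facing=True, requires_auth=True),
    Vuln("CVE-D", 6.5, mitigated=True),
    Vuln("CVE-E", 9.0, reachable_from_untrusted=True),
    Vuln("CVE-F", 5.3, patch_available=False),
]
```

Running `triage(TUESDAY)` reproduces the order A, E, C, B, D, F; change `reachable_from_untrusted` on CVE-E to `False` and C overtakes E, which is exactly the topology point Answer 4 makes.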
Answer 2: C — Compensating controls today, tested patch within 24 hours
Pure "test everything before deploying" is a peacetime policy. Active exploitation of an internet-facing 9.8 CVSS vulnerability is not peacetime. The right answer is to immediately reduce the attack surface with compensating controls (IP restriction, enhanced logging) while running an expedited test that gets the patch into production within 24 hours, not on the usual multi-day testing cycle.
Answer 3: B — Compensating controls, network segmentation, formal documented risk
Decommissioning in 90 days is not realistic. "Accept the risk" is not a security posture. The correct answer is risk treatment: document the risk, get management approval, implement the maximum feasible compensating controls, and track it on a remediation timeline.
Answer 4: B — Treat as elevated priority; guest Wi-Fi is a lateral movement path
CVSS scores assume worst-case exposure. But network topology matters. The guest Wi-Fi co-located with the server VLAN is a real attack path — a compromised guest device (or a visitor with a USB stick) could reach the SMB port. This is not a low-priority item.
Answer 5: B — Tiered schedule with specific timeframes + full policy elements
"As soon as practicable" is not a policy — it is an aspiration. ASD Essential Eight Maturity Level 1 specifies concrete timeframes. A real patch management policy needs: tiered timelines, asset inventory, testing procedure, exception management, and management reporting.
Answer 6: B — Check logs for CVE-C exploitation indicators in the pre-patch window
Rebuilding immediately destroys forensic evidence. A malware scan may miss living-off-the-land techniques. The correct first step is log analysis focused on the specific CVE's exploitation indicators — what did an attacker need to do to exploit CVE-C, and do the logs show that pattern in the window before patching?
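An added example, not the page's own tooling, of the log check Answer 6 describes: it restricts constructed syslog and web access log lines to the 3-day window before the CVE-C patch went on and flags new account creation, crontab changes and off-hours successful logins. The log formats, timestamps, patch time and business-hours range are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed inputs (not from the page): when the CVE-C patch went on, and logs around it.
PATCH_TIME = datetime(2025, 3, 12, 18, 0)
SYSLOG = """\
2025-03-08 09:12:01 hrportal useradd[1201]: new user: name=jsmith, UID=1003, GID=1003, home=/home/jsmith
2025-03-10 02:13:44 hrportal useradd[2231]: new user: name=svc_backup, UID=1004, GID=1004, home=/var/tmp/.b
2025-03-10 02:15:09 hrportal crontab[2320]: (www-data) REPLACE (www-data)
2025-03-11 08:00:01 hrportal CRON[2401]: (root) CMD (/usr/bin/apt update)
2025-03-12 18:05:33 hrportal crontab[3102]: (root) REPLACE (root)
"""
ACCESS_LOG = """\
198.51.100.77 - - [10/Mar/2025:02:10:51 +1000] "POST /login HTTP/1.1" 200 512
198.51.100.77 - - [10/Mar/2025:02:11:03 +1000] "POST /admin/users HTTP/1.1" 302 0
203.0.113.10 - - [10/Mar/2025:09:30:12 +1000] "POST /login HTTP/1.1" 200 512
"""
SYSLOG_RE = re.compile(r"^(\S+ \S+) \S+ (useradd|crontab)\[\d+\]: (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [+-]\d{4}\] "(\w+) (\S+) [^"]*" (\d{3})')
BUSINESS_HOURS = range(7, 19)   # assumption: staff log in between 07:00 and 19:00 local time

def in_window(ts, patch_time, days):
    """True when ts falls in the pre-patch window (patch_time - days, patch_time]."""
    return patch_time - timedelta(days=days) < ts <= patch_time

def find_indicators(syslog, access_log, patch_time=PATCH_TIME, days=3):
    """Return (timestamp, indicator, detail) tuples for the pre-patch window, oldest first."""
    hits = []
    for line in syslog.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue   # routine CRON job runs are normal; only account and schedule changes matter
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if not in_window(ts, patch_time, days):
            continue   # after the patch, or older than the window: not evidence of pre-patch abuse
        if m.group(2) == "useradd":
            hits.append((ts, "new account", re.search(r"name=(\w+)", m.group(3)).group(1)))
        elif "REPLACE" in m.group(3):
            hits.append((ts, "crontab modified", m.group(3).split(")")[0].lstrip("(")))
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")   # local time, zone offset dropped
        off_hours = ts.hour not in BUSINESS_HOURS
        if in_window(ts, patch_time, days) and m.group(4) == "/login" and m.group(5) == "200" and off_hours:
            hits.append((ts, "off-hours login", m.group(1)))
    return sorted(hits)
```

With these inputs the three 2 AM events on 10 March surface together, while the routine user creation before the window and the root crontab change after the patch are left out.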
The Patch Management Discipline
Patching sounds simple. In practice it requires: a complete asset inventory, a tested patching procedure, a risk-tiered schedule, an exception management process, and the judgment to know when to break the rules for an emergency.
The lil.business Patch Management Playbook for Australian SMBs gives you all of this: ready-to-use policy templates, a CVE triage matrix, monthly patch cycle schedule, exception approval process, and board reporting template. Built for Essential Eight compliance and sized for a business without a dedicated security operations team.
$97 — Get the Patch Management Playbook
FAQ
What patching timeframes does ASD Essential Eight require?
ASD Essential Eight Maturity Level 1 requires: patches for internet-facing services with critical vulnerabilities within 48 hours when an exploit exists; other critical patches within one month. ML2 adds a 48-hour requirement for all critical OS patches and a two-week requirement for high patches on internet-facing systems.
What is the difference between patch management and vulnerability management?
Patch management is the process of identifying, testing, and deploying software patches. Vulnerability management is broader — it includes discovering vulnerabilities (not just via patches but misconfigurations, design flaws, and unpatched systems), assessing their risk, and tracking remediation including compensating controls where patches aren't available.
What do you do when no patch exists?
When no patch exists, the response is compensating controls: network segmentation to reduce exposure, WAF rules to filter known exploitation patterns, enhanced monitoring for exploitation indicators, formal risk documentation with management approval, and tracking toward a longer-term remediation (migration, decommission, or vendor engagement).
Should patches be tested before deployment?
Standard patches — yes, test first, typically 24–72 hours in a non-production environment. Emergency patches for actively exploited critical vulnerabilities — use a compressed testing cycle and implement compensating controls in the gap. The risk of a bad patch is real, but it is usually recoverable. The risk of active exploitation on an unpatched internet-facing system is often not.
References
[1] Ponemon Institute, "The Cost of Unpatched Systems 2025," Ponemon, 2025. [Online]. Available: https://www.ponemon.org
[2] NIST, "SP 800-40 Rev 4: Guide to Enterprise Patch Management Planning," NIST, 2022. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf
[3] Australian Signals Directorate, "Essential Eight Maturity Model," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
[4] CISA, "Known Exploited Vulnerabilities Catalog," CISA, 2024. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[5] Qualys, "2025 TruRisk Research Report," Qualys, 2025. [Online]. Available: https://www.qualys.com/research/