RC RANDOM CHAOS

The patch opens the attack window.

The Coming Loop is the collapsing gap between vulnerability disclosure and mass exploitation of internet-facing appliances - and why edge telemetry stays blind.

Mandiant put the 2023 median time-to-exploit at five days. In 2018 and 2019 it was sixty-three. The interval between a vulnerability becoming public and being weaponised at scale collapsed by an order of magnitude in five years. That collapse is the mechanism. Not any single CVE.

Call it the Coming Loop. Disclosure lands. A proof-of-concept follows within hours to days. Mass scanning starts before the first maintenance window closes. Patch deployment across an enterprise fleet takes weeks. Detection content for the specific technique lags the patch. The result is a repeating window in which the exploit exists, the fix is available, and neither is deployed. Attackers operate inside that window on purpose.

The enabling condition is asymmetry in cycle time. Disclosure is instantaneous and global. A CVE record, a vendor advisory, a source commit that reverts the vulnerable code path - all public the moment they publish. Patching is not instantaneous. It is gated by change control, maintenance windows, dependency regression testing, and the operational cost of taking a system offline. For internet-facing appliances such as VPN concentrators, file-transfer gateways, and load balancers, the gate is heaviest, because the device is load-bearing and rebooting it drops production connections. The CISA Known Exploited Vulnerabilities catalog exists precisely because this gap is measurable. Entries are added after in-the-wild exploitation is confirmed, which means the catalog is a record of windows that already opened.

The patch diff is itself an exploitation accelerant. When a vendor ships a fix, the delta between vulnerable and patched code names the bug. Bindiff the two binaries. The changed function is the sink. A bounds check that appears only in the patched build tells a researcher exactly where the overflow lived and what input reaches it. N-day development from a patch diff is faster than zero-day research by construction. The hard part, finding the bug, is already done and already published. The vendor’s transparency becomes the attacker’s specification.

The exploit path is consistent. Target class is the unauthenticated pre-auth RCE or the authentication bypass on a public-facing service. MITRE T1190, exploit public-facing application. The attacker needs no foothold, no credentials, no phish. The service is reachable from the internet and the flaw sits in the request-handling path before authentication runs.

The shape is visible in real cases. CVE-2023-34362, MOVEit Transfer, a SQL injection in a pre-auth HTTP handler, CVSS 9.8. Cl0p had a working chain staged before disclosure and reached more than 2,700 organisations in weeks. CVE-2024-3400, PAN-OS GlobalProtect, command injection through a crafted session cookie, CVSS 10.0, exploited as a zero-day and then mass-exploited once the request format was public. CVE-2023-4966, Citrix Bleed, an out-of-bounds read that leaked session tokens from appliance memory, CVSS 9.4. That token leak bypassed MFA because the stolen token replayed an already-authenticated session. CVE-2024-1709, ConnectWise ScreenConnect, an authentication bypass via path traversal in the setup wizard, CVSS 10.0, moved from PoC to mass exploitation in under forty-eight hours.

The pattern across all four is identical. Pre-auth or auth-bypass. Public-facing. Trivial to trigger once the request is understood. High privilege on success, because these are administrative appliances that sit at the trust boundary. The vulnerability class varies across SQL injection, command injection, out-of-bounds read, and path traversal. The position in the network does not.

Weaponisation is industrialised because the window is short. Scanning fleets fingerprint the vulnerable version banner and the response signature of the affected endpoint. Mass-exploitation frameworks carry the payload and the post-exploitation dropper. The first movers are ransomware affiliates and initial-access brokers who convert exploitation into a foothold and either sell it or detonate it. Cl0p’s MOVEit run was extortion at scale with no encryption stage, exfiltration only. Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887 chained into auth bypass plus command injection, drew both state-nexus actors and commodity crews inside the same window. The vulnerability is a shared resource. Everyone who can read the advisory is a participant, and the advisory reaches all of them at once.

Telemetry is where the loop wins. The exploited devices are edge appliances, and edge appliances do not run EDR. There is no Sysmon on a Citrix NetScaler. There is no Defender agent on a PAN-OS firewall. There is no telemetry sensor on a MOVEit gateway. The stack that produces process-creation events, LSASS-access alerts, and parent-child anomalies is absent on exactly the systems the Coming Loop targets. The blind spot is structural. It is a property of appliance architecture, not a misconfiguration a team forgot to fix.

What exists on those devices is network and application logs. Pre-auth exploitation of a web-facing service produces HTTP requests. Those requests reach WAF and reverse-proxy logs only if logging is enabled at request-body granularity, which on high-throughput edge devices it frequently is not, because full-body capture is expensive. A webshell dropped after exploitation writes a new file to the appliance and, on later use, generates request traffic to a path that did not exist the day before. Command-and-control from a compromised appliance produces NetFlow. A firewall or gateway initiating outbound connections to a host it has never contacted is signal, but only if egress from the DMZ is baselined. Most egress from the DMZ is not baselined, because the assumption is that traffic flows inbound to those devices, not outbound from them.
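One way to do the DMZ egress baselining this paragraph calls for, as an added example that is not from the original post: it reads constructed NetFlow-style records, learns which external (src, dst, port) triples the appliances initiated during a baseline window, and flags any later appliance-initiated flow to a destination outside that set. The DMZ range, internal ranges, listen ports and every record are constructed, and the code assumes each record's src is the side that opened the connection.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed values: the DMZ that holds the VPN concentrator, file-transfer
# gateway and load balancer, the RFC 1918 ranges behind it, and the ports the
# appliances listen on (so the reply half of an inbound session is not counted
# as egress). Assumes each record's src is the side that opened the connection.
DMZ = ip_network("203.0.113.0/28")
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
LISTEN_PORTS = {443, 4443}

Flow = namedtuple("Flow", "ts src sport dst dport")  # ts: epoch seconds

def is_appliance_egress(f):
    """True for a flow an appliance opened towards a non-internal host."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if src not in DMZ or f.sport in LISTEN_PORTS:
        return False
    return dst not in DMZ and not any(dst in n for n in INTERNAL)

def build_baseline(flows, until_ts):
    """(src, dst, dport) triples the appliances initiated before until_ts."""
    return {(f.src, f.dst, f.dport) for f in flows
            if f.ts < until_ts and is_appliance_egress(f)}

def new_egress(flows, baseline, since_ts):
    """Appliance-initiated external flows absent from the baseline: the
    'host it has never contacted' signal, oldest first."""
    hits = [f for f in flows if f.ts >= since_ts and is_appliance_egress(f)
            and (f.src, f.dst, f.dport) not in baseline]
    return sorted(hits, key=lambda f: f.ts)

# Constructed sample records: normal egress (vendor update server, NTP, an
# inbound VPN session's reply half, LDAP to an internal DC), then the
# appliance reaching a host it has never talked to, repeatedly.
SAMPLE = [
    Flow(100, "203.0.113.5", 51000, "198.51.100.10", 443),  # update check
    Flow(200, "203.0.113.5", 51001, "198.51.100.20", 123),  # NTP
    Flow(300, "203.0.113.5", 443, "198.51.100.99", 52222),  # reply to VPN client
    Flow(400, "203.0.113.5", 51002, "10.0.0.9", 389),       # LDAP to internal DC
    Flow(900, "203.0.113.5", 51003, "198.51.100.10", 443),  # update check again
    Flow(910, "203.0.113.5", 51004, "192.0.2.77", 443),     # first-seen destination
    Flow(920, "203.0.113.5", 51005, "192.0.2.77", 443),     # repeats: beacon-like
]

if __name__ == "__main__":
    base = build_baseline(SAMPLE, until_ts=800)
    for f in new_egress(SAMPLE, base, since_ts=800):
        print(f"ALERT new egress {f.src} -> {f.dst}:{f.dport} at t={f.ts}")
```

A real deployment keys the baseline per appliance and rebuilds it on a rolling window; the point here is that the only records needed come from the firewall in front of the DMZ, not from an agent on the appliance.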

What does not fire is the endpoint alert defenders are trained to chase. No malicious process on a monitored host. No credential-dumping event in Windows Security logs. The first observable in many of these intrusions is lateral movement inland from the appliance. That is one hop too late. By the time an internal host logs an anomalous authentication from the appliance’s address, the foothold is established and the device is already trusted by the internal network. The appliance is inside the perimeter it was bought to defend.

Detection content lags the patch because detection is written against observed exploitation, not against the advisory. A Sigma rule or a WAF signature for a specific injection string requires someone to capture live exploitation traffic, extract the indicator, validate it against false positives, and publish it. That sequence completes after in-the-wild use, not before. So the detection curve trails the exploitation curve, and the exploitation curve trails disclosure by days. Three curves, staggered. The distance between them is the operating window, and the window is measured in the same units as the median time-to-exploit.

The patch boundary is not the end of exposure. A patched appliance that was compromised during the window is still compromised. The webshell, the planted local account, and the harvested session token persist through the update. Citrix Bleed made this explicit. Applying the fix for CVE-2023-4966 closed the memory leak but did not invalidate tokens already stolen from appliance memory. Session termination was a separate, mandatory remediation step, and it was widely skipped, so attackers replayed valid sessions against fully patched devices. Post-patch residual exposure is the default assumption for any device that was internet-reachable during a mass-exploitation event, not an edge case.

The Coming Loop is not a vulnerability to be fixed. It is a timing property of a disclosure system optimised for transparency running against a deployment system constrained by operations. The interval will not close, because the two halves are governed by different physics. Publication is free. Patching is expensive. Under the SOCI Act, critical infrastructure operators in Australia carry mandatory incident reporting on this exact class of edge compromise, and the reportable event frequently predates any endpoint alert the SOC would normally trust. The defensible position follows from the mechanism. Treat every internet-facing appliance as exploitable within days of the next advisory. Log egress from the DMZ as if the appliance is already hostile. Escalate suspected edge compromise to the incident team, not the patch queue. Active exploitation of a public-facing device is an incident, not a maintenance ticket. Route it accordingly.
