The Patches You Meant to Install

by James Cavenaugh

May 18, 2026

James Cavenaugh has spent over 20 years helping businesses untangle IT chaos and turn it into a strategic advantage as a business IT and cybersecurity consultant. As the founder of CSM Systems, he brings deep industry experience and a no-nonsense approach to solving complex problems. When your project is stuck or your IT isn’t working for you, James is the one who gets it moving.

In October 2023, Citrix published a patch for a vulnerability in their NetScaler product. The flaw, eventually nicknamed Citrix Bleed, let attackers bypass authentication on systems that hadn’t been updated. Organizations that were running NetScaler had about a month between the patch announcement and mass exploitation.

By December, LockBit ransomware affiliates had breached Boeing, the Industrial and Commercial Bank of China, Comcast/Xfinity, DP World, and Allen & Overy through Citrix Bleed. The CISA advisory on the campaign documented over a dozen named victims, almost all of them organizations with entire security teams, patching policies, and budgets significantly larger than your firm’s. They still hadn’t patched the thing that was on fire.

This happens every quarter. A vulnerability gets published. A patch gets released. Attackers start mass-scanning the internet for unpatched systems. Organizations that patched quickly are fine. Organizations that didn’t, aren’t.

Why patching is actually hard

The naive answer is that firms should “just patch their systems.” The reason that doesn’t happen isn’t that IT is lazy. It’s that patching production systems is genuinely hard, and it’s harder than it sounds.

Every patch carries risk. A patch might break an application. A patch might require a reboot, which takes the system offline during the reboot window. A patch might need to be tested against custom software before you can deploy it. A patch might depend on another patch being installed first. A patch might fix a vulnerability that doesn’t matter to you while not addressing one that does.

For a small firm, the practical reality is that patches pile up faster than anyone reviews them, and “we’ll patch this weekend” becomes “we’ll patch next weekend” becomes “we’ll patch when we have time.” Eventually the patching backlog is measured in months. That’s a normal state for a lot of small firms, and it’s also how firms get breached through vulnerabilities that had patches available for half a year.

The CISA Known Exploited Vulnerabilities catalog is a running list of vulnerabilities that attackers are actively using right now. As of early 2026 it’s over a thousand entries long, and new ones are added every week. Many of those vulnerabilities had patches available long before they showed up in active exploitation. The patches were there. Nobody installed them.

What matters for your firm

You don’t need to patch everything instantly. You need to patch the things attackers are actually using.

CISA’s KEV catalog is the starting point. When a vulnerability gets added to that list, it means the patching clock has already started and attackers are scanning for it. Federal agencies are required to patch KEV vulnerabilities within specific timeframes. Your firm should effectively adopt the same discipline for anything in your environment that shows up on the list.

The practical pattern for a small firm is:

Your IT provider should be subscribed to CISA’s KEV email alerts. When a new vulnerability gets added, they should check whether your firm has any affected systems. If yes, they should patch those systems within days, not weeks. If no, they should document that they checked. This is not exotic work, and it doesn’t require any new tools. It just requires discipline.

For systems that can’t be patched immediately because of application compatibility concerns, there should be a compensating control. Maybe the vulnerable system gets taken off the internet temporarily. Maybe it gets segmented behind additional controls. Maybe it gets closer monitoring while the patch is being tested. The answer is never “leave the vulnerable system exposed and hope.”

The stuff that’s currently on fire

Different categories of systems require different levels of urgency:

Internet-facing systems that accept logins or traffic from the public internet need to be patched fastest. Firewalls, VPNs, remote access gateways, webmail, any cloud service you self-host. These are where attackers look first. Patch within days of a critical CVE. Ideally before.

Workstations and servers inside your firm are slightly less urgent but still important. Windows patches, browser patches, Microsoft Office, PDF readers. The monthly Patch Tuesday cycle covers most of this. Firms that are more than about two months behind on Patch Tuesday are running meaningfully elevated risk.

Phones and tablets get forgotten. Both iOS and Android issue security updates regularly, and users often skip them because rebooting feels inconvenient. Firm devices should be configured to force updates within a defined window. Personal devices used for work should be on a policy requiring the latest OS version.

Third-party software is where the hidden stuff lives. Your practice management tool. Your accounting software. Your legal research tools. Your document management system. Your backup software. Each of these releases security updates that aren’t part of Microsoft’s Patch Tuesday. Your IT provider needs a list of every critical third-party application in your environment and a process for tracking updates. Most don’t have this list, which is why patches for these tools routinely get missed.
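The KEV check described above (match the catalog against your own inventory, patch what matches on a deadline that depends on exposure, and keep a record of what you checked and found not affected) is simple enough to script. This is an added example, not the article's or CISA's code: the KEV entries and the inventory are constructed samples that only borrow the field names of CISA's public KEV JSON feed, the CVE ids are placeholders, and the internal deadlines (days for internet-facing systems, two weeks for internal ones) are assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like CISA's KEV JSON feed (same field names); the
# CVE ids, vendors and products are placeholders, not real catalog entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "DocManager",
     "dateAdded": "2026-05-10", "dueDate": "2026-05-31"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "BackupSuite",
     "dateAdded": "2026-05-12", "dueDate": "2026-06-02"},
]})

# Constructed inventory: vendor/product spelled the way KEV spells them, whether
# the host faces the internet, and CVEs the patch records already show as fixed.
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "ExampleVendor", "product": "EdgeGateway",
     "internet_facing": True, "patched": set()},
    {"host": "dms-01", "vendor": "ExampleVendor", "product": "DocManager",
     "internet_facing": False, "patched": {"CVE-0000-0002"}},
    {"host": "dms-02", "vendor": "ExampleVendor", "product": "DocManager",
     "internet_facing": False, "patched": set()},
]

# Assumed internal deadlines counted from dateAdded: internet-facing systems in
# days, internal systems in two weeks. Both are tighter than CISA's own dueDate.
SLA_DAYS = {True: 3, False: 14}


def check_kev(kev_json, inventory, today_iso):
    """Return (open_findings, cleared_cves). open_findings lists each unpatched
    asset/CVE pair with its internal deadline; cleared_cves lists KEV ids with no
    open finding, so the "we checked and were not affected" record exists."""
    today = date.fromisoformat(today_iso)
    findings, cleared = [], []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        hit = False
        for asset in inventory:
            if (asset["vendor"].lower(), asset["product"].lower()) != key:
                continue
            if entry["cveID"] in asset["patched"]:
                continue  # already remediated on this host
            hit = True
            due = date.fromisoformat(entry["dateAdded"]) + timedelta(days=SLA_DAYS[asset["internet_facing"]])
            findings.append({"host": asset["host"], "cve": entry["cveID"], "cisa_due": entry["dueDate"],
                             "internal_due": due.isoformat(), "overdue": today > due})
        if not hit:
            cleared.append(entry["cveID"])
    return findings, cleared
```

Running `check_kev(KEV_JSON, INVENTORY, "2026-05-18")` flags the internet-facing gateway as overdue, lists the internal document server as open but still inside its window, and records the backup product as checked with no matching asset.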

The NIST guide to vulnerability management, SP 800-40, walks through the full program. For a small firm, you don’t need the whole thing. You need someone tracking vulnerabilities against your environment and patching them on a defensible schedule.

What to ask your IT provider

Two questions.

First, what’s your patching cadence for critical vulnerabilities, and specifically for anything on CISA’s KEV list? If the answer is vague (“we stay on top of it”), press for specifics. If the answer is “we review monthly,” that’s not good enough for KEV.

Second, can you show me the patching status of every internet-facing system at our firm? If they can’t produce a report, they don’t actually know. And if they don’t know, an attacker is going to find out for them eventually, the way LockBit found out about every unpatched Citrix server in late 2023.

Boeing had a bigger security budget than you do, and they got breached through an unpatched system. The lesson isn’t that patching is impossible. The lesson is that patching is a choice that has to be made deliberately, every week, and “we’ll do it later” is a choice too.