
teissTalk: Surviving a critical CVE - a high-impact playbook

On 19 June 2025, teissTalk host Jonathan Craven, was joined by Tiago Rosado, Chief Information Security Officer, Asite; Cameron Brown, Head of Cyber Threat and Risk Analytics, Ariel Re; and York von Eichel-Streiber, Product Marketing Manager, NinjaOne.


Views on news


Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the start of the year. The high-severity flaw is an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine, reported by Clement Lecigne and Benoît Sevens of Google's Threat Analysis Group. Google also runs Project Zero, which keeps track of its own vulnerabilities – an exercise other providers might not undertake. With the right tools, automated patching of vulnerabilities like this one is fairly straightforward and should be table stakes. Although three zero-day exploits in 2025 may sound like a lot, Microsoft had five within a single month, which suggests the problem is growing. The vulnerability has also been added to CISA's Known Exploited Vulnerabilities catalogue.


Prioritising risk and automating detection


Understanding what your critical assets are, i.e., what keeps the business going, is the first step in risk-based prioritisation. Businesses can use EPSS (the Exploit Prediction Scoring System) alongside the Common Vulnerability Scoring System (CVSS) to estimate the risk a vulnerability poses: CVSS describes severity, EPSS estimates the likelihood of exploitation. For infrastructure or off-the-shelf software vulnerabilities, the easiest way forward is to patch them. When it comes to in-house software development and third-party libraries, things get more complicated. Identifying your crown jewels is easier said than done, as asset management can get rather challenging. Another issue is the inclusion of legacy infrastructure in the security posture. When dealing with a critical CVE, the most common single points of failure are detection and execution. That said, the root cause of all these problems lies in the creation of the vulnerabilities in the first place. Delays in communication between the cybersecurity team and the IT department can also considerably reduce patching efficiency, to the point where even the most critical vulnerabilities don't get prioritised. To ease the tension between security and IT teams, it's a good idea to start a conversation about how processes could be streamlined. If security is incorporated from the design phase, the software will be much more resilient, and it will lead to cost reductions as well.
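To make the prioritisation described above concrete, here is an added worked example (my own illustration, not code from the panel or from any of the companies named). It ranks a constructed set of findings by combining CVSS severity, EPSS likelihood, CISA KEV membership, internet exposure and the criticality of the affected asset from an asset inventory, then splits them into "patch now", "mitigate first" (no patch yet) and "backlog". The weighting formula, the 30-point threshold and the VULN-A to VULN-E records are assumptions chosen for illustration; they are not real CVEs or real scores.

```python
"""Risk-based CVE triage: an added illustration, not the panel's own method.

All finding records below are constructed sample data. The identifiers are
placeholders rather than real CVE numbers, and the weighting is an assumption
chosen to show how EPSS, KEV membership and asset criticality change the
order that a bare CVSS sort would give.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), from the asset inventory
    cvss: float              # CVSS base score, 0..10 (severity only)
    epss: float              # EPSS probability of exploitation, 0..1
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities
    patch_available: bool
    internet_exposed: bool


def risk_score(f: Finding) -> float:
    """Higher means act sooner. Likelihood and business impact scale severity,
    so a CVSS 9.8 on a low-value internal box ranks below a CVSS 7.5 that is
    being exploited on an internet-facing gateway."""
    severity = f.cvss / 10.0
    # EPSS as published, but floored at 0.8 when CISA has already confirmed
    # in-the-wild exploitation (the KEV listing is evidence, not a prediction).
    likelihood = max(f.epss, 0.8 if f.in_kev else 0.0)
    # Internet-facing assets are reachable by opportunistic scanning.
    exposure = 1.0 if f.internet_exposed else 0.6
    # Business impact from the asset register; crown jewels weigh 5x a low asset.
    impact = f.asset_criticality / 5.0
    return round(100 * severity * likelihood * exposure * impact, 1)


def triage(findings: Iterable[Finding], patch_now_threshold: float = 30.0) -> Dict[str, List[Finding]]:
    """Rank findings and bucket them by urgency and whether a fix exists.

    'mitigate_first' is the bucket for high-risk items with no vendor patch,
    where compensating controls (WAF rules, segmentation, disabling the
    feature) are needed until a patch ships."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    buckets: Dict[str, List[Finding]] = {"patch_now": [], "mitigate_first": [], "backlog": []}
    for f in ranked:
        if risk_score(f) < patch_now_threshold:
            buckets["backlog"].append(f)
        elif f.patch_available:
            buckets["patch_now"].append(f)
        else:
            buckets["mitigate_first"].append(f)
    return buckets


# Constructed sample inventory (assumed values, not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "public-web-01", 5, 8.8, 0.02, True, True, True),   # KEV-listed, patch exists
    Finding("VULN-B", "erp-db-02", 5, 9.8, 0.93, False, False, False),    # no patch yet, very likely exploited
    Finding("VULN-C", "dev-wiki", 2, 9.8, 0.01, False, True, False),      # scary CVSS, negligible likelihood
    Finding("VULN-D", "vpn-gw", 4, 7.5, 0.60, False, True, True),         # moderate CVSS, internet-facing
    Finding("VULN-E", "legacy-hmi", 5, 9.1, 0.70, True, False, False),    # legacy, unpatchable, KEV-listed
]


def report(findings: Iterable[Finding] = SAMPLE_FINDINGS) -> List[str]:
    """Board-friendly one-liners, in the order the teams should act."""
    lines = []
    for bucket, items in triage(findings).items():
        for f in items:
            lines.append(f"{bucket:14s} {f.vuln_id} on {f.asset} (score {risk_score(f)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Note how VULN-C, the highest CVSS score in the set, lands in the backlog because nothing suggests it is being exploited and the asset is not critical, while VULN-D outranks it on a lower CVSS because it is internet-facing on an important gateway with a high EPSS. In practice the inputs come from your scanner export, the EPSS and KEV feeds, and the asset register; the formula is the part each organisation should tune.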


When communicating about vulnerabilities with the board, risks must be translated into money and costs. If an incident does happen, it's a good opportunity to point out to the board which critical vulnerability was leveraged and why remediating it is key. SMEs usually underestimate the likelihood of a cyber-attack against them; however, according to a survey cited on the panel, 60% of start-ups will experience a ransomware attack in their first two years. Autonomous endpoint management, where AI flags vulnerabilities automatically, can free up the time of the people who do the operational patching. The more mature a company's technology stack is, the less work automation will involve. When taking out cyber insurance, patching cadence and micro-segmentation are key criteria, as are backups.


The panel’s advice

  • A multi-layer approach to security is always better than relying on a single point of failure.
  • In 2024, there were 40,000 new vulnerabilities, of which 768 were exploited.
  • If you can't patch immediately, put mitigating controls in place, such as automating the creation of WAF rules that block exploitation of a specific web application or library until the patch can be applied.
  • Data protection and security may give you a competitive advantage over other suppliers, as less secure software providers are being removed from supplier lists.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543