Sign in Subscribe
By E. Kohler in security —

The 48-Hour Rule: Why Monthly Patch Cycles Are a Liability

Three products, three vendors, one pattern: exploited within days of disclosure. If your patch cycle is still monthly, you're not managing risk. You're hoping.

The 48-Hour Rule: Why Monthly Patch Cycles Are a Liability

Three different products. Three different vendors. One pattern: exploited within days of disclosure. If your patch cycle is still monthly, you're not managing risk. You're hoping.

What happened this week

Between mid-January and mid-February 2026, three unrelated vulnerabilities followed the same trajectory:

BeyondTrust Remote Support (CVE-2026-1731, CVSS 9.9) - A pre-authentication RCE via WebSocket command injection. BeyondTrust disclosed on February 6. By February 10, multiple proof-of-concept exploits were public. Attackers were already creating domain admin accounts, installing backdoors, and dumping credentials from password vaults. The exploit requires zero authentication and low complexity. Just a GET request, a WebSocket connection, and a crafted payload.

Roundcube Webmail (CVE-2025-49113, CVSS 9.9) - A deserialization flaw in the file upload handler. Patched in June 2025. By the time CISA added it to the KEV catalog on February 20, 2026, over 84,000 instances were still vulnerable. Exploit code appeared within days of the patch. Eight months later, tens of thousands of servers remain exposed. Roundcube is a favorite target of APT28 and Winter Vivern, and CISA now tracks more than 10 exploited Roundcube flaws.

Microsoft Configuration Manager (CVE-2024-43468, CVSS 9.8) - An unauthenticated SQL injection in SCCM's MP_Location service. Microsoft patched it in October 2024 and assessed exploitation as "less likely." Synacktiv published a PoC in November 2024. Microsoft was wrong. CISA confirmed active exploitation in February 2026, over a year after the patch, linking it to ransomware campaigns using lateral movement through SCCM infrastructure.

The pattern

All three share a structure that has become disturbingly normal:

  1. Vendor patches vulnerability
  2. PoC drops within days to weeks
  3. Mass scanning starts immediately
  4. Organizations that patch monthly (or quarterly) get caught in the window

The window between "patch available" and "actively exploited" used to be measured in months. Now it's measured in days. Sometimes hours. In the BeyondTrust case, cloud customers were auto-patched before the advisory even went public. Self-hosted customers had to act manually, and many didn't.

Why monthly patch cycles don't work anymore

I've sat in enough change advisory board meetings to know the argument: "We can't patch everything immediately. We need to test. We need change windows. We need approval."

Fair. But here's the math. If your patch cycle is 30 days, and the average time-to-exploit is under 7 days, you're operating with a 23-day gap where known, weaponized exploits exist in your environment. That's not a risk you're managing. That's a risk you're accepting without saying it out loud.

The question isn't whether you can patch everything in 48 hours. You can't. The question is whether you can identify and prioritize the ones that matter in 48 hours. And for that, you need three things:

  1. Asset inventory that's actually current. You can't patch what you don't know exists. That Roundcube instance someone set up in 2019? It's still running. You just forgot about it.
  2. A fast lane for critical patches. Not everything goes through the full change process. CVSS 9.0+ with a public PoC gets an emergency window. Period. If your change process can't accommodate that, your change process is the vulnerability.
  3. Monitoring for exploitation signals. CISA KEV is free. Subscribe. If something lands on KEV, it's not theoretical anymore. Someone is actively using it right now.

The uncomfortable truth about SCCM

The Configuration Manager case is particularly painful because SCCM is infrastructure. It's the tool you use to deploy patches to everything else. When your patch management system is the attack vector, you have a recursion problem that no process document solves.

Microsoft rated it "less likely" to be exploited. A month later, there was a public PoC. A year later, ransomware groups were using it for lateral movement. "Less likely" is not "won't happen." And in security, the distance between those two is measured in incidents.

What I'd do

If you take one thing from this: build a 48-hour response capability for critical vulnerabilities. Not for everything. Just for the ones where CVSS is 9.0+, a PoC exists, or CISA adds it to KEV.

That means:

  • Someone monitors advisories daily (or better, gets automated alerts)
  • You have a pre-approved emergency change process that doesn't require a committee meeting
  • Your asset inventory covers the forgotten things, not just the managed ones
  • You test your ability to deploy an emergency patch at least once a quarter

The 48-hour rule isn't a standard. It's not in any framework. It's just the reality of how fast things move now. Adjust or accept the gap. But at least be honest about which one you're choosing.

Previous

Why I Started Building AEGIS (and What Bureaucracy Taught Me About Blame)

 Next

How I Run an Autonomous AI Assistant Without Losing Control

You might also like...