Patch Perfect: the importance of Vulnerability Management, a detailed review.

Introduction

In this article, I will provide a detailed overview of Vulnerability Management (VM), describe what it is, why it’s vital to your organisation, the intricacies involved and conclude with how you can help implement a good VM strategy.

What is Vulnerability Management?

Vulnerability Management is the consistent and ongoing process of identifying, evaluating and tackling vulnerabilities of any kind across an organisation. The goal of VM is to prevent systems from being accessed illegally by exploiting a vulnerability.

Finding vulnerabilities is important not only to protect the business from legal repercussions (ranging from fines and investigations to legal battles), but also to prevent damage to the company’s reputation.

Are there any recent examples where better Vulnerability Management could have helped?

Take the recent M&S cyberattack: the company failed to address the vulnerability of its staff to social engineering attacks, which led to mass data theft and ransomware infecting its systems. This has affected its reputation, with most stores having bare shelves due to lack of stock, and led to an estimated £300 million loss in its profits this year – these can be the consequences when there are gaps in your cyber security strategy.

Why is Vulnerability Management so important?

It is especially important to companies like Mondas, firstly so that we practise what we preach, but also to set a good example to other organisations that may be considering or reconsidering their current approach to VM. To comply with important certifications such as Cyber Essentials (Plus), organisations have 14 days to respond to a critical vulnerability and install a patch – essentially creating a culture of regular updates within a two-week window at most. Prioritisation of these vulnerabilities is vital so that critical and high-risk vulnerabilities are addressed first and foremost, rather than slipping under the radar.

How do I approach Vulnerability Management?

A good VM strategy is governed through various frameworks and certifications that are widely respected in the industry. The most notable is the NIST Cybersecurity Framework (NIST stands for the National Institute of Standards and Technology), which outlines how potential threats can be highlighted and responded to in an efficient manner.

NIST takes a particularly clinical approach to vulnerability management: it identifies and assesses vulnerabilities while advising what measures should be taken to mitigate the risk. For example, the University of Pittsburgh Medical Center implemented the NIST framework in around 2017. In 2023, using the Identify, Protect, Detect, Respond and Recover model that NIST provides, they discovered a large-scale phishing attempt against their employees – this allowed them to swiftly remediate the vulnerability and avoid a catastrophe. The approach is based on industry standards and best practices that streamline the process of managing vulnerabilities.

There are also other frameworks, including OWASP, ISO/IEC 27001, CIS Controls and the ENISA guidelines – each takes a different route to the same goal of managing vulnerabilities. The framework you choose depends heavily on the area of the digital landscape you work in and the scope of your organisation. Some certifications include:

  • Cyber Essentials Plus, which shows other businesses that you take cybersecurity seriously – assessed by an external assessor through vulnerability scans, internal testing and user testing;
  • CompTIA CySA+, which shows that an individual has extensive knowledge of cybersecurity, with exam questions specifically covering vulnerability management as well;
  • SOC 2 (System and Organization Controls Type 2), which focuses on the CIA (Confidentiality, Integrity and Availability) of data – by handling data securely, the attack surface of your business is reduced significantly.

The benefits of these frameworks and certifications range from a more secure organisation to better client trust; they also increase your outreach and attractiveness to potential clients once they are made aware of the certifications you possess, and of the qualities your business must adhere to as a result. If you need support in these areas you can find out more here.

Who works with Vulnerability Management, and who would initiate a scan?

Now that we’ve discussed what vulnerability management is, its relevance, and how it is governed, we can move on to who maintains it. The job roles that would initiate a vulnerability scan vary depending on the use case. Some organisations, for example third-party service providers like Mondas, use a dedicated Vulnerability Assessment Analyst or Vulnerability Management Specialist to perform this task. Other organisations have penetration testers run vulnerability scans before they attempt to find a vulnerability in the organisation’s systems by hand – this saves the pentester time and effort if the scan picks up on a vulnerability. Additionally, a compliance officer could initiate a vulnerability scan to ensure the organisation is compliant with its certifications and the law.

Mondas offer a Free Vulnerability Scan* to uncover potential weaknesses in your systems, giving you actionable insights to strengthen your defences. We also offer a 30-day trial for many of our services, allowing you to experience us first-hand.

I’ve done a Vulnerability Scan – I have 20 critical vulnerabilities, what should I do?

So, after all of this information, you’ve decided to run a vulnerability scan and you’ve found several CVEs (Common Vulnerabilities and Exposures) on your systems. It’s good to know that they exist, but how do you act on them?

Remediation is the term for how you act on these vulnerabilities – it means performing the steps necessary to get the system back into a fully operational state without the weakness. The approach to remediation depends on the vulnerability: for example, remediating a zero-day vulnerability on a Windows 11 computer is going to be wildly different from closing an open port on a network. Typically a patching schedule is drawn up, and these remediations are actioned in line with the agreed schedule.

Which common Vulnerabilities are in the wild at the moment?

Some current CVEs that could affect you include:

  • CVE-2025-43200, in which products running Apple iOS, iPadOS, macOS, watchOS and visionOS “contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link”.
  • CVE-2025-5419, a Google Chromium V8 Out-of-Bounds Read and Write Vulnerability. This is essentially a read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

These CVEs have been identified by trusted sources such as Tenable and cisa.gov, both of which are useful for finding out more information not only about CVEs in general but also about specific zero-day vulnerabilities.

What tools can I use to improve the Vulnerability Management of my organisation?

Vulnerability Management is a very real topic with real-world applications. So let’s discuss some real-world examples and tools you can use for vulnerability scanning.

Qualys

A good tool for vulnerability scanning is Qualys. Not only does it provide vulnerability scans, but it also provides on-prem or cloud scans through its “Qualys Scanner Appliances” tool. They update their vulnerability database daily, to ensure they’re keeping up with as many known vulnerabilities as possible – thus increasing the effectiveness and relevance of the scan. Anything found is prioritised automatically and shown in a readable format for those who wish to analyse and come to an informed conclusion on what to remediate first and how to go about it.

Nexpose

Another good tool is Rapid7’s Nexpose. It is an on-prem-only scanning tool that addresses prioritisation in a different way – through a risk score. This risk score, between 1 and 1000, provides more “actionable insight” into any vulnerabilities found, defining how to act against a high-priority critical vulnerability as opposed to a lower-priority one. I find this risk score really interesting, as it is not based on CVSS, unlike most companies’ scoring. As mentioned earlier, a CVE is a Common Vulnerability or Exposure – most CVSS (Common Vulnerability Scoring System) scores are reported against CVEs, and are typically 1-10. Nexpose, however, has its own method of scoring, which provides significantly higher accuracy through a more advanced risk score.
Finally, it provides remediation reporting, recommending various methods to tackle the critical vulnerabilities picked up by the scan. This is beneficial because it provides quick solutions to an issue, which may prove useful in the case of a drastically critical vulnerability.

Nessus

A final tool for scanning is Tenable Nessus. Nessus has multiple plans; I will cover the features of both. With Nessus, on-prem and limited cloud scans are available – with CVSS scoring and configurable reports to show a client or user in an easy-to-understand format. In addition, Nessus can provide significantly more detailed cloud infrastructure scans, external attack surface scans and web application scans. Although this depends on the plan purchased, whichever plan you choose, Tenable Nessus provides a good vulnerability scan with the ability to report on it in a manner that can be understood by both technical and non-technical audiences.

What is the importance of a robust Vulnerability Management strategy?

There have been many recent examples of companies that have run into trouble from not having a robust VM strategy in place. Looking at the lessons learnt from these companies is important for assessing what improvements can be made in our own organisations; here, we will look at some of these examples:

Adidas

On May 27, 2025, Adidas disclosed that it had been breached through a third-party service provider. Significant amounts of customer data were exposed as a result, and it is speculated that the cost could be anywhere between £100-400 million – but how could it have been prevented?

If Adidas had had visibility of all vulnerabilities within its environment, and a robust patch management schedule to understand the attack surface and apply the relevant patches for itself and its third-party suppliers, the impact of the attack may have been reduced or prevented.

T-Mobile

Moving swiftly on to T-Mobile, which suffered a data breach in August 2021: the company ultimately received a fine of $15 million in 2024, one of the biggest fines imposed at the time.

In July 2021, the threat actor was able to gain access to a T-Mobile GPRS gateway with a brute-force attack, as there were no rules in place to prevent repeated login attempts. The threat actor was then able to move laterally across the network because there was no network segmentation. The result? 40 million current and former customers had their data stolen and advertised on the dark web.

By T-Mobile’s own admission, there were many vulnerabilities it failed to address. A vulnerability scan could have revealed, for example, that a brute-force attack was possible against its SSH login and that network segmentation was largely absent, and effective, regular patch management may have addressed these weaknesses before they could be exploited.
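The T-Mobile failure above is one a defender can catch from authentication logs alone: a burst of failed logins from a single source followed by a success. The following is an added example, not code from the original post or from any vendor named in it; it runs simple sliding-window detection over constructed OpenSSH log lines, with the year, threshold and window chosen as assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed logins from one source before we alert (assumed)
WINDOW = timedelta(seconds=60)   # sliding window for counting failures (assumed)
LOG_YEAR = 2025                  # syslog lines carry no year; assumed for the sample

# Matches OpenSSH password-auth lines, with or without the "invalid user" prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log: a short brute-force run that ends in a successful login,
# plus one legitimate user who mistypes a password once. Addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 20 10:00:01 gw01 sshd[2101]: Failed password for root from 203.0.113.9 port 51012 ssh2
Jun 20 10:00:03 gw01 sshd[2103]: Failed password for root from 203.0.113.9 port 51013 ssh2
Jun 20 10:00:04 gw01 sshd[2105]: Failed password for invalid user admin from 203.0.113.9 port 51014 ssh2
Jun 20 10:00:06 gw01 sshd[2107]: Failed password for root from 203.0.113.9 port 51015 ssh2
Jun 20 10:00:09 gw01 sshd[2109]: Failed password for root from 203.0.113.9 port 51016 ssh2
Jun 20 10:00:12 gw01 sshd[2111]: Accepted password for root from 203.0.113.9 port 51017 ssh2
Jun 20 10:02:30 gw01 sshd[2140]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Jun 20 10:02:41 gw01 sshd[2142]: Accepted password for alice from 198.51.100.4 port 40023 ssh2
"""

def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for sources reaching `threshold` failures inside `window`,
    and for any later successful login from a source already flagged."""
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not a password-auth event; ignore
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if m["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src, "count": len(q), "at": ts})
        elif src in flagged:        # a success from a source already brute-forcing
            alerts.append({"type": "success_after_brute_force", "src": src,
                           "user": m["user"], "at": ts})
    return alerts
```

A lockout or rate-limit rule at the gateway would have stopped the first alert from ever turning into the second; the detection is the safety net for when that control is missing.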

Equifax

Lastly, I’d like to highlight the Equifax breach of 2017. This enormous data breach exposed roughly 147 million people’s personal data in the US, UK and Canada. It originated from a previously known vulnerability in the Apache Struts software (CVE-2017-5638) that Equifax was aware of but failed to patch – attackers took advantage of this vulnerability to expose incredibly sensitive data: names, social security numbers, addresses and, in particularly severe cases, even credit card information. This breach highlights the necessity of vulnerability scans and patch management, to ensure that no previously known vulnerabilities are left open for an attacker to take advantage of.

While these are high-profile breaches that reached the public domain, there are hundreds, if not thousands, of other organisations that are impacted by not having the necessary vulnerability and patch management schedule in place. Many others have since learned from these mistakes and consequently ensured that sufficient protective measures of their own are in place.

How do I implement good Vulnerability Management into my organisation?

After everything that’s been highlighted here so far, I’d like to finish by advising that there is still hope, even if your organisation has no vulnerability or patch management, or any means of running vulnerability scans, in place today.

To implement a vulnerability/patch management schedule, even if you have no cybersecurity measures in place today, you first need to consider your assets. Asset discovery can be performed internally or by a third party; it tells you which devices are on your network and lets you categorise and prioritise those assets by how “at risk” they are. Certain endpoints will see far more traffic than others and therefore need protecting first, which will reduce the attack surface of your organisation once done. Once assets have been considered and prioritised, the provider you have chosen will complete regular vulnerability scans, with results provided upon completion of each scan.

How do I deal with Vulnerabilities, once found?

Given the nature of vulnerabilities, each one will be dealt with differently. For example, a critical vulnerability should be dealt with swiftly, whereas a minor vulnerability on something else has a lower priority. Once this has been done for the first time with the provider, your organisation can stay in contact with them and work together to produce a schedule of times and dates that suit your organisation for scans, and give feedback on their reporting so that the next report shows what you want to see. Complying with frameworks such as Cyber Essentials (Plus) is a great starting point: it is advisable to initiate a scan once every 14 days and to deal with critical vulnerabilities as soon as they appear – patch management comes in handy for this routine schedule as well.
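The prioritisation and 14-day patching window discussed above (and under “Why is Vulnerability Management so important?” and “Remediation”) can be turned into a small triage routine that orders scan findings by urgency and tracks each one’s due date. The following is an added example, not code from the original post or from any scanner mentioned in it; the medium and low SLA windows, the asset criticality scale and the sample findings (including their CVSS values) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Remediation SLA in days per CVSS band. The 14-day window for critical and high
# findings is the Cyber Essentials requirement; the medium and low windows are
# assumed values chosen for illustration.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}

def severity_band(cvss):
    """Map a CVSS score (0.0 to 10.0) to its standard qualitative band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    first_seen: date   # date the scanner first reported the finding
    criticality: int   # 1 (low) to 3 (high), assigned during asset discovery (assumed scale)

def triage(findings, today):
    """Compute each finding's SLA due date and order the list by urgency."""
    rows = []
    for f in findings:
        band = severity_band(f.cvss)
        due = f.first_seen + timedelta(days=SLA_DAYS[band])
        rows.append({"host": f.host, "cve": f.cve, "band": band, "due": due,
                     "overdue": today > due, "days_left": (due - today).days,
                     "criticality": f.criticality, "cvss": f.cvss})
    # Overdue first, then the most critical asset, then highest CVSS, then soonest due date.
    rows.sort(key=lambda r: (not r["overdue"], -r["criticality"], -r["cvss"], r["due"]))
    return rows

# Constructed sample scan output; the CVSS values are illustrative, not taken from NVD.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2017-5638", 10.0, date(2025, 6, 1), 3),
    Finding("laptop-07", "CVE-2025-5419", 8.8, date(2025, 6, 10), 2),
    Finding("print-02", "CVE-0000-0000 (placeholder)", 3.1, date(2025, 5, 1), 1),
]

def run_example(today=date(2025, 6, 20)):   # 'today' is fixed so the output is reproducible
    return triage(SAMPLE_FINDINGS, today)
```

Running `run_example()` puts the overdue Struts finding on the internet-facing web server first, the in-window browser finding second, and the low-severity printer finding last, which is the order a patching schedule should work through.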

I hope this blog has been insightful to the dangers of unknown vulnerabilities and the importance of a patching schedule. If you have any questions, then don’t hesitate to reach out here.

* Our free initial assessment is available to clients who meet specific criteria. Get in touch to find out more.