Vulnerability management has long been a critical aspect of cybersecurity; however, as vulnerabilities continue to evolve, ASPM becomes more critical, and threat actors become more sophisticated, cybersecurity teams must adapt their strategies to stay ahead.
Agentic AI for threat-centric analysis is a cool term, but how does it apply to real-life scenarios? I’ve taken a few real case studies for vulnerabilities that have high threat profiles, like memory corruption or remote code execution.
The Growing Threat of Exploited Vulnerabilities
Over the past several years, enterprises and SMEs have faced a significant increase in the exploitation of vulnerabilities, particularly those that allow for remote code execution (RCE) or memory corruption.
According to the Verizon Data Breach Report (DBR), exploitation remains one of the primary drivers of data breaches, with threat actors continuously evolving their methods to exploit weaknesses in software.
The Mandiant M-Trends report further confirms that exploitation is often the main contributor to security incidents, driving the need for a more proactive approach to vulnerability management.
We all know about the recent National Vulnerability Database (NVD) collapse, with analysis of vulnerabilities lagging behind.
Phoenix Security analysis over time of the NVD Backlog
This is where the threat-centric approach truly shines. Rather than merely reacting to vulnerabilities, organizations must understand the motivations and techniques of the threat actors who target them. For instance, vulnerabilities that allow for unauthenticated remote code execution, like those seen in the Citrix ADC or MOVEit Transfer breaches, should be treated with the highest level of urgency. These types of flaws are not just theoretical—they have been repeatedly exploited in real-world attacks, including by high-profile ransomware groups like LockBit and Clop. Moreover, as the graph below confirms, the use of phishing techniques has decreased while the exploitation of vulnerabilities has held steady at over 30%.
Agentic AI in ASPM: A Threat-Centric Approach to Ransomware
Agentic AI is undoubtedly changing vulnerability management. Many vendors use the term as an alternative word for chatbot, but a real application is the threat-centric lens on vulnerability analysis. This advanced AI model can sift through massive amounts of data, identify exploitation trends, and predict which vulnerabilities are most likely to be targeted by threat actors. Combined with exposure and reachability analysis, this creates a more effective vulnerability management framework (see below, Phoenix Security ASPM).
An alternative method for when data sources are lagging behind, or a secondary dimension of analysis, is the one we have studied in the threat-centric approach and illustrated with the model below: are there clear indicators of exploitation of vulnerabilities, and is there a high percentage of those threats that get exploited in specific attacks (ransomware, zero-day)?
We can break down the analysis into two segments:
- Threats and attacks with active exploitation (where CTI and other sources of intelligence show real exploitation, as in the case of MOVEit Transfer).
- A probabilistic approach to determine if a method of exploitation is more likely to lead to vulnerability exploitation or not.
For ransomware, for example, the analysis using the agentic AI threat researcher tells us that a vulnerability with remote code execution has a higher probability of being exploited than one with directory traversal. This indication is reinforced by other factors such as exploitation in the wild, the EPSS dataset, internet exposure of the systems where those vulnerabilities are exploited in the wild, and more. Those values should not be taken alone, but they are definitely significant if you want to discern whether one vulnerability class is more dangerous than another.
Another aspect is which threat actors use one attack methodology more than another. There is no clear-cut answer here, so we won't use this for analysis. Rather, we use the CWE and the threat type to derive a more granular determination of which CWE leads to which CAPEC, TTP, and threat actor, as this method is more precise.
Agentic AI ASPM: A Threat-Centric Approach to Zero Day
A Data-Driven, Proactive Approach to Zero-Day Exploits
Zero-day vulnerabilities are another key focus of the threat-centric approach in ASPM. These flaws remain hidden until attackers discover and exploit them, often causing significant damage before patches are released. However, with the right threat intelligence, organizations can predict and prepare for zero-day exploits more effectively.
Agentic AI plays a critical role here as well, especially when analyzing vulnerabilities that are prime targets for zero-day exploitation, such as remote code execution and memory corruption. For example, in the MOVEit Transfer breach, the Clop ransomware group exploited a SQL injection vulnerability (CVE-2023-34362) to gain unauthorized access to sensitive data. The rapid exploitation of this vulnerability—before a patch was available—illustrates the importance of maintaining an active and threat-aware security posture.
By applying a threat-centric approach, organizations can better predict which vulnerabilities are likely to be exploited in the wild, allowing for faster patching, mitigation, and response efforts. This proactive stance is critical for preventing large-scale attacks that often lead to data theft and ransomware extortion.
Below is an analysis of zero-day data using the agentic AI threat researcher, which tells us that remote code execution, both over the years and overall, has a crushing majority, together with memory corruption.
Zero Day Attack Methods and Techniques
Phoenix Security ASPM Threat Centric Analysis
The information in this article is also available in greater detail in the White Paper – A threat-centric approach on vulnerabilities.
The need for a more proactive approach to vulnerability management is clear. The case studies of Citrix ADC and MOVEit Transfer underscore the importance of understanding threat actor behavior and exploitation patterns. These breaches highlight the dangerous combination of high-impact vulnerabilities and motivated, resourceful threat actors. As demonstrated by both cases, vulnerabilities that allow for remote code execution or privilege escalation in internet-facing applications are ripe targets for exploitation.
To effectively protect against these types of threats, organizations must embrace a holistic security strategy that incorporates both vulnerability management and threat-centric analysis. Exposure to the web, reachability analysis, and contextual risk assessments are all essential components of this approach. By integrating these factors into a comprehensive security framework, organizations can ensure they are not just responding to vulnerabilities but actively preventing exploitation.
The Role of ASPM in Strengthening Security Posture
Application Security Posture Management (ASPM) plays a pivotal role in this proactive vulnerability management framework. ASPM tools help organizations continuously monitor and assess the security of their applications, ensuring that vulnerabilities are identified and remediated before they can be exploited. When combined with a threat-centric approach, ASPM offers a powerful means of defending against attacks.
By adopting a threat-centric methodology, organizations can more effectively prioritize vulnerabilities based on their exposure and the likelihood of exploitation. This approach helps reduce the attack surface and ensure that critical vulnerabilities are addressed in a timely manner. Furthermore, ASPM tools can help track and manage vulnerabilities across the application lifecycle, providing the necessary insights to strengthen defenses against evolving threats.
Case Study: Citrix ADC VPN Gateway Code Injection & Buffer Overflow (CVE-2023-3519 & CVE-2023-4966) Agentic ASPM Approach
See live agentic ASPM approach for Citrix ADC
CVE-2023-3519 vector:
- [VENDOR] NetScaler
- [PRODUCT] ADC and NetScaler Gateway
- [VERSION] 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 13.1-FIPS before 13.1-37.159, 12.1-FIPS before 12.1-55.297, 12.1-NDcPP before 12.1-55.297
- [WEAKNESS] Reflected Cross-Site Scripting, Privilege Escalation, Unauthenticated remote code execution
- [ATTACKER] remote attacker
- [IMPACT] execute arbitrary code, gain root administrator privileges, cross-site scripting
- [ROOTCAUSE] improper input handling, improper privilege management, code injection
- [VULNERABILITY TYPE] Cross-Site Scripting, Privilege Escalation, Remote Code Execution
- [VULNERABILITY IMPACT] execute arbitrary code, gain root administrator privileges, cross-site scripting
CVE-2023-4966 vector:
- [VENDOR] NetScaler
- [PRODUCT] ADC and NetScaler Gateway
- [COMPONENT] Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
- [WEAKNESS] sensitive information disclosure
- [IMPACT] information disclosure
- [VULNERABILITY TYPE] information disclosure
- [VULNERABILITY IMPACT] sensitive information disclosure
Description: Citrix’s ADC (Application Delivery Controller) is an enterprise VPN and load balancing appliance widely used for remote access. In mid-2023, two critical vulnerabilities hit these devices:
- CVE-2023-3519: A Code Injection vulnerability allowing unauthenticated RCE on the Citrix gateway.
- CVE-2023-4966: A Buffer Overflow (heap overflow) in Citrix Gateway dubbed “Citrix Bleed,” allowing session hijack and potential code execution.
These were essentially door-opening flaws in a perimeter device.
- Vulnerability Characteristics: Both had the Impact of unauthenticated Remote Code Execution. The root causes were Improper Input Handling leading to Code Injection and Memory Corruption (buffer overflow). Both affected an internet-facing, popular appliance used in thousands of organizations (including critical infrastructure).
- How to use a scoring method to validate the sentiment of dangerousness: The score would be maxed: RCE (+5), injection or overflow (+3), widely used VPN (+2), network-facing/no auth (+3). That’s 13+. Additionally, Citrix ADC had a notorious history – a similar flaw in 2019 (CVE-2019-19781) was massively exploited by ransomware groups (e.g., RagnarLocker) in 2020. So prior precedent exists (cross-reference factor). Everything about these screamed urgency.
- Exploitation: CVE-2023-3519 was exploited as a zero-day – an attack hit a critical infrastructure org in June 2023 before the patch was released. After patch release in July, within a day PoCs emerged and widespread scanning started. It quickly made the KEV list. CVE-2023-4966 (“Citrix Bleed”) was also exploited in the wild as a zero-day in August 2023. What’s more, by October 2023, it was reported that the LockBit 3.0 ransomware group had leveraged CVE-2023-4966 to breach a major company (Comcast). Attackers chaining these flaws could bypass multi-factor auth and execute code on VPN appliances, then move into the network. These Citrix vulns became one of the top exploited issues of 2023, with governments warning about them. They illustrate the worst-case: an unpatched gateway leading directly to ransomware infiltration.
- Outcome: Organizations that were monitoring for unusual activity might have detected exploitation (e.g., webshells on Citrix devices) if they hadn’t patched immediately. But some were caught off-guard, especially by the zero-day usage. The quick turnaround from patch to widespread exploit release meant that any delay in patching (even a week or two) left a window that LockBit and others exploited. On the positive side, Citrix admins who subscribed to Citrix’s advisories or CISA alerts knew this was critical and many patched within 24-48 hours, likely preventing innumerable incidents.
Lesson: Perimeter devices are high-value targets – treat their vulnerabilities as critical by default. This case also shows the importance of threat intel: hearing that a vulnerability was exploited as a 0-day (even if your org wasn’t hit yet) should trigger immediate action. In our Phoenix Security framework, this would elevate the risk and mark it with a high likelihood of exploitation in the wild. Other factors like the exposure, business criticality, and reachability of the system come into play.
Also, it underlines repeating patterns: the Citrix gateway had been targeted before; this was a repeat scenario, so those aware of history might have predicted that any new Citrix RCE would see similar attacks.
Not all of those elements can be evaluated automatically, hence why a threat-centric approach with human supervision is key.
Case Study: MOVEit Transfer SQL Injection (CVE-2023-34362)
See Live mapping for CVE-2023-34362 in the AI agentic analysis
Description: Progress MOVEit Transfer is a managed file transfer solution used by many organizations. In May 2023, CVE-2023-34362, a SQL Injection vulnerability, was discovered in MOVEit. Attackers could send a crafted payload to the MOVEit web interface to execute SQL commands, ultimately leading to arbitrary code execution on the server (via exploitation of the database and writing a webshell).
- Vulnerability Characteristics: Impact = Remote Code Execution (via SQLi); Root cause = SQL Injection (Improper Neutral
Description (continued): The MOVEit flaw was essentially a classic injection in a web application, leading to arbitrary file upload and code execution. It was present as a 0-day (unknown prior to attacks).
- Predictive Indicators: Our framework would label this as Impact = RCE (+5), Root cause = SQL Injection (+3), Widely used file transfer software (+2), remote/unauthenticated (+3). Score ~13. Even though MOVEit isn’t as ubiquitous as Windows, many companies use it to share sensitive files, making it a juicy target. The moment details emerged that this was a SQLi enabling remote code execution, the risk level was clear.
- Exploitation: In late May 2023, the Clop ransomware group (a data-theft extortion crew) exploited CVE-2023-34362 en masse. They discovered the vulnerability and used automated scripts to compromise hundreds of MOVEit servers around the world before a patch was available – a true zero-day attack. They implanted webshells via the SQLi, stole vast amounts of data from the servers, and later extorted victims under threat of releasing the data. This campaign was one of the largest single-vulnerability exploitation events of 2023. It landed CVE-2023-34362 in CISA’s KEV and the top-exploited lists. The fact that Clop pulled this off underscores how ransomware actors can pivot to pure zero-day exploitation when the opportunity arises (they had done something similar with Accellion FTA in 2020). After disclosure, security researchers released PoC scripts, but by then, the damage had been done, mainly by Clop.
- Outcome: Organizations had to scramble to patch once Progress released fixes, and many had to perform incident response to see if they were compromised. Those few who might have caught suspicious behavior (like unexpected file downloads or new files on the MOVEit server) could have mitigated or prevented data theft. However, because it was a zero-day, only those taking highly proactive measures, like isolating critical file transfer systems from the internet or applying temporary SQL filters via WAF, had any shot at prevention pre-patch.
Lesson: A web app SQL injection in a high-value system is effectively an open door. Despite being a “web app vulnerability” (sometimes not given the same attention as system vulnerabilities), this one had a direct business impact. It highlights the need for organizations to also monitor threat intel (the FBI and CISA issued alerts quickly) and to have emergency processes for zero-day mitigation. For prediction, it reinforced that input validation bugs in externally-facing applications are prime targets and should be treated with zero-day-level urgency once revealed.
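The scoring used in the Citrix ADC and MOVEit case studies (RCE +5, injection or overflow +3, widely used +2, remote/unauthenticated +3), as an added example that is not Phoenix Security's code: it parses the bracketed vector format shown for the Citrix CVEs and applies those weights. The term lists, the `widely_used` flag, and the hand-written `ANALYST_4966` and `MOVEIT` vectors are assumptions constructed for illustration.

```python
import re

# Weights quoted in the article's Citrix ADC and MOVEit case studies.
WEIGHTS = {"rce": 5, "root_cause": 3, "widely_used": 2, "remote_noauth": 3}
RCE_TERMS = ("remote code execution", "execute arbitrary code")
ROOT_CAUSE_TERMS = ("injection", "overflow", "memory corruption")
DESCRIBED = ("WEAKNESS", "IMPACT", "VULNERABILITY TYPE", "VULNERABILITY IMPACT")
TAG = re.compile(r"\[([A-Z ]+)\]([^\[]*)")

# Fields copied from the article's vectors (subset; leading "[" restored).
CITRIX_3519 = (
    "[VENDOR] NetScaler[PRODUCT] ADC and NetScaler Gateway"
    "[WEAKNESS] Reflected Cross-Site Scripting, Privilege Escalation, "
    "Unauthenticated remote code execution[ATTACKER] remote attacker"
    "[IMPACT] execute arbitrary code, gain root administrator privileges, "
    "cross-site scripting[ROOTCAUSE] improper input handling, "
    "improper privilege management, code injection"
)
CITRIX_4966 = (
    "[VENDOR] NetScaler[PRODUCT] ADC and NetScaler Gateway"
    "[WEAKNESS] sensitive information disclosure[IMPACT] information disclosure"
    "[VULNERABILITY TYPE] information disclosure"
)
# Constructed: the characteristics the article's text gives for CVE-2023-4966
# and for MOVEit, written by hand in the same tag format.
ANALYST_4966 = ("[ROOTCAUSE] buffer overflow[ATTACKER] remote attacker"
                "[IMPACT] unauthenticated remote code execution")
MOVEIT = ("[VENDOR] Progress[PRODUCT] MOVEit Transfer[ROOTCAUSE] SQL injection"
          "[ATTACKER] remote unauthenticated attacker"
          "[IMPACT] remote code execution")


def parse_vector(vector):
    """Turn '[KEY] v1, v2[KEY] v3' into {'KEY': ['v1', 'v2'], ...}, lower-cased."""
    fields = {}
    for key, raw in TAG.findall(vector):
        values = [v.strip().lower() for v in raw.split(",") if v.strip()]
        fields.setdefault(key.strip(), []).extend(values)
    return fields


def _mentions(fields, keys, terms):
    """True if any value under the given keys contains any of the terms."""
    return any(t in v for k in keys for v in fields.get(k, []) for t in terms)


def score_vector(vector, widely_used=False):
    """Return (score, reasons); widely_used is an analyst judgement, not a tag."""
    f = parse_vector(vector)
    hits = {
        "rce": _mentions(f, DESCRIBED, RCE_TERMS),
        "root_cause": _mentions(f, ("ROOTCAUSE", "WEAKNESS"), ROOT_CAUSE_TERMS),
        "widely_used": widely_used,
        # Remote attacker plus an explicit "unauthenticated" anywhere in the vector.
        "remote_noauth": _mentions(f, ("ATTACKER",), ("remote",))
        and _mentions(f, f, ("unauthenticated",)),
    }
    reasons = [name for name, hit in hits.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons
```

Scored on the article's own CVE-2023-4966 vector, which carries only information-disclosure tags, the result is 2 until the analyst's tags are appended (`CITRIX_4966 + ANALYST_4966`), which is the human-supervision point made in the Citrix case study.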
These case studies – PaperCut, Zerologon, Citrix ADC, and MOVEit – each reinforce the same core point: vulnerability characteristics telegraphed the eventual threat. In every case, a combination of high impact (RCE/PrivEsc) and dangerous root cause (injection/auth bypass/memory corruption) was present, and in every case attackers moved swiftly to exploit. In some cases, exploits preceded public disclosure (zero-days), but even there, our framework would have identified the risk if one were evaluating the vulnerability internally (e.g., a code audit finding like Zerologon’s should be fixed ASAP, given its nature).
Conclusion: The Future of Application Security
As threats continue to grow in sophistication and frequency, the traditional methods of vulnerability management are no longer enough. A shift to a more proactive, threat-centric approach is necessary to stay ahead of malicious actors. By leveraging tools like Agentic AI, exposure analysis, and ASPM, organizations can gain a clearer understanding of which vulnerabilities pose the greatest risk and take action before exploitation occurs.
The key takeaway is that vulnerability management must go beyond simply patching known flaws—it must focus on understanding the threat landscape, the motivations of adversaries, and the potential impact of each vulnerability. By doing so, organizations can minimize risk, improve security posture, and prevent the devastating effects of cyberattacks.
For a robust, forward-thinking security strategy, embracing a threat-centric approach in combination with ASPM, vulnerability management, and real-time threat intelligence is not just recommended—it’s essential.
How Phoenix Security Can Help
Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.
Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis and an innovative Threat Centric approach. This innovative approach correlates runtime data with code analysis and leverages the threats that are more likely to lead to zero day attacks and ransomware to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues.
Why do people talk about Phoenix?
• Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.
• Contextual Deduplication: Utilizing canary token-based traceability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.
• Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerability exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.
By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.