Some recent examples

The recent headlines around Citrix Bleed 2 (CVE-2025-5777) and the Fortinet FortiWeb Fabric Connector vulnerability (CVE-2025-25257) are stark reminders. These aren’t obscure bugs buried in niche systems; they’re catastrophic flaws in the very devices meant to secure our networks.

Take Citrix Bleed 2. This is an out-of-bounds memory read in Citrix NetScaler ADC and NetScaler Gateway, caused by insufficient input validation, and it is reachable when the appliance is configured as a Gateway or AAA virtual server. In plain terms, an unauthenticated attacker can pull session tokens straight out of the appliance's memory and use them to hijack active user sessions. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) confirmed active exploitation and gave federal agencies just one day to patch, a measure of how urgent the risk is. Security researchers published proofs-of-concept on 7 July 2025 showing exactly how tokens could be stolen. At that point Citrix had not yet updated its own advisory to reflect in-the-wild exploitation. That gap between vendor messaging and attacker activity is one reason exploitable vulnerabilities stay live in environments for far too long.

Or consider Fortinet's FortiWeb Fabric Connector flaw. This is a classic pre-authentication SQL injection (CVE-2025-25257), except that it sits in a web application firewall (WAF), the very tool supposed to defend your apps. An attacker can send unsanitised input (in this case an HTTP Authorization header to the Fabric Connector API) that is spliced into a query, execute arbitrary SQL, and from there reach remote code execution as root, without valid credentials. WatchTowr Labs demonstrated turning the injection into a file write with the database's own INTO OUTFILE, dropping a Python .pth file onto the appliance's Python path and then triggering it by requesting a Python CGI script under cgi-bin. In plain terms, an attacker can run any command they want on an affected WAF. No binary required. It is a textbook example of how a simple web input flaw in a privileged process can unravel an entire security stack.
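To make the root cause concrete, here is an added example (not FortiWeb's code, and not from the original post): a pre-auth token check that builds its SQL from the Authorization header, beside the parameterised version that does not. The table, token and endpoint are constructed; SQLite stands in for the appliance's database so the block runs offline.

```python
"""Illustrative SQL injection through an API bearer token (constructed example).

The vulnerable function concatenates the attacker-controlled header value into
the query; the hardened one binds it as a parameter so it can never be parsed
as SQL. Same input, opposite outcome.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table of valid API tokens."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_tokens (id INTEGER PRIMARY KEY, token TEXT, owner TEXT)")
    conn.execute("INSERT INTO api_tokens (token, owner) VALUES ('s3cr3t-token', 'fabric-connector')")
    conn.commit()
    return conn


def bearer_value(authorization_header: str) -> str:
    """Return the token part of 'Bearer <token>', or '' for any other scheme."""
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        return ""
    return value.strip()


def check_token_vulnerable(conn: sqlite3.Connection, authorization_header: str) -> Optional[str]:
    """VULNERABLE: the header value is spliced into the SQL text."""
    token = bearer_value(authorization_header)
    sql = f"SELECT owner FROM api_tokens WHERE token = '{token}'"  # injection point
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def check_token_hardened(conn: sqlite3.Connection, authorization_header: str) -> Optional[str]:
    """HARDENED: the token is bound as a parameter; quotes in it are just data."""
    token = bearer_value(authorization_header)
    row = conn.execute("SELECT owner FROM api_tokens WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "Bearer ' OR '1'='1"  # no valid token, just a tautology
    print("vulnerable:", check_token_vulnerable(make_db(), payload))  # fabric-connector
    print("hardened:  ", check_token_hardened(make_db(), payload))    # None
```

The tautology payload authenticates against the vulnerable check and is rejected by the hardened one. What turned the real bug into root on the appliance was the second layer being absent too: the query ran under a database account that could write files onto the Python path. Parameterised queries close the injection; a database account that cannot write files removes the upgrade path from SQL to shell.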

These are not isolated cases.

The Mandiant M-Trends 2025 report, based on over 450,000 hours of global incident response, confirms that for the fifth year running exploits were the most common initial intrusion vector, accounting for 33% of the intrusions Mandiant investigated. Even more concerning, page 11 highlights that the most frequently exploited vulnerabilities in 2024 were in security devices (Citrix, Fortinet, Palo Alto Networks and Ivanti edge products), precisely because they sit at the perimeter handling authentication and every inbound traffic flow.

And how do Managed Services fill the gap?

A mature managed security service acts as a strategic defence layer against this very problem. It’s not about simply reselling products; it’s about integrating intelligence, enforcing operational discipline, and having the resources to act with speed. This approach is built on several core principles.

At Reliance Cyber, we’ve been securing clients since 2003 by staying ahead of these issues. We’re a Google SecOps Partner and integrate Google Threat Intelligence (GTI) directly into our managed services. Mandiant’s global investigations feed us early indicators of compromise, emerging TTPs, and threat actor priorities — often before vulnerabilities hit mass media or CISA advisories. That means we can notify clients, apply compensating controls, and hunt for related activity proactively.

Many “critical” CVEs become devastating because of lax configurations. The FortiWeb SQL flaw is bad — but why would you ever expose that management interface to the internet? Why would you not secure it behind tight access control policies? Our managed services start with robust, secure-by-design deployments:

  • Management interfaces restricted by IP and authentication.
  • Admin identities isolated, with just-in-time access.
  • On-premises and cloud environments segmented to stop lateral movement.

So even if a product has a vulnerability, exploiting it is far harder because the attacker can’t reach it in the first place.

It’s basic hygiene — yet still too often neglected.

When CISA gave agencies 24 hours to patch Citrix Bleed 2, it wasn't exaggeration. Over the following weekend, internet-wide scanning by security researchers found a "significant portion" of exposed NetScaler appliances, around 2,100 of them, still unpatched despite active exploitation.
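Knowing whether you are one of those 2,100 is a version comparison, and it is worth scripting so it runs over the whole estate. The block below is an added example, not part of the original post or Citrix's tooling. The fixed builds are the ones Citrix's advisory names for CVE-2025-5777, copied here for illustration; confirm them against the current advisory before relying on the output. The inventory and the `show version` line are constructed.

```python
"""Added example: flag NetScaler builds still exposed to CVE-2025-5777.

Fixed-build numbers are taken from Citrix's advisory for this CVE and should be
re-checked against it. Hostnames and version strings below are constructed.
"""
import re
from typing import Dict, List, Tuple

Build = Tuple[int, int, int, int]

# First fixed build per branch, as (major, minor, build, sub-build).
# FIPS/NDcPP branches have their own build numbering and their own fixes.
FIXED_BUILDS: Dict[str, Build] = {
    "14.1": (14, 1, 43, 56),
    "13.1": (13, 1, 58, 32),
    "13.1-FIPS": (13, 1, 37, 235),
    "12.1-FIPS": (12, 1, 55, 328),
}

# End-of-life branches that received no fix: the only remedy is an upgrade.
EOL_BRANCHES = {"12.1", "13.0"}

# Accept either a bare build string ("14.1-43.50") or a `show version` line
# ("NetScaler NS14.1: Build 43.50.nc, Date: ...").
_BARE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
_SHOW_VERSION = re.compile(r"NS(\d+)\.(\d+): Build (\d+)\.(\d+)")


def parse_build(text: str) -> Build:
    """Extract (major, minor, build, sub-build) from either version format."""
    m = _BARE.match(text.strip()) or _SHOW_VERSION.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor, build, sub)


def assess(text: str, fips: bool = False) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one appliance."""
    build = parse_build(text)
    branch = f"{build[0]}.{build[1]}"
    key = f"{branch}-FIPS" if fips else branch
    if key in FIXED_BUILDS:
        return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"
    if branch in EOL_BRANCHES:
        return "eol"
    return "unknown"


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group hostnames by status so the patch queue can be ordered.

    Inventory entries are (hostname, version text, is_fips_or_ndcpp).
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "eol": [], "patched": [], "unknown": []}
    for host, version, fips in inventory:
        result[assess(version, fips)].append(host)
    return result


# Citrix's guidance for this CVE: upgrading does not evict sessions whose tokens
# were already stolen, so terminate active sessions afterwards (confirm the exact
# commands against the advisory).
POST_UPGRADE_COMMANDS = [
    "kill icaconnection -all",
    "kill pcoipConnection -all",
]

if __name__ == "__main__":
    sample = [  # constructed inventory
        ("gw1.example.com", "NetScaler NS14.1: Build 43.50.nc, Date: Jan 1 2025, 00:00:00", False),
        ("gw2.example.com", "14.1-43.56", False),
        ("gw-fips.example.com", "13.1-37.200", True),
        ("legacy.example.com", "13.0-92.21", False),
    ]
    for status, hosts in triage(sample).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```

The `fips` flag matters: a 13.1-FIPS appliance on build 37.x is not "behind" the 13.1 fix at 58.32, it is on a different train with its own fixed build, and a naive numeric comparison would misreport it. The EOL case is the other trap: 12.1 and 13.0 appliances never show up as "vulnerable" in a check that only looks for fixed builds, yet they are the most exposed hosts in the list.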

Managed services work differently: patching isn't left to an internal backlog; it's governed by strict SLAs. When a zero-day emerges, we mobilise immediately, apply vendor fixes or interim blocks at the firewall, terminate suspect sessions, and hunt for indicators, closing the window of opportunity before attackers can use it.
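"Terminate suspect sessions and hunt for indicators" needs a definition of suspect. For token theft of the Citrix Bleed 2 kind, the signal in telemetry is one session identifier used from a second client address, typically with a different user agent and within minutes of the legitimate user. The block below is an added example, not part of the original post and not NetScaler's own log schema: generic detection logic over a constructed access-log format.

```python
"""Added example: hunt for session tokens reused from a second client.

The log format, session ids and addresses below are constructed. The logic is
the generic one: for each session, look for a change of client IP within a
short window of the previous use, and treat a user-agent change as corroboration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed access records: timestamp, session id, client IP, user agent.
# Session 1f3a8c is reused from a second address with a scripted client four
# minutes later; 9be4d2 is a normal session; 77c0aa moves address nine hours
# later, which looks like roaming rather than theft.
SAMPLE_LOG = """\
2025-07-07T09:00:12Z sess=1f3a8c ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/126"
2025-07-07T09:01:03Z sess=1f3a8c ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/126"
2025-07-07T09:04:41Z sess=1f3a8c ip=198.51.100.77 ua="python-requests/2.32"
2025-07-07T09:02:30Z sess=9be4d2 ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17.5"
2025-07-07T09:30:00Z sess=9be4d2 ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17.5"
2025-07-07T01:00:00Z sess=77c0aa ip=192.0.2.9 ua="Mozilla/5.0 (iPhone) Safari/17.5"
2025-07-07T10:15:00Z sess=77c0aa ip=203.0.113.44 ua="Mozilla/5.0 (iPhone) Safari/17.5"
"""

_LINE = re.compile(r'^(\S+) sess=(\S+) ip=(\S+) ua="([^"]*)"$')


def parse_log(text: str) -> Dict[str, List[dict]]:
    """Group parsed events by session id, each list sorted by time."""
    by_session: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, sess, ip, ua = m.groups()
        by_session[sess].append(
            {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip, "ua": ua}
        )
    for events in by_session.values():
        events.sort(key=lambda e: e["ts"])
    return by_session


def hunt_reused_sessions(text: str, window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Flag sessions seen from a new client IP within `window` of the previous use.

    The window suppresses ordinary roaming (a user who changes network hours
    later); widen it when hunting after a confirmed token leak.
    """
    findings = []
    for sess, events in parse_log(text).items():
        for prev, cur in zip(events, events[1:]):
            if cur["ip"] != prev["ip"] and cur["ts"] - prev["ts"] <= window:
                findings.append({
                    "session": sess,
                    "first_ip": prev["ip"],
                    "second_ip": cur["ip"],
                    "seconds_apart": int((cur["ts"] - prev["ts"]).total_seconds()),
                    "ua_changed": cur["ua"] != prev["ua"],
                })
                break  # one finding per session is enough to act on
    return findings


def sessions_to_kill(findings: List[dict]) -> List[str]:
    """Session ids to terminate, strongest signal (UA change, short gap) first."""
    ordered = sorted(findings, key=lambda f: (not f["ua_changed"], f["seconds_apart"]))
    return [f["session"] for f in ordered]


if __name__ == "__main__":
    for f in hunt_reused_sessions(SAMPLE_LOG):
        print(f)
    print("terminate:", sessions_to_kill(hunt_reused_sessions(SAMPLE_LOG)))
```

On the sample, only 1f3a8c is flagged with the default window; 77c0aa only appears once the window is widened to a day, which is the right setting after a confirmed leak, when every address change deserves a look. The output list is what gets fed to the session-termination step, and it should be run again after patching, since a stolen token outlives the fix.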

It’s not just about reacting faster. Our managed portfolio is designed to reduce exposure and detect attacker activity early:

External Attack Surface Management (EASM), using platforms like GTI, shows us what adversaries see, so we can fix exposures before they become entry points. The Mandiant M-Trends report repeatedly links breaches to assets, such as data stores or management interfaces, that were exposed in ways that did not match their security classification.

Managed SASE (via Cato Networks) hardens your access architecture, cuts back exposed surfaces, and enforces secure traffic flows.

Managed Detection and Response, built on Google Threat Intelligence and Google SecOps, actively hunts for signs of exploitation and lateral movement whenever new CVEs are released. We automate much of this, which is what makes rapid advisories and incident management possible.