How Virtual Patching Helps Protect Hypervisors Against Exploits

Forbes

08-08-2025

Austin Gadient is CTO & cofounder of Vali Cyber. Vali's product ZeroLock protects hypervisors and Linux systems from cyber attacks.
As cybersecurity leaders work to stay ahead of evolving threats, one challenge continues to expose a gap in enterprise risk posture: the delayed adoption of patches for known hypervisor vulnerabilities.
Take VMware ESXi, for example. Despite the availability of patches for high-impact vulnerabilities (CVE-2025-22224, 22225 and 22226), a significant number of systems remain unpatched months later. These flaws allow attackers to escalate from virtual machines to the hypervisor, placing entire workloads, data sets and business services at risk.
The situation is not uncommon. As organizations scale virtual environments and consolidate workloads, their ability to patch quickly and consistently has not kept pace. Patching schedules often conflict with uptime requirements. Risk acceptance around infrastructure-level threats remains high. And many endpoint security tools do not monitor hypervisors directly, leaving blind spots at one of the most critical layers in modern IT environments.
In this context, virtual patching has emerged as a strategic safeguard that offers real-time protection when immediate patching isn't possible.
The Hidden Cost Of Delayed Patching
Patching hypervisors isn't just a technical task, but it's a business risk decision. These systems run critical workloads and taking them offline—even briefly—can impact everything from customer-facing applications to internal operations.
In many environments, patching is delayed not out of negligence, but out of necessity:
• Downtime Risk: Taking a hypervisor offline can disrupt dozens, or hundreds, of virtual machines.
• Operational Fragility: If a patch introduces instability or fails, recovery is complex and time-consuming and introduces a window for exploitation.
Attackers target unpatched virtualization layers because they offer high impact with low visibility. The result is a widening gap between known vulnerabilities and the ability to remediate them safely—one that has real implications for compliance, continuity and executive accountability.
A Widening Threat Landscape
In virtualized environments, the cost of delayed patching is amplified. A single vulnerability at the hypervisor level can compromise every virtual machine it supports—introducing the potential for lateral movement, data exfiltration and operational shutdown.
Recent industry research underscores the scale of the challenge:
• There was a 180% increase in vulnerability exploitation as an initial attack vector between 2022 and 2023.
• 60% of organizations experienced a virtualization security incident last year, and 75% admit they have more VMs than they can effectively secure, opening the door for attackers to laterally move onto the hypervisor.
• 85% of organizations don't follow a regular patching schedule; 47% cite downtime as the main blocker.
These figures reveal a growing misalignment between threat velocity and organizational capacity to patch in time. Virtual patching helps close this gap—protecting systems during the high-risk window between disclosure and deployment.
Virtual Patching: A Practical And Strategic Solution
Virtual patching allows organizations to mitigate risk at runtime—without applying code-level changes or taking systems offline. Key use cases include:
• Zero-Day Defense: Protecting systems before vendor patches are released.
• Legacy Support: Securing environments that are no longer actively maintained.
• Operational Continuity: Maintaining uptime in regulated or 24/7 environments.
These capabilities are enabled through behavior-based detection and exploit prevention techniques that intercept attack behavior, even when the vulnerability itself remains.
Why Virtual Patching Matters To Security And Risk Leaders
For CISOs, CIOs and risk committees, virtual patching isn't just about technical coverage—it's about improving control maturity, audit readiness and business resilience.
Key benefits include:
• Real-time protection for known and unknown threats—even before patching.
• Support for compliance mandates (HIPAA, NIST, ISO) that expect timely risk mitigation.
• Evidence of due diligence, particularly when traditional patching timelines can't be met.
• Minimal business disruption, with deployment that doesn't require system downtime.
This strategy doesn't replace conventional patching—it complements it. For many enterprises, it offers a critical middle path between leaving systems exposed and taking workloads offline.
Getting Started With Virtual Patching
As organizations continue to virtualize, the hypervisor becomes a more attractive and impactful target. Protecting this layer is not just a technical necessity but also a business priority.
Virtual patching provides a way to safeguard operations, maintain compliance and respond to threats with speed. It reflects a broader shift toward layered, adaptive defense—especially critical in environments where timing can be the difference between resilience and breach.
Implementing virtual patching successfully starts with understanding what it takes operationally. Here are some important steps to effectively introduce virtual patching:
• Baseline your environment. Organizations need to know what workloads are running, where their hypervisors are located and what's exposed. Many environments may still lack a consolidated asset inventory or live risk map of their virtual infrastructure, making it hard to prioritize protection.
• Assign ownership. Virtual patching touches security, infrastructure and sometimes application teams. Without clear cross-functional accountability, policies may be inconsistently applied or ignored altogether. Even when a third-party vendor is involved, internal teams still need to define coverage, manage rule updates and ensure the solution stays aligned with changing risks.
• Tune your rules. Virtual patching often works by intercepting exploit behavior at runtime, but the rules need to be tailored. That means understanding typical behaviors versus malicious ones, especially in complex or high-availability environments. A misconfigured rule can cause disruptions or false positives that erode trust in the process.
• Integrate with existing workflows. Virtual patching is most effective when its alerts are fed into the existing security stack (like SIEMs, SOAR platforms and incident response workflows), so exploit attempts can be correlated with other events, prioritized correctly and acted on in real time.
• Require service level agreements (SLAs) from virtual patching providers. Virtual patching is only useful if a virtual patch that addresses a specific CVE can be provided shortly after the vulnerability is disclosed. It is reasonable to demand that providers live up to a timeline that correlates with issue severity.
Ultimately, virtual patching is a control that requires alignment across people, processes and technology. But for organizations with large-scale virtual infrastructure, it's also a necessary evolution that bridges the gap between ideal patching timelines and real-world constraints.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?