← All insights
Offensive Security

Will Continuous Penetration Testing Lead to More Zero-Days?

Point-in-time penetration testing has long been the mainstay of our industry. For many of our clients, testing is conducted for a period of weeks at a quarterly or semi-annual cadence. One such client had undergone a four-week engagement before transitioning to continuous penetration testing. While their recent engagement identified several vulnerabilities, testing efforts indicated a minimal risk of potential threats. However, through continuous testing, a well-hidden and previously undetected zero-day vulnerability was identified.

On more careful inspection, OSec’s penetration testers discovered two zero-day vulnerabilities (CVE-2023-34037, CVE-2023-34038) residing within a VMware Horizon Server being used by the client. These vulnerabilities not only revealed a vector for HTTP Request Smuggling attacks from external threat actors, but also allowed attackers to ascertain the internal IP address of the VMware instance. While this discovery may not be deemed critical, it underscores the setbacks of time constraints in short assessment windows and benefits of continuous penetration testing.

OSec immediately initiated communications with VMWare Security to ensure responsible disclosure. The timeframe for this collaborative process can vary widely, spanning anywhere from a few days to several months, encompassing the journey from issue reporting to patch development or the creation of a workaround. While coordinating with VMWare Security, OSec remained in constant communication with the client, providing updates on VMware’s progress to ensure they were fully informed until a fix was released.

Automated tools detect vulnerabilities based on predetermined patterns and attack vector signatures. They stumble on vulnerabilities built out of complex logic. Those bugs leave no clear pattern to trace, so it takes a human tester to understand how the affected system is supposed to behave and pinpoint where the logic is abused. Run automation and human analysis together on a continuous basis and you cover more of the attack surface, which surfaces the more impactful vulnerabilities.

The VMware vulnerabilities would have gone unnoticed had continuous penetration testing not been utilized. Incenter and continuous penetration testing supplied an additional layer that allowed a thorough evaluation of the client environment with more time allocated. This addition of time and human expertise along with the underlying automation created an inescapable net for detection of these zero-day vulnerabilities.

A working relationship between automation and human penetration testers is what builds a resilient security posture, whatever the organization.

You can view the VMware Security Advisory at the following link detailing versions of VMware Horizon that were affected: https://www.vmware.com/security/advisories/VMSA-2023-0017.html .

More in Offensive Security
Test Your People, Not Just Your FiltersApr 7, 2026 · 7 minPurple Teams — The Business Benefits of Cost-Effective Purple Penetration TestingFeb 19, 2024 · 5 minLiving off the Land: An Introduction to Blending In for Red TeamsJan 25, 2024 · 4 min
Talk to an expert