M0951: Update Software
Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.
Analyst context for executives and security teams
Update Software is a foundational ICS mitigation: keeping software and firmware current reduces the chance that known weaknesses become an entry point, escalation path, evasion method, or supply-chain exposure. Its business significance is that patching in industrial environments is not only a technical task; it must be balanced with operational downtime, change control, and safety-sensitive continuity requirements.
Executive priority
Leaders should treat this as a resilience and governance control, not just an IT hygiene item. The key decision is whether the organization has a risk-based process to identify exposed, remote, transient, public-facing, and firmware-bearing assets; prioritize updates; schedule them around operational downtime; and retain evidence for IEC 62443-4-2 CR 3.10 and NIST SP 800-53 SI-2-aligned expectations.
Technical view
For SOC, IR, and engineering teams, validate that update status is known for assets relevant to the mitigated techniques: drive-by compromise, public-facing application exploitation, exploitation for evasion, supply chain compromise, transient cyber assets, exploitation of remote services, privilege escalation, and system firmware abuse. Because ATT&CK provides no detection text and no platforms for this mitigation, coverage should be assessed through asset and vulnerability management evidence rather than assumed from alerts.
Likely telemetry
- Asset inventory with software and firmware versions
- Patch and update management records
- Vulnerability assessment results for internet-facing applications and remote services
- Maintenance-window and change-control records
- Firmware update history where supported
Detection direction
- Confirm the SOC can identify systems running outdated software or firmware, especially assets exposed for remote management or public-facing access.
- Tune vulnerability and exposure reporting to distinguish ICS assets that require scheduled downtime from assets that can be updated routinely.
- Correlate exploitation alerts with patch status during investigations to determine whether an available update could have reduced risk.
- Validate visibility for transient assets, since devices moving between external and ICS networks can create patch-status blind spots.
- Avoid claiming detection coverage from this mitigation alone; ATT&CK does not provide detection guidance for M0951.
Mitigation priorities
- Maintain an authoritative inventory of ICS software, services, and firmware versions.
- Prioritize updates for internet-facing applications, remote services, security-relevant components, and assets that could support privilege escalation or evasion if vulnerable.
- Schedule and document updates around operational downtime and change-control requirements.
- Include transient assets and supplier-delivered software or update mechanisms in the update governance process.
- Retain update evidence for audit, compliance, and incident decision-making.
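As an added example (not MITRE or Glexia code), the following joins a constructed asset inventory to constructed patch records to rank update work by the exposures this page names (public-facing, remote services, transient, firmware-bearing), separates routine updates from those needing scheduled downtime, and lists assets whose patch status cannot be proven. All field names, weights and sample values are assumptions.

```python
"""Rank M0951 update work from an inventory joined to patch records. Added
example, not MITRE or Glexia code; all fields and sample values are constructed."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    internet_facing: bool = False   # T0819 exposure
    remote_service: bool = False    # T0866: reachable for remote management
    transient: bool = False         # T0864: moves between external and ICS nets
    firmware_bearing: bool = False  # System Firmware: BIOS/EFI/device firmware
    requires_downtime: bool = False # only updatable inside a maintenance window
    # component -> (installed, fix from vendor advisory); installed None = unknown
    patch_status: dict = field(default_factory=dict)
EXPOSURE_WEIGHTS = (("internet_facing", 4), ("remote_service", 3),
                    ("transient", 2), ("firmware_bearing", 1))
def version_key(v):
    """Compare dotted versions numerically so "2.4.62" > "2.4.7"."""
    return tuple(int(p) for p in v.split("."))
def outdated_components(asset):
    return sorted(c for c, (have, fix) in asset.patch_status.items()
                  if have is not None and version_key(have) < version_key(fix))
def prioritize(assets):
    """Rank assets with an available but uninstalled update, highest risk first:
    one point per outdated component plus exposure weights; lane separates
    routine work from updates needing scheduled downtime."""
    rows = []
    for a in assets:
        missing = outdated_components(a)
        if not missing:
            continue
        score = len(missing) + sum(w for f, w in EXPOSURE_WEIGHTS if getattr(a, f))
        lane = "scheduled-downtime" if a.requires_downtime else "routine"
        rows.append((a.asset_id, score, lane, missing))
    return sorted(rows, key=lambda r: (-r[1], r[0]))
def blind_spots(assets):
    """Assets whose patch status cannot be proven (no records, or an unknown
    installed version); transient assets are the usual cause."""
    return sorted(a.asset_id for a in assets if not a.patch_status
                  or any(have is None for have, _ in a.patch_status.values()))

SAMPLE = [  # constructed inventory, not a real plant
    Asset("HMI-01", remote_service=True, requires_downtime=True,
          patch_status={"os": ("10.0.19041", "10.0.19045"), "hmi-runtime": ("8.1", "8.1")}),
    Asset("WEB-DMZ", internet_facing=True, patch_status={"httpd": ("2.4.57", "2.4.62")}),
    Asset("ENG-LT-7", transient=True,
          patch_status={"browser": ("124.0", "126.0"), "vpn-client": (None, "5.2")}),
    Asset("PLC-3", firmware_bearing=True, requires_downtime=True,
          patch_status={"firmware": ("2.4", "2.9")}),
    Asset("JUMP-1", remote_service=True),  # never reported its versions
]
```

Running `prioritize(SAMPLE)` puts the internet-facing host first and the PLC last but in the downtime lane, while `blind_spots(SAMPLE)` returns the transient laptop and the unreporting jump host.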
Analyst notes and limits
The relationship context makes this mitigation material across initial access, evasion, lateral/remote service abuse, privilege escalation, supply chain, transient asset, and firmware-related risk in ICS environments. The practical question for defenders is not whether updates are generally good, but whether update status is known, prioritized, safely deployable, and provable for the assets that matter most to operations.
ATT&CK does not specify platforms, tactics, or detection guidance for this mitigation. The supplied relationship descriptions identify the techniques mitigated but do not prove local exposure, exploitation, or detection coverage. Local asset inventory, vulnerability data, maintenance constraints, and engineering validation are required to determine priority and feasibility.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques mitigated
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0862 | Supply Chain Compromise | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| ICS | T0817 | Drive-by Compromise | Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled. |
| ICS | T0819 | Exploit Public-Facing Application | Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure. |
| ICS | T0890 | Exploitation for Privilege Escalation | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| ICS | T0820 | Exploitation for Evasion | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| ICS | T0864 | Transient Cyber Asset | Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities. |
| ICS | T0866 | Exploitation of Remote Services | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| ICS | T1693.001 | System Firmware Sub-technique | Patch the BIOS and EFI as necessary. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cce02a26f3fc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M0951
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.