Third-Party App Patching: The Security Gap You're Missing
11 February 2026 · 0x1m3
Your Windows updates are current. Your firewall is configured. Your antivirus is running. You still have a massive security gap — and attackers know exactly where it is.
Third-party applications. The software your team uses every single day.
The Problem: You Patch the OS, Not the Apps
Most IT teams have Windows patching under control. Microsoft makes it relatively straightforward with Windows Update, WSUS, or group policy. Monthly patches roll out, endpoints reboot, and the cycle continues.
But what about everything else installed on those endpoints?
Google Chrome. Adobe Reader. Java. Zoom. Slack. 7-Zip. VLC. Firefox. WinRAR. These applications sit on every workstation in your organisation. They connect to the internet. They process files from external sources. And in most businesses, nobody is patching them.
This is not a minor oversight. It is the primary way attackers compromise South African businesses today.
Why Attackers Target Third-Party Apps
The logic is simple. Attackers look for the path of least resistance.
Operating system vulnerabilities get patched quickly because every IT team prioritises them. But third-party applications? They sit unpatched for weeks, months, or indefinitely. Attackers exploit this predictable gap.
Consider the numbers:
- 75% of attacks exploit vulnerabilities in third-party applications, not operating systems
- The average time to patch a third-party app in most organisations exceeds 60 days
- A single unpatched browser can give an attacker full endpoint access in under 30 seconds
Every unpatched application is an open door. And most businesses have dozens of them across every endpoint.
The Most Commonly Exploited Unpatched Apps
These are the applications attackers target first — because they know businesses neglect them:
1. Google Chrome / Chromium browsers — Updated frequently by Google, but only if the user restarts their browser. Most do not.
2. Adobe Acrobat Reader — PDF exploits remain one of the most common initial attack vectors.
3. Java Runtime Environment (JRE) — Legacy applications keep Java installed; attackers keep exploiting it.
4. Zoom — Rapid release cycles mean patches stack up quickly when unmanaged.
5. Mozilla Firefox — Same restart problem as Chrome, compounded by less centralised management.
6. 7-Zip / WinRAR — Archive utilities with known remote code execution vulnerabilities.
7. VLC Media Player — Frequently installed, rarely updated, with a history of critical vulnerabilities.
8. Slack — Desktop client vulnerabilities can expose corporate communications.
9. Microsoft Teams (standalone) — The non-Store version requires separate patching from Windows Update.
10. Adobe Creative Suite — Photoshop, Illustrator, and InDesign vulnerabilities affect creative teams.
If any of these are installed across your endpoints without automated patching, you have active exposure right now.
Why Manual Patching Fails
Some IT teams attempt manual third-party patching. They download installers, push them via scripts, or rely on users to update their own applications. This approach fails for three reasons:
Scale. A typical organisation has 20-40 third-party applications per endpoint. Multiply that by your endpoint count. Manual patching at scale is not sustainable.
Speed. When a critical vulnerability drops for Chrome or Adobe, the exploit is often active within hours. Manual processes cannot respond fast enough.
Visibility. You cannot patch what you cannot see. Most IT teams do not have a complete inventory of every third-party application installed across their environment.
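To make the visibility problem concrete, the following added example (not from N-able or the original post) inventories one Windows endpoint from the standard uninstall registry keys and flags installs below a minimum version. The function names are hypothetical and the baseline versions are constructed placeholders.

```powershell
# Added example. Minimum versions below are constructed placeholders, not real
# vendor release numbers; replace them with your own patch baseline.
$Baseline = @{
    'Google Chrome'    = '100.0.0.0'
    'Mozilla Firefox'  = '100.0'
    '7-Zip'            = '20.00'
    'VLC media player' = '3.0.0'
}

# Machine-wide (64-bit and 32-bit) and current-user uninstall registry keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Keep the leading dotted number ("24.08 (x64)" -> 24.8.0.0) and pad it to
    # four parts so that "100.0" and "100.0.0.0" compare as equal.
    if ($Text -notmatch '^\s*(\d+(?:\.\d+){0,3})') { return $null }
    $parts = @($Matches[1].Split('.'))
    while ($parts.Count -lt 4) { $parts += '0' }
    return ($parts -join '.') -as [version]   # $null if a part overflows Int32
}

function Get-PatchGap {
    param([hashtable]$Minimum = $Baseline)
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }
    foreach ($app in $installed) {
        foreach ($name in $Minimum.Keys) {
            if ($app.DisplayName -notlike "$name*") { continue }
            $have = ConvertTo-ComparableVersion $app.DisplayVersion
            $need = ConvertTo-ComparableVersion $Minimum[$name]
            if ($null -eq $have -or $null -eq $need) { $status = 'Unparsed' }
            elseif ($have -lt $need) { $status = 'Outdated' }
            else { $status = 'OK' }
            [pscustomobject]@{
                Application = $app.DisplayName
                Installed   = $app.DisplayVersion
                Minimum     = $Minimum[$name]
                Status      = $status
            }
        }
    }
}

Get-PatchGap | Sort-Object Status, Application | Format-Table -AutoSize
```

This sees only installs registered under the uninstall keys for the machine and the current user; Store packages and other users' per-user installs need separate enumeration.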
The Fix: Automated Third-Party Patching with N-able
N-able N-central patches over 100 third-party applications automatically. No manual downloads. No scripted deployments. No reliance on end users.
Here is how it works:
Discovery. N-able scans every managed endpoint and identifies every installed application — including versions, patch status, and known vulnerabilities.
Automation. When a patch is available, N-able downloads, tests, and deploys it according to your policy. Critical patches can deploy immediately. Others can follow your change management window.
Verification. Post-deployment checks confirm patches applied successfully. Failed patches get flagged and retried automatically.
Reporting. Dashboards show your patch compliance rate across every application, every endpoint, and every site — in real time.
This is not a bolt-on feature. Third-party patching is built into N-able's Remote Monitoring and Management (RMM) platform alongside its 700+ automation recipes, giving your IT team a single console for endpoint management.
What Happens When You Close This Gap
Organisations that implement automated third-party patching see immediate results:
- Attack surface reduction — Fewer exploitable vulnerabilities across every endpoint
- Compliance improvement — POPIA and industry frameworks require timely patching
- Incident reduction — Fewer malware infections, fewer helpdesk tickets, fewer late nights
- Audit readiness — Patch compliance reports generated on demand
The return on investment is not abstract. Every patched vulnerability is one less way an attacker can reach your data.
Stop Leaving the Door Open
Unpatched third-party apps are the number one way attackers get in. OAS patches 100+ of them automatically through N-able — so your IT team can stop chasing installers and start focusing on what matters.