This week there was a zero-day discovered in Apache HTTP Server 2.4.49. This vulnerability can allow attackers to map URLs to files outside of the expected document root on the server. However, it has subsequently been discovered that the zero-day flaw is worse than originally thought due to a new proof of concept that demonstrates the vulnerability can lead to remote code execution. This vulnerability only affects the 2.4.49 version of Apache, but it is extremely severe in nature and something that you would want to patch immediately if one of your servers was running this.
https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html
Patching is a never-ending process. A good patch management strategy is the keystone to any cyber security program. I am curious what the group thinks about whether patching or security awareness training is more important. When resources are constrained, where would you invest?