Attackers exploit 80% of critical vulnerabilities before patches are applied, study finds

April 12, 20262 min read1 sources
Share:
Attackers exploit 80% of critical vulnerabilities before patches are applied, study finds

A sweeping analysis of one billion vulnerability remediation records has revealed a critical gap in organizational defense, with threat actors exploiting the vast majority of critical flaws before patches can be applied. The study, conducted by cybersecurity firm Qualys, found that 80% of the vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog were compromised prior to remediation by defenders.

The research, which spanned 18 months and covered 150 million unique assets, focused specifically on the CISA KEV catalog. This catalog is a definitive list of security flaws that have been confirmed to be under active attack in the wild. Federal agencies are mandated to patch these specific vulnerabilities within strict deadlines, making them a high-priority benchmark for all security teams.

The data highlights the extreme speed at which attackers operate. According to Qualys, approximately 40% of the vulnerabilities added to the KEV list are exploited within just two weeks of their public disclosure. This rapid weaponization of known flaws demonstrates that traditional, human-driven patching cycles are often too slow to prevent initial compromise.

The findings suggest that organizations relying on manual processes are fundamentally outmatched. While security teams struggle with patch fatigue and prioritization, automated attack campaigns can scan for and exploit unpatched systems at a massive scale. The report underscores that the challenge is not a lack of awareness, but a lack of speed and automation in responding to the most imminent threats.

“Human-scale security is failing to keep pace with the speed and scale of cyberattacks,” stated Qualys CEO Sumedh Thakar in a press release accompanying the report. The firm advocates for a shift toward automated, risk-based vulnerability management to close the gap between when a critical vulnerability is disclosed and when it is successfully patched.

Share:

// SOURCES

// RELATED

Meta settles bellwether lawsuit alleging addictive design harmed student mental health

Meta's confidential settlement with a Washington school district marks a pivotal moment in the massive litigation against social media's psychological

6 min readMay 24

Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network

A sophisticated zero-day attack on Huawei routers allegedly caused Luxembourg's 2023 national telecom outage, raising severe global security concerns.

6 min readMay 23

MiniPlasma Windows 0-day enables SYSTEM privilege escalation on fully patched systems

A newly disclosed 0-day flaw, MiniPlasma, allows attackers to gain full SYSTEM control on patched Windows systems, with a public PoC accelerating risk

6 min readMay 18

The ransomware dilemma: why more than half of security chiefs would pay the price

A new survey reveals 56% of CISOs would consider paying a ransom, highlighting the intense pressure to restore operations despite official guidance.

6 min readMay 16