Attackers are exploiting more vulnerabilities before defenders even know they exist. VulnCheck found that 28.96% of vulnerabilities observed as exploited in 2025 were attacked before public disclosure, up from 23.6% in 2024, according to a report cited by Infosecurity Magazine.
The increase points to a larger share of exploitation happening in the pre-disclosure window, often described as zero-day activity. While the Infosecurity summary did not name specific CVEs or victim organizations, the trend suggests attackers are finding or acquiring usable exploits earlier and using them before vendors can issue public advisories or patches.
That matters because many of the most damaging campaigns in recent years have targeted internet-facing systems such as firewalls, gateways, and VPN appliances. When exploitation starts before disclosure, defenders lose the normal warning period between a public CVE and active attacks. Security teams may only realize they are exposed after compromise indicators emerge or emergency guidance is published.
The finding also fits a broader pattern documented by government and industry researchers. CISA’s Known Exploited Vulnerabilities catalog continues to grow, reflecting how often attackers weaponize flaws that offer reliable access. Google-owned Mandiant has also warned that time-to-exploit is shrinking, with some campaigns beginning before disclosure and many others following almost immediately after public details appear.
For defenders, the takeaway is straightforward: patching remains necessary, but it is no longer enough to treat disclosure day as the start of the risk window. Organizations with large external attack surfaces, especially those running edge devices or hard-to-update appliances, may need to prioritize asset inventory, exposure reduction, segmentation, and monitoring for suspicious behavior even before vendor alerts are available.
One caveat: the Infosecurity report summarizes VulnCheck’s research, but does not include the full methodology, dataset scope, or whether the 2025 figure is year-to-date. Those details will matter in judging how broadly the trend applies. Even so, the direction is clear: more attackers are operating inside the disclosure gap, and defenders are being forced to respond after exploitation has already started.




