Attackers are moving from disclosure to active exploitation faster than many defenders can patch. According to Rapid7, the median time between a vulnerability becoming public and its addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog has fallen to just five days in 2025, down sharply from prior years.
Infosecurity Magazine, citing Rapid7’s analysis, said the shorter interval points to a compressed time-to-exploit cycle, particularly for internet-facing systems such as firewalls, remote access gateways and VPN appliances. KEV entries are significant because CISA only adds vulnerabilities that have been confirmed as exploited in the wild, making the catalog a widely used prioritization tool for federal agencies and private-sector defenders.
Rapid7 argues that automation and AI-assisted workflows are helping adversaries operationalize newly disclosed flaws more quickly. Public advisories, patch diffs and proof-of-concept code already reduce the effort needed to weaponize a bug; automated scanning and exploit adaptation can shrink that window further. While the data does not prove AI is the sole cause, it supports a broader pattern security teams have been tracking for several years: high-value flaws in edge devices and enterprise software are often targeted within days of disclosure.
The impact for defenders is straightforward. Organizations that still rely on weekly or monthly patch cycles may be exposed during the period when exploitation is most likely. KEV remains useful for prioritization, but it is also reactive by design; by the time a CVE appears there, attackers may already be active. That puts more pressure on security teams to triage internet-facing vulnerabilities immediately, use compensating controls when patches are not yet available, and treat critical edge-device flaws as emergency issues rather than routine maintenance.
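To make the triage described above concrete, here is an added example that is not from the article, Rapid7 or CISA: a small Python script that computes the disclosure-to-KEV interval over a set of KEV-style records and ranks an asset inventory so that internet-facing hosts with a KEV hit are handled as emergencies. The field names `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` mirror the public KEV JSON feed; the `disclosed` field is an assumption standing in for the public-advisory date, and every CVE id, date and hostname is constructed sample data.

```python
"""Added example (not from the article, Rapid7 or CISA): KEV-driven triage of an
asset inventory.  It computes the disclosure-to-KEV interval the article reports
and ranks exposed assets so edge devices hit by a KEV entry are treated as
emergencies.  All CVE ids, dates and hosts below are constructed sample data.
"""
from datetime import datetime
from statistics import median

# Constructed KEV-style records.  Field names mirror the public KEV JSON feed
# (cveID, vendorProject, product, dateAdded, dueDate); the values are made up.
# "disclosed" is NOT a KEV field; it is an assumed stand-in for the public
# advisory date that the disclosure-to-KEV interval is measured from.
SAMPLE_KEV = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Edge Firewall",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "disclosed": "2025-03-05"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "VPN Gateway",
     "dateAdded": "2025-04-02", "dueDate": "2025-04-23", "disclosed": "2025-03-29"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleSoft", "product": "Wiki Server",
     "dateAdded": "2025-05-20", "dueDate": "2025-06-10", "disclosed": "2025-05-01"},
]

# Constructed asset inventory: the CVEs each host is affected by (e.g. from a
# vulnerability scanner) and whether the host is reachable from the internet.
SAMPLE_ASSETS = [
    {"host": "fw-edge-01", "internet_facing": True, "cves": ["CVE-0000-0001"]},
    {"host": "vpn-dmz-02", "internet_facing": True, "cves": ["CVE-0000-0002", "CVE-0000-0003"]},
    {"host": "wiki-int-07", "internet_facing": False, "cves": ["CVE-0000-0003"]},
    {"host": "build-09", "internet_facing": False, "cves": []},
]


def _d(s):
    """Parse an ISO date string (YYYY-MM-DD) into a date."""
    return datetime.strptime(s, "%Y-%m-%d").date()


def disclosure_to_kev_days(kev_records):
    """Days from public disclosure to KEV addition, one value per record."""
    return [(_d(r["dateAdded"]) - _d(r["disclosed"])).days for r in kev_records]


def median_exposure_window(kev_records):
    """Median disclosure-to-KEV interval, the metric the article cites."""
    return median(disclosure_to_kev_days(kev_records))


def triage(assets, kev_records, today):
    """Rank hosts: internet-facing with a KEV hit -> emergency; internal KEV hit
    -> high; no KEV hit -> routine.  Each row also carries the tightest KEV due
    date and whether it has already passed, since KEV is reactive by design and
    a host may be overdue the day the entry lands.  `today` is an ISO date."""
    today = _d(today)
    kev_by_cve = {r["cveID"]: r for r in kev_records}
    results = []
    for a in assets:
        hits = [kev_by_cve[c] for c in a["cves"] if c in kev_by_cve]
        if hits and a["internet_facing"]:
            tier = "emergency"
        elif hits:
            tier = "high"
        else:
            tier = "routine"
        due = min((_d(h["dueDate"]) for h in hits), default=None)
        results.append({
            "host": a["host"],
            "tier": tier,
            "kev_cves": [h["cveID"] for h in hits],
            "due": due.isoformat() if due else None,
            "overdue": bool(due and due < today),
        })
    # Most urgent first: tier, then earliest due date, then hostname for stability.
    order = {"emergency": 0, "high": 1, "routine": 2}
    results.sort(key=lambda r: (order[r["tier"]], r["due"] or "9999-12-31", r["host"]))
    return results


if __name__ == "__main__":
    print("median disclosure->KEV days:", median_exposure_window(SAMPLE_KEV))
    for row in triage(SAMPLE_ASSETS, SAMPLE_KEV, "2025-04-25"):
        print(row)
```

In practice the `SAMPLE_KEV` list would be replaced by the parsed `vulnerabilities` array of the live KEV feed and `SAMPLE_ASSETS` by scanner output; the point of the tiering is that the same CVE on an internet-facing edge device and on an internal host gets different handling, and that the `overdue` flag surfaces cases where the KEV due date has already passed before the host was even noticed.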
The finding also reinforces a policy trend already visible in federal guidance. CISA’s KEV catalog underpins remediation deadlines for civilian agencies, and the shrinking gap between disclosure and confirmed exploitation suggests similar urgency is becoming necessary across the private sector as well.