The gap between vulnerability disclosure and exploitation is drastically decreasing, putting security teams’ patching practices on notice.
According to Rapid7’s latest Cyber Threat Landscape Report, confirmed exploitation of newly disclosed high- and critical-severity vulnerabilities (CVSS 7-10) increased 105% year to 146 in 2025, up from 71 in 2024.
Moreover, the median time from vulnerability publication to CISA Known Exploited Vulnerabilities (KEV) inclusion dropped from 8.5 days to 5.0 days, with mean time-to-exploit dropping from 61.0 days to 28.5 days. Zero-day exploits have also been hitting enterprises faster and harder, according to a recent report from Google Threat Intelligence Group.
The result is a threat ecosystem that sees twice as many high-impact flaws exploited in half the time — a troubling development for cyber defense.
Cybercrime industrial complex
Industrialization of the cybercrime ecosystem and increased abuse of AI tools to find and exploit vulnerabilities are key drivers of the increased pace of vulnerability exploitation, according to Rapid7 and other industry observers quizzed by CSO.
“Initial access brokers now sell directly to ransomware groups, creating a clear incentive to weaponize new vulnerabilities, harvest credentials, and monetize access,” says Stephen Fewer, senior principal researcher at Rapid7, the firm behind the popular Metasploit penetration-testing tool. “This has accelerated both the pace and sophistication of their operations.”
For attackers, familiarity with the target and the technologies involved can greatly reduce the challenge of developing exploits — a factor that is driving repeated exploitation of many enterprise software targets.
AI adoption is another important factor in the increased pace of vulnerability discovery and exploitation because it facilitates the process of uncovering software bugs.
“It [AI] enables threat actors to close skill gaps and significantly increases operational throughput,” Fewer says. “In practice, AI provides a tactical advantage in analyzing newly disclosed vulnerabilities and generating exploit code at speed.”
N-day exploitation
Rapid7 Labs validated its findings about a more febrile threat environment by producing both n-day and zero-day exploits using AI-assisted research, substantially reducing development time.
In practice, n-day bugs — or the development of exploits against patched software — are a bigger problem than headline-grabbing zero-day vulnerabilities, adds Leeann Nicolo, incident response lead at Coalition, a technology firm that specializes in cyber insurance and cybersecurity tools.
“Our incident response team hasn’t seen a lot of zero-day vulnerabilities exploited lately. Instead, threat actors are hitting known issues that already have patches,” Nicolo says.
Other industry experts confirmed that Rapid7’s findings reflect what they too are seeing on the ground.
“The patch window has effectively collapsed,” says Chris Wysopal, co-founder and chief security evangelist at application security firm Veracode. “That is not a gradual trend; it’s a structural break.”
One driver for the increased pace of exploitation is that every patch now acts like a roadmap for attackers, Wysopal says.
“Once a fix ships, attackers can differentiate the patch, isolate the vulnerable code path, and use automation and AI to generate working exploit paths far faster than enterprises can test and deploy the fix,” says Wysopal. “In other words, disclosure increasingly starts the race, and defenders are already behind when the starting gun fires.”
In addition, AppSec debt widens the exposure window even when a patch exists.
“Enterprises are still carrying too much legacy code, too many internet-facing dependencies, and too many fragile change processes to remediate at machine speed,” Wysopal says. “If the organization needs days or weeks to inventory exposure, assess blast radius, test, get approvals, and deploy, then it is operating on a calendar while attackers are operating on a clock.”
Another big issue is the industrialization of vulnerability exploitation.
AI compresses exploit development and lowers the skill barrier, while the cybercrime market removes friction by creating a well-oiled production line that incorporates researchers, brokers, access sellers, botnet operators, and ransomware affiliates.
“[This] assembly-line model means more vulnerabilities move from disclosure to usable attack paths almost immediately,” according to Wysopal.
Secure-by-design imperative
The real response to these challenges ought to be in reducing the amount of exploitable software reaching production in the first place rather than encouraging CISOs to “patch faster.”
Secure-by-design engineering, aggressive pre-release testing by top-tier bug hunters, architectural mitigations that shrink whole bug classes, and the ability to rebuild or isolate exposed systems quickly are all necessary but perhaps insufficient.
The old assumption that defenders get a grace period after disclosure is no longer credible, according to Wysopal.
“We are watching the collapse of the traditional patch window in real-time,” Wysopal emphasizes. “Secure by design is the only sustainable response, because once disclosure happens, the attacker’s clock is already ticking.”
No Responses