{"id":5142,"date":"2025-10-01T07:00:00","date_gmt":"2025-10-01T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5142"},"modified":"2025-10-01T07:00:00","modified_gmt":"2025-10-01T07:00:00","slug":"cisos-advised-to-rethink-vulnerability-management-as-exploits-sharply-rise","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5142","title":{"rendered":"CISOs advised to rethink vulnerability management as exploits sharply rise"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Enterprise attack surfaces continue to expand rapidly, with more than 20,000 new vulnerabilities disclosed in the first half of 2025, straining already hard-pressed security teams.<\/p>\n<p>Nearly 35% (6,992) of these vulnerabilities have publicly available exploit code, according to the <a href=\"https:\/\/flashpoint.io\/resources\/report\/flashpoint-global-threat-intelligence-index-midyear\/\">Global Threat Intelligence Index study<\/a> by threat intel firm Flashpoint.<\/p>\n<p>The volume of disclosed vulnerabilities has more than tripled while the amount of exploit code has more than doubled since the end of February 2025 alone.<\/p>\n<p>These increases make it no longer feasible for most organizations to triage, remediate, or mitigate every vulnerability, Flashpoint argues, suggesting enterprises need to apply a risk-based patching framework. 
But some experts quizzed by CSO went further \u2014 arguing a complete operational overhaul of <a href=\"https:\/\/www.csoonline.com\/article\/3853759\/10-best-practices-for-vulnerability-management-according-to-cisos.html\">vulnerability management<\/a> practices is needed.<\/p>\n<h2 class=\"wp-block-heading\">Risk-based patching: A rising necessity<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/josh-lefkowitz-b9a12b2\/\">Josh Lefkowitz<\/a>, CEO of Flashpoint, says that surges in disclosed vulnerabilities and publicly available exploit code reflect a shift in the threat landscape.<\/p>\n<p>\u201cAttackers are operationalizing exploits as soon as vulnerabilities surface, often within hours, and well before defenders can access reliable data from public sources,\u201d Lefkowitz tells CSO.<\/p>\n<p>The widening gap between exposure and response makes it impractical for security teams to rely on traditional approaches. The countermeasure is not \u201cpatch everything faster,\u201d but \u201cpatch smarter\u201d by taking advantage of security intelligence, according to Lefkowitz.<\/p>\n<p>Enterprises should evolve beyond reactive patch cycles and embrace risk-based, intelligence-led vulnerability remediation. \u201cThat means prioritizing vulnerabilities that are remotely exploitable, actively exploited in the wild, or tied to active adversary campaigns while factoring in business context and likely attacker behaviors,\u201d Lefkowitz says.<\/p>\n<h2 class=\"wp-block-heading\">Focus on exploitable vulnerabilities<\/h2>\n<p>Third-party security experts agree that enterprises need to apply a risk-based patching framework.<\/p>\n<p>\u201cOrganizations that try to patch everything are fighting an impossible battle,\u201d says IEEE senior member <a href=\"https:\/\/transmitter.ieee.org\/young-creator\/shaila-rana\/\">Shaila Rana<\/a>. 
\u201cBut the silver lining here is that this shift is actually forcing smarter and more strategic approaches to emerge.\u201d<\/p>\n<p>Rana adds: \u201cThis pressure is creating better risk-based frameworks that help teams focus their limited resources on prioritized areas, or what matters most.\u201d<\/p>\n<p><a href=\"https:\/\/www.picussecurity.com\/resource\/author\/huseyin-can-yuceel\">H\u00fcseyin Can Y\u00fcceel<\/a>, security research lead at security validation company Picus Security, says that although the growing volume of vulnerabilities disclosed may be daunting, only some will affect any particular enterprise.<\/p>\n<p>\u201cYou may not even own the product with a vulnerability or already have some security mitigations in place to prevent exploitation,\u201d Y\u00fcceel explains. \u201cThe most important thing is deciding what\u2019s relevant and important to you, which is why prioritization based on context is important.\u201d<\/p>\n<p>Y\u00fcceel adds: \u201cA risk-based approach helps organizations focus on the threats that will most likely affect their infrastructure and operations. This means organizations should prioritize vulnerabilities that can be considered exploitable, while de-prioritizing vulnerabilities that can be effectively mitigated or defended against, even if their CVSS [Common Vulnerability Scoring System] score is rated critical.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Relying on CVEs alone is becoming \u2018untenable\u2019<\/h2>\n<p>Security teams relying heavily on public sources of vulnerability intelligence, such as the Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD), are at a severe disadvantage, Flashpoint warns. 
The average latency between CVE publication and NVD enrichment now spans into weeks and months \u2014 <a href=\"https:\/\/www.csoonline.com\/article\/4008708\/beyond-cve-the-hunt-for-other-sources-of-vulnerability-intel.html\">creating critical intelligence gaps<\/a>.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/3963190\/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html\">instability in the CVE program funding<\/a> earlier this year creates additional doubts.<\/p>\n<p>\u201cRelying solely on CVE or the National Vulnerability Database has become untenable,\u201d Flashpoint\u2019s Lefkowitz says. \u201cThe delays, inconsistencies, and persistent backlog mean that critical intelligence often arrives after attackers are already active, leaving defenders blind to high-risk exposures.\u201d<\/p>\n<p><a href=\"https:\/\/www.fortra.com\/profile\/tyler-reguly\">Tyler Reguly<\/a>, senior manager of security R&amp;D at offensive and defensive security firm Fortra, dismisses concerns that relying on public sources of vulnerability intelligence puts organizations at a \u201csevere disadvantage\u201d as overblown. Vendor reports, exploit databases, and the CISA Known Exploited Vulnerabilities (KEV) list all offer valuable sources of intelligence, Reguly says.<\/p>\n<p>\u201cThe reality is that public sources of intelligence are critical to managing your vulnerabilities,\u201d Reguly argues. \u201cThat\u2019s not to say that proprietary data isn\u2019t beneficial, but there\u2019s a lot of data out there available for anyone to gather.\u201d<\/p>\n<p>Rana argues that public vulnerability intelligence works best when combined with contextual threat intelligence and business risk assessments.<\/p>\n<p>\u201cSmart organizations are layering CVE data with real-time threat intelligence to create more nuanced and actionable security strategies,\u201d Rana says. 
Instead of abandoning these trusted sources, effective teams are getting better at using them as part of a broader intelligence picture that helps them stay ahead of the threats that actually matter to their specific environment.<\/p>\n<h2 class=\"wp-block-heading\">Third-party risk \u2014 yet again<\/h2>\n<p><a href=\"https:\/\/tokyo.cybertechconference.com\/node\/2121\">Galit Lubetzky Sharon<\/a>, CEO at application attack surface protection firm Wing Security, says that the surge in vulnerabilities and exploit code is only part of the problem.<\/p>\n<p>\u201cEnterprises increasingly depend on third-party SaaS vendors that dictate the patching cycle \u2014 when those vendors patch slowly or fail to disclose, customers inherit the risk blindly,\u201d Sharon says.<\/p>\n<p>AI is amplifying this threat: Attackers <a href=\"https:\/\/www.csoonline.com\/article\/4014238\/cybercriminals-take-malicious-ai-to-the-next-level.html\">weaponize exploits at unprecedented speed<\/a>, while \u201cSaaS vendors race to release AI features often without mature security controls,\u201d according to Sharon.<\/p>\n<p>\u201cThe real challenge isn\u2019t just keeping pace with patches but gaining visibility into third-party risk \u2014 making continuous SaaS, AI, and general third-party security essential,\u201d Sharon concludes.<\/p>\n<h2 class=\"wp-block-heading\">AI simplifying exploit development<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/sassrami\/\">Rami Sass<\/a>, CEO at application security firm Mend, says the time between vulnerability discovery and exploitation has shrunk from weeks to days if not hours over the past two years, partly because of the <a href=\"https:\/\/www.csoonline.com\/article\/3632268\/gen-ai-is-transforming-the-cyber-threat-landscape-by-democratizing-vulnerability-hunting.html\">increased abuse of AI technologies by attackers<\/a>.<\/p>\n<p>There are three main drivers behind an increasingly turbulent threat landscape, according to 
Sass:<\/p>\n<ul>\n<li>Better tools to discover vulnerabilities, especially in legacy code<\/li>\n<li>A hungry and growing commercial market for exploits<\/li>\n<li>AI tools that make the production of exploits easier<\/li>\n<\/ul>\n<p>\u201cAttackers are now using AI to move faster than defenders,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/backdream\/\">Federico Simonetti<\/a>, CTO at zero knowledge networking firm Xiid. \u201cAI is highly effective at finding vulnerabilities and crafting exploits, while at the same time, it\u2019s horribly ineffective at applying any significant level of protection.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Exposure management<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/peledeldan\/?originalSubdomain=il\">Peled Eldan<\/a>, head of research at cloud security firm XM Cyber, believes the surge of vulnerabilities and exploits is a \u201cbyproduct of sprawling cloud estates, rapid migrations, deployment mishaps, misconfigurations, and more.\u201d<\/p>\n<p>\u201cWhile the NVD is still a foundational pillar of cybersecurity, SOC teams need far more than CVE IDs and CVSS scores to meaningfully reduce risk,\u201d Eldan says. \u201cEven if NVD enrichment speeds up, it won\u2019t fix the bigger problem: understanding how vulnerabilities connect with other exposures to create exploitable attack paths.\u201d<\/p>\n<p>This dynamic is fueling vulnerability management\u2019s evolution into exposure management, which treats identity issues and misconfigurations as seriously as code flaws.<\/p>\n<p>\u201cWhen paired with attack surface tools such as breach simulations, pen tests, and red teaming, companies can build attack graphs that visualize how an adversary could reach crown-jewel assets,\u201d Eldan explains. 
\u201cAttack graphs are often used in conjunction with digital twins to simulate and validate that a given remediation strategy eliminates the exposure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Navigating a minefield with a pogo stick<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/ivanmilenkovic\/?originalSubdomain=uk\">Ivan Milenkovic<\/a>, vice president of risk technology for EMEA at cloud security vendor Qualys, says the idea that any organization could, or should, attempt to patch every vulnerability was \u201calways a fallacy.\u201d<\/p>\n<p>\u201cThe explosion in disclosures and the glaring unreliability of public feeds like the NVD haven\u2019t created a new problem; they\u2019ve simply exposed the intellectual bankruptcy of the traditional approach,\u201d Milenkovic tells CSO. \u201cRelying on CVSS scores and chasing CVEs is like trying to navigate a minefield with a pogo stick.\u201d<\/p>\n<p>Rather than relying on a risk-based patching framework, enterprises need a complete operational overhaul based on a <a href=\"https:\/\/www.csoonline.com\/article\/3979418\/what-is-ctem.html\">continuous threat exposure management (CTEM)<\/a> program, Milenkovic advises.<\/p>\n<p><a href=\"https:\/\/www.gartner.com\/en\/articles\/how-to-manage-cybersecurity-threats-not-episodes\">Frameworks like Gartner\u2019s CTEM<\/a> provide security operations center teams with a road map on how to mature their processes to prioritize exposures based on exploitability and business impact \u2014 not just raw severity scores.<\/p>\n<p>\u201cThe fundamental question isn\u2019t, \u2018Is this vulnerability severe?\u2019 but rather, \u2018What is the value at risk to the business, and what is the most capital-efficient way to reduce it?\u2019\u201d Milenkovic, a former CISO, explains.<\/p>\n<p>The objective of what Milenkovic describes as a \u201crisk operations center\u201d approach based on the CTEM concept is to align security with genuine business 
outcomes.<\/p>\n<p>\u201cYour goal is to use a money-minded framework to surgically remediate the 2% of vulnerabilities that pose over 90% of the actual, material risk to your organization,\u201d Milenkovic says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enterprise attack surfaces continue to expand rapidly, with more than 20,000 new vulnerabilities disclosed in the first half of 2025, straining already hard-pressed security teams. Nearly 35% (6,992) of these vulnerabilities have publicly available exploit code, according to the Global Threat Intelligence Index study by threat intel firm Flashpoint. The volume of disclosed vulnerabilities has [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5143,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5142","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5142"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5142"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5142\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5143"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&
post=5142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}