{"id":7758,"date":"2026-04-09T09:01:00","date_gmt":"2026-04-09T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7758"},"modified":"2026-04-09T09:01:00","modified_gmt":"2026-04-09T09:01:00","slug":"patch-windows-collapse-as-time-to-exploit-accelerates","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7758","title":{"rendered":"Patch windows collapse as time-to-exploit accelerates"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The gap between vulnerability disclosure and exploitation is drastically decreasing, putting security teams\u2019 patching practices on notice.<\/p>\n<p>According to <a href=\"https:\/\/www.rapid7.com\/research\/report\/global-threat-landscape-report-2026\/\">Rapid7\u2019s latest Cyber Threat Landscape Report<\/a>, confirmed exploitation of newly disclosed high- and critical-severity vulnerabilities (CVSS 7-10) increased 105% year over year to 146 in 2025, up from 71 in 2024.<\/p>\n<p>Moreover, the median time from vulnerability publication to CISA Known Exploited Vulnerabilities (KEV) inclusion dropped from 8.5 days to 5.0 days, with mean time-to-exploit dropping from 61.0 days to 28.5 days. 
Zero-day exploits have <a href=\"https:\/\/www.csoonline.com\/article\/4141519\/zero-day-exploits-hit-enterprises-faster-and-harder.html\">also been hitting enterprises faster and harder<\/a>, according to a recent report from Google Threat Intelligence Group.<\/p>\n<p>The result is a threat ecosystem that sees twice as many high-impact flaws exploited in half the time \u2014 a troubling development for cyber defense.<\/p>\n<h2 class=\"wp-block-heading\">Cybercrime industrial complex<\/h2>\n<p>Industrialization of the cybercrime ecosystem and increased abuse of AI tools to find and exploit vulnerabilities are key drivers of the increased pace of vulnerability exploitation, according to Rapid7 and other industry observers quizzed by CSO.<\/p>\n<p>\u201cInitial access brokers now sell directly to ransomware groups, creating a clear incentive to weaponize new vulnerabilities, harvest credentials, and monetize access,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/stephenfewer\/\">Stephen Fewer<\/a>, senior principal researcher at Rapid7, the firm behind the popular Metasploit penetration-testing tool. \u201cThis has accelerated both the pace and sophistication of their operations.\u201d<\/p>\n<p>For attackers, familiarity with the target and the technologies involved can greatly reduce the challenge of developing exploits \u2014 a factor that is driving repeated exploitation of many enterprise software targets.<\/p>\n<p>AI adoption is another important factor in the increased pace of vulnerability discovery and exploitation because it <a href=\"https:\/\/www.csoonline.com\/article\/3632268\/gen-ai-is-transforming-the-cyber-threat-landscape-by-democratizing-vulnerability-hunting.html\">facilitates the process of uncovering software bugs<\/a>.<\/p>\n<p>\u201cIt [AI] enables threat actors to close skill gaps and significantly increases operational throughput,\u201d Fewer says. 
\u201cIn practice, AI provides a tactical advantage in analyzing newly disclosed vulnerabilities and generating exploit code at speed.\u201d<\/p>\n<h2 class=\"wp-block-heading\">N-day exploitation<\/h2>\n<p>Rapid7 Labs validated its findings about a more febrile threat environment by producing both n-day and zero-day exploits using AI-assisted research, substantially reducing development time.<\/p>\n<p>In practice, n-day bugs \u2014 or the development of exploits against patched software \u2014 are a bigger problem than headline-grabbing zero-day vulnerabilities, adds Leeann Nicolo, incident response lead at\u00a0Coalition, a technology firm that specializes in cyber insurance and cybersecurity tools.<\/p>\n<p>\u201cOur incident response team hasn\u2019t seen a lot of zero-day vulnerabilities exploited lately. Instead, threat actors are hitting known issues that already have patches,\u201d Nicolo says.<\/p>\n<p>Other industry experts confirmed that Rapid7\u2019s findings reflect what they too are seeing on the ground.<\/p>\n<p>\u201cThe patch window has effectively collapsed,\u201d says <a href=\"https:\/\/www.veracode.com\/leadership\/chris-wysopal\/\">Chris Wysopal<\/a>, co-founder and chief security evangelist at application security firm Veracode. \u201cThat is not a gradual trend; it\u2019s a structural break.\u201d<\/p>\n<p>One driver for the increased pace of exploitation is that every patch now acts like a roadmap for attackers, Wysopal says.<\/p>\n<p>\u201cOnce a fix ships, attackers can differentiate the patch, isolate the vulnerable code path, and use automation and AI to generate working exploit paths far faster than enterprises can test and deploy the fix,\u201d says Wysopal. 
\u201cIn other words, disclosure increasingly starts the race, and defenders are already behind when the starting gun fires.\u201d<\/p>\n<p>In addition, <a href=\"https:\/\/www.csoonline.com\/article\/3842489\/companies-are-drowning-in-high-risk-software-security-debt-and-the-breach-outlook-is-getting-worse.html\">AppSec debt<\/a> widens the exposure window even when a patch exists.<\/p>\n<p>\u201cEnterprises are still carrying too much legacy code, too many internet-facing dependencies, and too many fragile change processes to remediate at machine speed,\u201d Wysopal says. \u201cIf the organization needs days or weeks to inventory exposure, assess blast radius, test, get approvals, and deploy, then it is operating on a calendar while attackers are operating on a clock.\u201d<\/p>\n<p>Another big issue is the industrialization of vulnerability exploitation.<\/p>\n<p>AI compresses exploit development and lowers the skill barrier, while the cybercrime market removes friction by creating a well-oiled production line that incorporates researchers, brokers, access sellers, botnet operators, and ransomware affiliates.<\/p>\n<p>\u201c[This] assembly-line model means more vulnerabilities move from disclosure to usable attack paths almost immediately,\u201d according to Wysopal.<\/p>\n<h2 class=\"wp-block-heading\">Secure-by-design imperative<\/h2>\n<p>The real response to these challenges ought to be in reducing the amount of exploitable software reaching production in the first place rather than encouraging CISOs to \u201cpatch faster.\u201d<\/p>\n<p>Secure-by-design engineering, aggressive pre-release testing by top-tier bug hunters, architectural mitigations that shrink whole bug classes, and the ability to rebuild or isolate exposed systems quickly are all necessary but perhaps insufficient.<\/p>\n<p>The old assumption that defenders get a grace period after disclosure is no longer credible, according to Wysopal.<\/p>\n<p>\u201cWe are watching the collapse of the 
traditional patch window in real-time,\u201d Wysopal emphasizes. \u201cSecure by design is the only sustainable response, because once disclosure happens, the attacker\u2019s clock is already ticking.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The gap between vulnerability disclosure and exploitation is drastically decreasing, putting security teams\u2019 patching practices on notice. According to Rapid7\u2019s latest Cyber Threat Landscape Report, confirmed exploitation of newly disclosed high- and critical-severity vulnerabilities (CVSS 7-10) increased 105% year over year to 146 in 2025, up from 71 in 2024. Moreover, the median time from vulnerability publication [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7758","post","type-post","status-publish","format-standard","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7758"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7758"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7758\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags
&post=7758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}