Vulnerability Exploitation Now Takes 1.6 Days, Not Months

Manaal Khan | 1 June 2026 at 8:27 pm | 5 min read
Key Takeaways

Source: BleepingComputer
  • Median exploitation time has collapsed to 1.6 days from 4.2 months in 2023
  • 42% of vulnerabilities are now exploited before patches exist
  • Organizations relying on NVD-only alerts face dangerous delays

The Exploitation Window Has Collapsed

Picture this scenario: a critical remote code execution vulnerability is disclosed in a widely used VPN application. Your vulnerability alert service, assuming you have one, has not yet notified you. Within 24 hours, attackers have already identified and exploited the flaw. By the time your alert arrives, they are inside your network.

This is not a hypothetical. It is the new normal.

1.6 days
The current median time from CVE disclosure to active exploitation in 2026, down from 4.2 months in 2023

The numbers are stark. New vulnerabilities increased by 67% between 2023 and 2025. Exploited vulnerabilities rose by around 30% over the same period. In 2025 alone, 48,185 new CVEs were published. That works out to more than 130 disclosures per day.

But the real problem is not volume. It is speed. When attackers needed months to weaponize a vulnerability, security teams had breathing room. At 1.6 days, that room is gone.

The window between disclosure and exploitation has effectively collapsed; if you aren't automating your alert-to-patch cycle, you've already lost.

— Jen Easterly, Director of CISA

The Negative Window Era

The 1.6-day figure actually understates the problem. According to current research, 42% of vulnerabilities are now being exploited before public disclosure or patch availability. Security researchers call this the "negative window," and it represents a fundamental shift in the attacker-defender dynamic.

In practical terms, a negative window means attackers are not waiting for you to fail at patching. They are not even waiting for the vulnerability to be announced. They are finding and exploiting flaws while vendors are still writing fixes.

In 2026, a vulnerability alert that arrives 24 hours after disclosure is essentially a post-mortem report, not an actionable warning.

— Dr. Sarah Chen, Lead Researcher at the Cyber Strategy Institute

Once attackers gain initial access, they move fast. The average "breakout time" from initial access to lateral movement is now 29 minutes for modern eCrime actors. That is the window between detecting suspicious activity and having attackers entrenched across your network.

Why Traditional Approaches Are Failing

Most businesses underestimate how much software they run. Tracking hundreds or thousands of applications, libraries, and dependencies is overwhelming. A single missed alert or delayed patch can open the door to serious incidents.

Enterprise software inventories often run into the thousands, making manual tracking impossible.

In-house vulnerability management processes often appear cost-effective but cannot keep pace with modern threat velocity. The same problem affects services that rely solely on the National Vulnerability Database. The NVD has experienced significant delays publishing vulnerability information and has stopped processing lower-priority vulnerabilities entirely due to the sheer scale.

Community discussions on HackerNews and Reddit reflect growing frustration with "vulnerability noise." Many security engineers now advocate for filtering based on CISA's Known Exploited Vulnerabilities catalog rather than trying to track every CVE. As one Reddit commenter in r/cybersecurity put it: "If your alert service isn't integrated into the CI/CD pipeline for auto-remediation, it's just a subscription to anxiety."

What Real-Time Alerting Requires

Effective vulnerability alerting in 2026 requires several capabilities that legacy approaches cannot provide:

  • Source-direct intelligence rather than NVD-dependent feeds
  • Filtering by your actual software inventory, not generic categories
  • Immediate delivery through multiple channels
  • Remediation guidance included with the alert itself
Effective filtering reduces noise so teams receive only vulnerabilities relevant to their software stack.
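
The KEV-based filtering engineers advocate above, combined with the inventory filtering and in-alert remediation guidance from this list, can be sketched as follows. This is an added example, not code from the article or from any alerting service; the field names follow CISA's KEV JSON feed, while the CVE IDs, vendors, products, inventory and owning teams are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Field names follow the
# catalog; every CVE ID, vendor and product here is a made-up placeholder.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCorp",
  "product": "ExampleVPN Gateway", "dueDate": "2026-06-20",
  "requiredAction": "Apply vendor mitigations or discontinue use.",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-00002", "vendorProject": "SampleSoft",
  "product": "SampleCMS", "dueDate": "2026-06-05",
  "requiredAction": "Upgrade to the fixed release.",
  "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
  "product": "OtherProduct", "dueDate": "2026-06-10",
  "requiredAction": "Apply updates.",
  "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-00004", "vendorProject": "SAMPLESOFT",
  "product": " SampleCMS ", "dueDate": "2026-05-28",
  "requiredAction": "Disable the affected plugin.",
  "knownRansomwareCampaignUse": "Unknown"}]}""")

# Hypothetical inventory: (vendor, product) -> owning team.
INVENTORY = {("examplecorp", "examplevpn gateway"): "network-team",
             ("samplesoft", "samplecms"): "web-team"}

def norm(name):
    """Case- and whitespace-insensitive key; real feeds need alias handling."""
    return " ".join(name.lower().split())

def match_kev(kev, inventory, today):
    """Return alerts only for KEV entries that hit the inventory, most urgent first."""
    alerts = []
    for v in kev["vulnerabilities"]:
        owner = inventory.get((norm(v["vendorProject"]), norm(v["product"])))
        if owner is None:
            continue  # not in our stack: drop it instead of paging anyone
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        alerts.append({"cve": v["cveID"], "owner": owner, "days_left": days_left,
                       "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
                       "action": v["requiredAction"]})
    # Ransomware-linked entries first, then overdue / nearest due date.
    alerts.sort(key=lambda a: (not a["ransomware"], a["days_left"]))
    return alerts

if __name__ == "__main__":
    for a in match_kev(KEV_SAMPLE, INVENTORY, date(2026, 6, 1)):
        print(a["cve"], a["owner"], a["days_left"], a["action"])
```

Exact vendor/product matching is the simplification here: a production inventory would map to CPE or package identifiers so that naming variants do not cause silent misses.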

Services like SecAlerts, which sponsored the original BleepingComputer report, obtain vulnerability information directly from vendors and researchers rather than waiting for NVD publication. This bypasses the delays that have plagued the national database.

The key advantages of rapid alerting include immediate awareness of emerging threats, reduced exposure windows, faster prioritization of patching and mitigations, and lower probability of financial or data losses.

Multi-channel delivery ensures alerts reach the right people through their preferred medium.

The Business Continuity Equation

This is no longer just an IT problem. With exploitation times measured in hours rather than weeks, vulnerability management has become a primary determinant of business continuity. Critical infrastructure operators face the starkest version of this reality, but any organization handling sensitive data or customer systems is in the same race.

The math is simple. If attackers exploit vulnerabilities faster than you can patch them, you will eventually be compromised. The only variables are when and how badly.

Visual dashboards help security teams prioritize vulnerabilities affecting their specific software inventory.
Frequently Asked Questions

How long do attackers take to exploit new vulnerabilities in 2026?

The median time from CVE disclosure to active exploitation is now 1.6 days, down from 4.2 months in 2023. For 42% of vulnerabilities, exploitation happens before public disclosure.

Why is the National Vulnerability Database experiencing delays?

The NVD has been overwhelmed by the volume of new CVEs, now exceeding 130 per day. It has experienced significant publishing delays and stopped processing lower-priority vulnerabilities entirely.

What is breakout time in cybersecurity?

Breakout time is the interval between an attacker's initial access and their lateral movement to other systems. Modern eCrime actors average 29 minutes, giving defenders a very short window to detect and contain intrusions.

What is a negative exploitation window?

A negative window occurs when attackers exploit a vulnerability before it is publicly disclosed or patched. In 2026, 42% of vulnerabilities fall into this category.

Manaal Khan

Tech & Innovation Writer