Exploit timelines collapsed

Rapid7’s dataset shows the count of exploited high- and critical-severity CVEs rose from 71 in 2024 to 146 in 2025. (rapid7.com) The report documents a sharp shortening in time-to-catalog: the mean interval for a vulnerability to reach CISA’s Known Exploited Vulnerabilities list fell from 61.0 days to 28.5 days. (rapid7.com) Valid accounts lacking robust multi‑factor authentication were the single largest initial access vector, appearing in 43.9% of Rapid7 incident response investigations in 2025. (rapid7.com) Ransomware featured in 42% of Rapid7’s MDR incident response cases in 2025, while public leak-site activity increased from 6,034 posts in 2024 to 8,835 in 2025, a 46.4% year‑over‑year rise. (rapid7.com) Rapid7 combined vulnerability publication records, MDR telemetry, dark‑web monitoring and nation‑state intelligence to correlate exposure to actual compromise across its analysis. (rapid7.com) The report highlights a decline in the pool of “high‑risk but not yet exploited” CVEs as threat actors increasingly operationalized high‑probability vulnerabilities within the observation window used by Rapid7. (rapid7.com) Rapid7 frames its conclusions around the need for preemptive security operations and tighter integration of curated intelligence and automation into vulnerability management workflows. (rapid7.com)