Exploits outpacing patching
Research warns that manual remediation cannot keep up now that exploit timelines have hit “negative one day,” meaning exploitation begins before a patch exists. Adobe patched an actively exploited Acrobat Reader flaw (CVE‑2026‑34621), CISA added mobile‑device‑management and endpoint‑management flaws to its Known Exploited Vulnerabilities catalog, and OpenAI revoked a macOS code‑signing certificate after a build workflow pulled in a malicious Axios package, showing exploitation across desktop apps, MDM servers and software supply chains. (itwire.com) (securityaffairs.com) (thehackernews.com)
Attackers are now exploiting some software flaws before defenders can patch them, and the gap is showing up at Adobe, on federal warning lists, and in software build pipelines. (qualys.com) (cisa.gov) (openai.com)

Qualys said its 2026 report analyzed more than 1 billion remediation records for vulnerabilities in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, drawn from 10,000 organizations from 2022 through 2025. The company said manual remediation failed to keep pace with attackers 88% of the time for the most critical, actively weaponized flaws it studied. (qualys.com) The report said half of those vulnerabilities were weaponized before a patch existed, a timeline Qualys described as “negative one day.” It also said that among organizations that had operationalized remediation, 15% had already patched a flaw by the time it was added to the federal catalog. (qualys.com)

A software vulnerability is a defect an attacker can use to gain access or run code, and patching is the vendor’s repair process after the flaw is found. When exploitation starts before that repair is available, security teams are left relying on workarounds, network blocks, or rapid software replacement instead of routine updates. (nvd.nist.gov) (qualys.com)

Adobe’s latest example is CVE-2026-34621, a flaw in Acrobat Reader that the National Vulnerability Database says can lead to arbitrary code execution if a user opens a malicious file. The database lists affected Acrobat Reader versions as 24.001.30356, 26.001.21367, and earlier, and shows the record was published on April 11, 2026 and modified on April 12, 2026. (nvd.nist.gov)

The federal catalog that tracks real-world exploitation also grew last week. The Cybersecurity and Infrastructure Security Agency added Ivanti Endpoint Manager Mobile flaw CVE-2026-1340 on April 8, 2026 and Fortinet FortiClient Enterprise Management Server flaw CVE-2026-35616 on April 6, 2026, with remediation deadlines of April 11 and April 9 for federal agencies. (cisa.gov)
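The two timing measures above (fixed before the catalog listing versus still open past the due date) can be computed directly from CISA’s KEV JSON feed and a patch-tracking export. The script below is an added example, not code from Qualys, CISA or the article; the KEV sample uses the real feed’s field names with the two entries named in this story, and the patch-tracking records and the current date are constructed for illustration. Note that it measures patch lag against the KEV listing date, which is what the 15% figure refers to; measuring “negative one day” exploitation timing would require exploit-first-seen dates that the KEV feed does not carry.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as in
# the real feed; only the two additions the article names are included).
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2026-04-08", "dueDate": "2026-04-11"},
        {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
         "product": "FortiClient Enterprise Management Server (EMS)",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-09"},
    ],
})

# Constructed patch-tracking export (hypothetical inventory): ISO date on which
# the fix was fully deployed across the fleet, or None if still open.
PATCH_RECORDS = {
    "CVE-2026-1340": "2026-04-07",   # fixed the day before the KEV listing
    "CVE-2026-35616": None,          # still unremediated
}


def load_kev(feed_text: str) -> dict:
    """Index KEV entries by CVE ID with parsed listing and due dates."""
    feed = json.loads(feed_text)
    out = {}
    for v in feed["vulnerabilities"]:
        out[v["cveID"]] = {
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "product": f'{v["vendorProject"]} {v["product"]}',
        }
    return out


def remediation_status(kev: dict, patches: dict, today_iso: str) -> dict:
    """Per CVE: days between KEV listing and fix (negative = fixed before the
    listing, None = not fixed) and whether the KEV due date was missed."""
    today = date.fromisoformat(today_iso)
    report = {}
    for cve, entry in kev.items():
        fixed_iso = patches.get(cve)
        if fixed_iso is None:
            lag = None
            overdue = today > entry["due"]
        else:
            fixed = date.fromisoformat(fixed_iso)
            lag = (fixed - entry["added"]).days
            overdue = fixed > entry["due"]
        report[cve] = {"lag_days": lag, "overdue": overdue,
                       "product": entry["product"]}
    return report


def summarize(report: dict) -> dict:
    """Headline counts in the style of the Qualys metrics quoted above."""
    rows = report.values()
    return {
        "total": len(report),
        "fixed_by_listing": sum(1 for r in rows
                                if r["lag_days"] is not None and r["lag_days"] <= 0),
        "unpatched": sum(1 for r in rows if r["lag_days"] is None),
        "overdue": sum(1 for r in rows if r["overdue"]),
    }


if __name__ == "__main__":
    kev = load_kev(KEV_FEED)
    rep = remediation_status(kev, PATCH_RECORDS, "2026-04-12")
    for cve, r in sorted(rep.items()):
        state = "OPEN" if r["lag_days"] is None else f'{r["lag_days"]:+d}d vs listing'
        flag = " OVERDUE" if r["overdue"] else ""
        print(f'{cve:16} {r["product"]:48} {state}{flag}')
    print(summarize(rep))
```

Against the real feed, replace `KEV_FEED` with the contents of CISA’s `known_exploited_vulnerabilities.json` and `PATCH_RECORDS` with an export from the patch-management system; the `overdue` flag on open items is the list to escalate, and a negative `lag_days` is what an operationalized programme looks like in the data.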
Ivanti Endpoint Manager Mobile is mobile device management software, the administrative system companies use to control phones and tablets from a central console. The Cybersecurity and Infrastructure Security Agency said CVE-2026-1340 could allow unauthenticated remote code execution, meaning an attacker would not need a valid account to run code on an exposed server. (cisa.gov)

The same pressure is hitting software supply chains, where build systems automatically download third-party code and run it. OpenAI said on April 10, 2026 that a GitHub Actions workflow in its macOS app-signing process downloaded and executed malicious Axios version 1.14.1 on March 31, 2026 Coordinated Universal Time. (openai.com) OpenAI said the workflow had access to a certificate and notarization material used to sign ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas for macOS. The company said it found no evidence that user data, internal systems, intellectual property, or published software were compromised, but it revoked and rotated the certificate anyway. (openai.com)

That certificate is what macOS checks to confirm an app comes from an identified developer; code that ran in the same workflow could have read it, and a copy in an attacker’s hands would let them sign malware that passes that check, which is why revocation is the safe response even without evidence of theft. OpenAI said older versions of its macOS desktop apps will stop receiving updates or support, and may not function, after May 8, 2026. (openai.com)

The pattern across these cases is that defenders are no longer racing only to deploy patches after a vendor release. They are also racing to detect live exploitation, isolate exposed systems, and replace trust material such as signing certificates before attackers can reuse it. (qualys.com) (cisa.gov) (openai.com)
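The Axios incident above is the build-pipeline failure mode: a lockfile resolves a dependency to a version that was malicious at the moment the workflow ran. The script below is an added example, not OpenAI’s code or any part of its published fix, that audits an npm project offline for two things: any installed copy of a package, including nested duplicates, whose version is on a known-bad list, and any top-level specifier that is a range rather than an exact pin. The known-bad entry is the Axios 1.14.1 version the article reports; the `package.json` and `package-lock.json` contents are constructed for a hypothetical project, and the nested 1.13.0 copy is invented to show that nested copies are checked too.

```python
import json
import re

# Versions reported as malicious. Only the Axios version named in the OpenAI
# statement is listed here; in practice this comes from an advisory feed.
KNOWN_BAD = {"axios": {"1.14.1"}}

# Constructed package.json for a hypothetical signing-helper project.
PACKAGE_JSON = json.dumps({
    "name": "sign-macos-app", "version": "0.0.1",
    "dependencies": {"axios": "^1.14.0", "tiny-helper": "1.0.0"},
})

# Constructed package-lock.json in the lockfileVersion 3 layout, where every
# installed copy is keyed by its node_modules path (nested copies included).
PACKAGE_LOCK = json.dumps({
    "name": "sign-macos-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0", "tiny-helper": "1.0.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"},
        "node_modules/tiny-helper": {"version": "1.0.0"},
        # hypothetical nested copy pulled in by tiny-helper
        "node_modules/tiny-helper/node_modules/axios": {"version": "1.13.0"},
    },
})

EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?")


def installed_versions(lock_text: str) -> list:
    """Return (name, version, lockfile path) for every installed copy.
    Handles lockfileVersion 2/3 ('packages' map) and v1 (nested 'dependencies')."""
    lock = json.loads(lock_text)
    found = []
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "" or "version" not in entry:
                continue  # root project entry or link without a version
            name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            found.append((name, entry["version"], path))
        return found

    def walk_v1(deps: dict, prefix: str) -> None:
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            found.append((name, entry["version"], path))
            walk_v1(entry.get("dependencies", {}), path + "/")

    walk_v1(lock.get("dependencies", {}), "")
    return found


def unpinned_specifiers(pkg_text: str) -> list:
    """Top-level specifiers that are not an exact version (^, ~, ranges, x, *, tags)."""
    pkg = json.loads(pkg_text)
    out = []
    for field in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if not EXACT_VERSION.fullmatch(spec):
                out.append((name, spec))
    return out


def audit(pkg_text: str, lock_text: str, known_bad: dict) -> dict:
    """Cross-check every installed copy against the bad-version list and report
    range specifiers that would let a fresh install drift to a new version."""
    hits = [(n, v, p) for n, v, p in installed_versions(lock_text)
            if v in known_bad.get(n, set())]
    return {"bad_versions": hits, "unpinned": unpinned_specifiers(pkg_text)}


if __name__ == "__main__":
    result = audit(PACKAGE_JSON, PACKAGE_LOCK, KNOWN_BAD)
    for name, version, path in result["bad_versions"]:
        print(f"BAD  {name}@{version} installed at {path}")
    for name, spec in result["unpinned"]:
        print(f"WARN {name} specifier '{spec}' is a range, not a pin")
```

Run it as a CI gate before `npm ci`: a non-empty `bad_versions` should fail the job, and `unpinned` is the list to convert to exact pins. The lockfile check only protects a pipeline that installs from the lockfile, so a workflow step that runs plain `npm install` or resolves a range at build time can still pick up a newer version than the one audited.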