Exploit speeds hit under 24 hours
- Verizon’s 2025 DBIR says vulnerability exploitation jumped 34% year over year and now accounts for 20% of breach initial access — nearly tied with credentials. (verizon.com)
- Google and VulnCheck show the timing problem getting brutal: average time-to-exploit fell to five days in 2023, and 32.1% of exploited CVEs in 1H 2025 were hit on or before disclosure day. (cloud.google.com)
- That changes the operating model. Defenders can’t treat patching as a weekly hygiene task anymore — they need same-day triage, compensating controls, and better edge visibility. (cloud.google.com)

Software vulnerabilities used to give defenders a little breathing room. Not a lot, but enough to read the advisory, test a patch, and schedule the change. That gap is col(verizon.com)racking from VulnCheck all point the same way — attackers are moving from disclosure to usable access so fast that “patch next week” is starting to sound like “probably too late.” (verizon.co([cloud.google.com) shift is that vulnerability exploitation is no longer a secondary path into networks. Verizon’s 2025 DBIR says it rose 34% year over year as an initial access vector and now shows (cloud.google.com)st everything. (verizon.com)

### Why are exploits landing so fast?

Because the patch itself is often the roadmap. Once a vendor ships a fix, skilled attackers can diff the old and new code, spot what changed, and reconstruct the bug. That is not hypothetical anymore — offensive researchers openly describe patch-diffing workflows, and the broader trend data shows the resu(verizon.com) days across 2021–2022. (labs.watchtowr.com)

### Is “under 24 hours” real?

Yes — and sometimes the window is even worse than that. VulnCheck’s 1H 2025 exploitation report says 32.1% of vulnerabilities with newly observed in-the-wild exploitation had evidence of exploitation on or (verizon.com)etimes call one-days — bugs that get burned almost immediately once defenders learn they exist. (wwv.vulncheck.com)

### Where are attackers aiming?

At exposed software and edge systems first. Google Cloud’s threat reporting says software exploitation overtook weak credentials as the leading initial access vector in the second half of 2025 in the incidents i(labs.watchtowr.com)they often sit internet-facing and lack the telemetry defenders have on laptops and servers. (cloud.google.com)

### Why does that hurt defenders so much?

Because patching is only one step in a longer chain. You still have to know the asset exists, know it is exposed, know whethe(wwv.vulncheck.com) Attackers only need one exposed target. Defenders need inventory, prioritization, approvals, and coverage — all before the exploit wave hits. That is why CISA keeps expanding the Known Exploited Vulnerabilities catalog as a live list of bugs already being used in the wild. (cisa.gov)

### Does AI make this worse?

Probably yes, mostly by speeding up the early boring parts. Google’s cloud threat(cloud.google.com)s attack chains moving faster after initial access, with handoffs to secondary operators sometimes happening in under 30 seconds. Different metric, same lesson — the whole intrusion timeline is compressing. (cloud.google.com)

### So what should defenders do differently?

Treat every high-severity internet-facing vulnerability like an active incident until proven otherwise. Patch fast when you can, but don’t wait on (cisa.gov)rotate credentials that may be reachable, add detections, and hunt for signs of compromise immediately. Basically, the patch window is now a containment window. (cloud.google.com)

### Bottom line

The story is not just that exploitation is rising. It is that speed itself has become the advantage. When a meaningful share of exploited bugs are getting hit on disclosure day, the old weekly patch cycle stops being a plan and starts being a liability. (verizon.com)
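
The same-day triage described under "So what should defenders do differently?" can be written down as a small policy, shown here as an added example that is not part of the original article. It assumes a scanner export with the hypothetical fields in `Finding`, a KEV feed in the shape of CISA's JSON (`cveID`, `dateAdded`), constructed placeholder CVE ids, and an assumed middle tier for known-exploited bugs on internal assets.

```python
import json
from typing import NamedTuple

# Constructed sample in the shape of CISA's KEV JSON feed (cveID, dateAdded).
# The CVE ids and dates are placeholders, not real catalog entries.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-02"},
  {"cveID": "CVE-2099-0003", "dateAdded": "2099-01-05"}]}""")

class Finding(NamedTuple):  # hypothetical scanner/inventory row
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    patch_available: bool

# Constructed findings for the demo.
FINDINGS = [
    Finding("build-07", "CVE-2099-0004", 8.1, False, True),
    Finding("wiki-int-02", "CVE-2099-0003", 6.5, False, True),
    Finding("mail-edge-03", "CVE-2099-0002", 7.5, True, True),
    Finding("vpn-gw-01", "CVE-2099-0001", 9.8, True, False),
]

ORDER = {"incident": 0, "same-day": 1, "scheduled": 2}

def triage(findings, kev_feed, high=7.0):
    """Return (tier, finding, actions) tuples, most urgent first."""
    kev = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    rows = []
    for f in findings:
        # No patch yet does not mean wait: fall back to compensating controls.
        fix = "patch now" if f.patch_available else "apply compensating controls"
        if f.internet_facing and (f.cve in kev or f.cvss >= high):
            # Exposed and high-severity or known-exploited: handle as an incident.
            tier, actions = "incident", [fix, "rotate reachable credentials",
                                         "add detections", "hunt for compromise"]
        elif f.cve in kev:
            # Assumed tier: exploited in the wild but not directly exposed.
            tier, actions = "same-day", [fix, "add detections"]
        else:
            tier, actions = "scheduled", ["patch in normal cycle"]
        rows.append((tier, f, actions))
    return sorted(rows, key=lambda r: (ORDER[r[0]], -r[1].cvss))

if __name__ == "__main__":
    for tier, f, actions in triage(FINDINGS, KEV_SAMPLE):
        print(f"{tier:9} {f.asset:13} {f.cve}  " + "; ".join(actions))
```

The internal build host with CVSS 8.1 lands in the scheduled tier while the 6.5 wiki bug is same-day, because exploitation evidence and exposure outrank the raw score in this policy.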