KEV shows patching lag
An analysis of one billion CISA Known Exploited Vulnerabilities (KEV) remediation records found most critical flaws are being exploited before defenders can patch them, underscoring that patching alone is losing the race to adversaries. The practical takeaway pushed in the same briefing was to treat vulnerability status as a live input into identity analytics—correlating KEV exposure with privileged logins, first‑seen sign‑ins, and asset criticality to surface higher‑risk identity events. (bleepingcomputer.com)
A software flaw is like a broken lock on a building, and a patch is the replacement part. The problem in this new data is that attackers are often getting through the door before the replacement part even arrives. (blog.qualys.com)

Qualys said it analyzed more than 1 billion remediation records across 10,000 organizations from 2022 through 2025. Its conclusion was blunt: this is not mainly a speed problem for security teams, but a structural problem in how patching works at scale. (blog.qualys.com)

The data set tracks flaws from the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. That catalog is the federal government’s running list of software bugs that have already been used in real attacks. (cisa.gov) For federal civilian agencies, the catalog is not just advice. Binding Operational Directive 22-01 requires those agencies to fix listed flaws by deadlines set by the Cybersecurity and Infrastructure Security Agency. (cisa.gov)

What makes the new study uncomfortable is the timing. Qualys said most critical Known Exploited Vulnerabilities are being exploited before defenders can patch them, which means the usual “find bug, open ticket, wait for maintenance window” routine is losing the race. (bleepingcomputer.com)

You can see that race in a recent example. BeyondTrust disclosed a critical operating system command injection flaw on February 2, 2026, after detecting anomalous activity on January 31, and the company said its cloud customers were patched automatically while self-hosted customers had to apply fixes themselves. (beyondtrust.com) By February 13, 2026, the Cybersecurity and Infrastructure Security Agency had added that BeyondTrust flaw, tracked as Common Vulnerabilities and Exposures identifier CVE-2026-1731, to the Known Exploited Vulnerabilities catalog because there was evidence of active exploitation. That is the exact nightmare scenario for defenders: exploitation first, cleanup second. (cisa.gov)

A patch only helps after three separate things happen: the vendor ships it, the defender tests it, and the defender installs it on the right machine. Attackers only need one exposed system and one working exploit chain. (blog.qualys.com)

That is why the practical advice in the same briefing shifted away from treating vulnerability data as a static spreadsheet. The recommendation was to feed Known Exploited Vulnerabilities status directly into identity monitoring, so a risky machine also makes the login tied to it look riskier. (bleepingcomputer.com) In plain terms, a privileged login on a server with a known exploited flaw should not be scored the same way as a privileged login on a fully patched laptop. The same goes for a first-seen sign-in hitting a critical asset that is still exposed to a flaw already being used in the wild. (bleepingcomputer.com)

The shift here is from asking “Was the patch applied yet?” to asking “Who is touching the exposed system right now?” When patching lags behind exploitation, the fastest useful signal may be the identity event that lands on the vulnerable box before the maintenance team gets there. (blog.qualys.com)
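As an added example, not code from Qualys, CISA or the reporting above, here is a small Python scorer that treats KEV status as a live input to identity analytics: the same privileged or first-seen sign-in scores higher when it lands on a host with an unpatched KEV entry, scaled by asset criticality, and higher again once the catalog's remediation due date has passed. The feed subset, inventory, host names, users and the due date are constructed; the feed field names are assumed to follow the public KEV JSON catalog.

```python
import json
from datetime import date

# Constructed KEV feed subset (assumed field names; dueDate is a placeholder).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
     "dateAdded": "2026-02-13", "dueDate": "2026-03-06"}]})

# Constructed inventory: criticality 1 (low) to 3 (crown jewel), unpatched CVEs per host.
ASSETS = {"srv-bt-01": {"criticality": 3, "open_cves": {"CVE-2026-1731"}},
          "lt-0042": {"criticality": 1, "open_cves": set()}}

# Constructed sign-in events, in the shape an identity platform might emit.
EVENTS = [
    {"user": "alice", "host": "srv-bt-01", "privileged": True, "first_seen": False, "when": "2026-03-10"},
    {"user": "alice", "host": "lt-0042", "privileged": True, "first_seen": False, "when": "2026-03-10"},
    {"user": "bob", "host": "srv-bt-01", "privileged": False, "first_seen": True, "when": "2026-03-10"}]

def load_kev(feed_json):
    """Map each KEV CVE id to its remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(feed_json)["vulnerabilities"]}

def score_event(event, assets, kev):
    """Score 0-100 plus reasons; identity signals count double on a KEV-exposed host."""
    asset = assets[event["host"]]
    exposed = sorted(asset["open_cves"].intersection(kev))
    weight = 2 if exposed else 1
    score, reasons = 0, []
    if exposed:
        score += 15 * asset["criticality"]
        reasons.append("unpatched KEV entry: " + ", ".join(exposed))
        if any(date.fromisoformat(event["when"]) > kev[c] for c in exposed):
            score += 10
            reasons.append("past KEV remediation due date")
    if event["privileged"]:
        score += 20 * weight
        reasons.append("privileged login")
    if event["first_seen"]:
        score += 15 * weight
        reasons.append("first-seen sign-in")
    return min(score, 100), reasons

def triage(events, assets, kev):
    """Return (score, user, host) tuples, highest risk first."""
    return sorted(((score_event(e, assets, kev)[0], e["user"], e["host"])
                   for e in events), reverse=True)

if __name__ == "__main__":
    for row in triage(EVENTS, ASSETS, load_kev(KEV_FEED)):
        print(row)
```

Alice's privileged login scores 95 on the exposed server but only 20 on the patched laptop, which is the asymmetry the briefing argues for.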