Vulnerability flood outpaces patching
- Ariel Parnes argued on May 8 that AI-driven bug discovery has broken the old “patch fast enough” model, with Anthropic’s Mythos finding thousands of unpatched flaws.
- CISA’s Known Exploited Vulnerabilities catalog now lists 1,590 in-the-wild bugs, while NVD shows more than 331,000 CVE records and 24,020 received this year.
- The shift matters because attacks are landing faster than remediation, pushing defenders toward exposure management, detection, and OT asset inventories.
Software vulnerability management just crossed from hard into structurally broken. That is the real story here. A new commentary from Ariel Parnes at SC Media on May 8 used Anthropic’s Mythos testing results as the sharpest example yet — thousands of zero-days found in weeks, with more than 99% still unpatched when disclosed. That did not create the problem, but it made the gap impossible to ignore.

### Why does patching stop working?

Because the inflow is outrunning the repair crew. The CVE program now has more than 331,000 published records, and NIST’s National Vulnerability Database shows 24,020 CVEs received so far in 2026 alone. CISA’s Known Exploited Vulnerabilities catalog — the short list of bugs already used in real attacks — stood at 1,590 entries when checked today. That means defenders are not choosing from a neat queue of known issues. They are triaging a flood. (scworld.com)

### What changed this year?

AI made discovery cheaper and faster. Parnes points to Mythos as the moment the industry had to say the quiet part out loud: even if patching was already lagging, machine-speed discovery widens the gap further. The catch is that disclosure helps defenders and attackers at the same time. Once a flaw is named, scored, and turned into scanner signatures, everyone gets the map. (cve.org)

### Are attackers really getting in through vulnerabilities?

Yes — and not as a niche path. Verizon’s 2025 DBIR says exploited vulnerabilities reached 20% of breach initial access, nearly level with credential abuse at 22%. Mandiant’s M-Trends 2025 goes further: exploits were the most common initial infection vector for the fifth straight year, showing up in 33% of cases. Basically, the old advice to “just patch better” is colliding with how intrusions actually start. (scworld.com)

### So what replaces “patch everything”?

Prioritization, detection, and containment. CISA explicitly says the KEV catalog should feed a vulnerability prioritization framework, not a fantasy of universal immediate remediation. Mandiant’s practical advice lines up with that — deploy stronger detection, scan continuously, prioritize by risk, and rehearse response. The point is not that patching no longer matters. It does. But patching is now one control inside a broader exposure-management loop. (its.ny.gov)

### Why does this hit power and industrial projects harder?

Because OT systems age badly and change slowly. CISA’s OT asset inventory guidance from August 2025 says owners and operators need a regularly updated inventory plus a taxonomy that classifies assets by function and criticality. In plain English, if you do not know which PLC, gateway, firewall, HMI, battery controller, or firmware version you own, you cannot prioritize fixes or respond cleanly when something breaks. (cisa.gov)

### What should handover teams actually document?

Three things first — firmware, ownership, and response. Firmware versions tell you whether a device is exposed. Account ownership tells you who can touch it. Response plans tell you what happens when a controller cannot be patched on normal IT timelines. That is especially important for SCADA, BESS controls, and other networked field devices that may sit in service for years. CISA’s asset-life-cycle framing is basically a warning against commissioning assets with no cyber paper trail. (cisa.gov)

### Where is this heading?

Toward a world where defenders assume some exploitable flaws will remain open. That shifts money and attention toward exposure management, anomaly detection, segmentation, and faster incident response. The vulnerability flood is not a temporary backlog. It is the new operating environment. (scworld.com) (cisa.gov)
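To make the "KEV feeds prioritization" and "inventory by function and criticality" points concrete, here is an added illustration (not code from the article, CISA, or Mandiant) that ranks scanner findings using a KEV excerpt and an OT asset taxonomy. The KEV rows, assets, findings, and placeholder CVE-0000-* ids are constructed, and the scoring weights are assumptions, not a published framework.

```python
"""Rank findings with a KEV excerpt plus an OT function/criticality taxonomy.
Added illustration; KEV rows mirror the catalog's cveID/dueDate/
knownRansomwareCampaignUse fields but are constructed, and weights are assumed.
"""

# Constructed KEV excerpt keyed by cveID (CVE-0000-* are placeholders).
KEV = {
    "CVE-0000-0001": {"dueDate": "2026-05-20", "knownRansomwareCampaignUse": "Known"},
    "CVE-0000-0002": {"dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Unknown"},
}

# Constructed OT inventory: function/criticality taxonomy, firmware, owner,
# and whether the device can be patched on a normal IT timeline.
CRITICALITY = {"safety": 3, "control": 2, "monitoring": 1}
ASSETS = {
    "plc-01": {"function": "safety", "firmware": "2.1.0", "owner": "ot-team", "patchable": False},
    "hmi-03": {"function": "control", "firmware": "5.4.2", "owner": "ot-team", "patchable": True},
    "hist-01": {"function": "monitoring", "firmware": "1.0", "owner": "it-team", "patchable": True},
}

# Constructed scanner findings: (CVE id, asset id).
FINDINGS = [("CVE-0000-0003", "plc-01"), ("CVE-0000-0001", "hmi-03"),
            ("CVE-0000-0001", "plc-01"), ("CVE-0000-0002", "hist-01")]


def score(cve, asset_id, today):
    """Higher means act sooner: KEV membership dominates, then asset criticality.
    `today` is an ISO date string; ISO dates compare chronologically as text."""
    s = CRITICALITY[ASSETS[asset_id]["function"]]
    kev = KEV.get(cve)
    if kev:
        s += 10                                      # exploited in the wild
        if kev["knownRansomwareCampaignUse"] == "Known":
            s += 3
        if kev["dueDate"] <= today:
            s += 5                                   # past the KEV due date
    return s


def triage(findings, today):
    """Return (cve, asset, owner, score, action) rows, highest priority first."""
    rows = []
    for cve, asset_id in findings:
        asset = ASSETS[asset_id]
        # Unpatchable field devices get a compensating control, not a patch ticket.
        action = "patch" if asset["patchable"] else "segment+monitor"
        rows.append((cve, asset_id, asset["owner"], score(cve, asset_id, today), action))
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))
```

A non-KEV finding on the safety PLC ranks below a KEV entry on a monitoring host, which is the intended effect of letting in-the-wild exploitation dominate until criticality breaks ties.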