Patch speed can’t match exploitation
An analysis of one billion CISA Known Exploited Vulnerability remediation records found that most critical flaws are weaponised before defenders can patch them, exposing the limits of human-driven response. The finding highlights why automation and prioritisation are becoming essential parts of security operations for large distributed estates (bleepingcomputer.com).
A software flaw is a broken lock in code, and a patch is the replacement part vendors ship after they find the lock is bad. This new data says attackers are often already inside the house before the replacement part even exists. (qualys.com)

The dataset behind that claim is huge: more than 1 billion remediation records from 10,000 organizations, covering the years 2022 through 2025. Qualys says it focused on vulnerabilities from the United States Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, which is the government list of flaws already seen in real attacks. (qualys.com) (cisa.gov)

The Known Exploited Vulnerabilities catalog is not a list of theoretical bugs. The Cybersecurity and Infrastructure Security Agency adds entries when there is evidence the flaw has been exploited in the wild and a concrete action defenders can take. (cisa.gov) That is why federal agencies get hard deadlines under Binding Operational Directive 22-01. When the Cybersecurity and Infrastructure Security Agency adds a flaw to the catalog, Federal Civilian Executive Branch agencies are required to fix it within a set timeframe instead of leaving it in the general patch queue. (cisa.gov)

The surprise in the new analysis is the timing. Qualys says the average time to exploit has fallen to negative one day, which means attackers are weaponizing some critical flaws before a patch is publicly available. (cdn2.qualys.com) (bleepingcomputer.com) In its sample of 52 high-profile weaponized vulnerabilities with complete timelines, Qualys says 88 percent were remediated more slowly than they were exploited. It also says half were weaponized before public disclosure, which means some defenders were starting the race after the starter pistol had already fired. (cdn2.qualys.com)

The volume is moving the wrong way too. Qualys says closed critical vulnerabilities rose from 73 million in 2022 to 473 million in 2025, but the share still open at Day 7 and Day 30 got worse instead of better. (cdn2.qualys.com) That points to a scale problem, not a laziness problem. A bank, hospital, retailer, or government agency can run tens of thousands of servers, laptops, cloud workloads, and network devices, and every patch has to be tested so it does not break payroll, patient systems, or production apps. (qualys.com) (cisa.gov)

The old model was built for a slower internet, where security teams could review tickets by hand and schedule maintenance windows over days or weeks. Qualys argues that model fails when attackers can scan the internet, build exploits, and hit exposed systems in hours. (qualys.com) (bleepingcomputer.com)

That is why the conversation is shifting from “patch everything” to “fix the few things attackers can actually reach first.” The Cybersecurity and Infrastructure Security Agency explicitly tells organizations to use the Known Exploited Vulnerabilities catalog as an input to prioritization, not as just another spreadsheet to file away. (cisa.gov)

The practical answer is more automation in the middle of the process: automatically finding exposed systems, mapping which assets are internet-facing, pushing the right fix, and checking whether the fix really landed. Without that closed loop, a human team can still work hard and lose, simply because the clock is now running faster than people can click. (qualys.com) (bleepingcomputer.com)
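To make that prioritization loop concrete, here is an added Python example (not code from Qualys, CISA, or the cited articles) that uses the Known Exploited Vulnerabilities catalog as the ranking input: internet-facing assets first, then earliest catalog due date, plus the Day-7/Day-30 "still open" share the analysis reports on. The catalog excerpt uses the field names of CISA's public JSON feed (cveID, dateAdded, dueDate), but every CVE id, host name, and date below is a constructed placeholder.

```python
from datetime import date

# Constructed KEV excerpt: field names follow CISA's JSON feed, values are placeholders.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-01", "dueDate": "2025-03-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
]}

# Constructed inventory: each asset lists the CVEs a scanner reported as open.
ASSETS = [
    {"host": "vpn-edge-01", "internet_facing": True,  "open_cves": ["CVE-0000-0002", "CVE-0000-9999"]},
    {"host": "hr-db-02",    "internet_facing": False, "open_cves": ["CVE-0000-0001"]},
    {"host": "web-03",      "internet_facing": True,  "open_cves": ["CVE-0000-0001"]},
    {"host": "build-04",    "internet_facing": False, "open_cves": ["CVE-0000-9999"]},
]


def kev_index(catalog):
    """Map cveID -> dueDate (as a date) for every catalog entry."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}


def prioritize(assets, catalog, today):
    """Return (host, cve, days_to_due) for KEV-listed findings only.

    Order: internet-facing assets first, then earliest due date, then host.
    Overdue findings carry a negative days_to_due and therefore sort to the front.
    Findings for CVEs not in the catalog (e.g. CVE-0000-9999) are left out of the queue.
    """
    due = kev_index(catalog)
    exposure = {a["host"]: a["internet_facing"] for a in assets}
    work = [(a["host"], cve, (due[cve] - today).days)
            for a in assets for cve in a["open_cves"] if cve in due]
    return sorted(work, key=lambda w: (not exposure[w[0]], w[2], w[0]))


def still_open_share(records, horizon_days, today):
    """Share of findings not closed within horizon_days of being catalogued.

    records: (date_added, date_closed_or_None). Only findings old enough to have
    reached the horizon are counted, so a Day-30 view ignores findings added last week.
    """
    eligible = [(a, c) for a, c in records if (today - a).days >= horizon_days]
    if not eligible:
        return 0.0
    late = sum(1 for a, c in eligible if c is None or (c - a).days > horizon_days)
    return late / len(eligible)
```

Feeding the real catalog means replacing KEV_SAMPLE with the parsed JSON from CISA's feed and ASSETS with scanner output; the ranking and the Day-N metric stay the same.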