Patch race is losing to exploits

Analysis of one billion CISA KEV remediation records shows many critical flaws are being exploited before defenders can patch them, illustrating the limits of human‑scale patching and the need for prioritisation and compensating controls. Security commentary from recent podcasts echoed the same point: faster vuln discovery plus slow enterprise change windows creates exploitable exposure windows. (bleepingcomputer.com) (securityweekly.com)

A software patch is a repair kit for a bug, and most company security programs still treat patching like a weekly maintenance job. Attackers do not: they treat a newly exposed bug like an unlocked door and often move before the repair crew even gets the parts. (blog.qualys.com)

That gap showed up in a huge new dataset from Qualys: more than 1 billion Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities remediation records from 10,000 organizations between 2022 and 2025. The company says defenders fell behind attackers in 88% of the most critical, actively weaponized cases it studied. (blog.qualys.com) (bleepingcomputer.com) In half of those cases, the exploit showed up before a patch even existed. That means the old advice to “just patch faster” breaks down when the vendor has not shipped a fix yet. (blog.qualys.com)

The Cybersecurity and Infrastructure Security Agency catalog matters here because it is not a list of theoretical bugs. It is the federal government’s running list of vulnerabilities with reliable evidence of real-world exploitation, and federal civilian agencies are required under Binding Operational Directive 22-01 to fix listed issues by CISA deadlines. (cisa.gov 1) (cisa.gov 2) As of April 11, 2026, the Known Exploited Vulnerabilities catalog showed 1,559 entries, including fresh additions such as Ivanti Endpoint Manager Mobile issue CVE-2026-1340 and Fortinet FortiClient Enterprise Management Server issue CVE-2026-35616. Those entries carry due dates measured in days, which shows how little time defenders get once exploitation is confirmed. (cisa.gov)

Qualys says the failure is structural, not just a staffing problem. Its data found that the share of critical vulnerabilities still open at Day 7 and Day 30 got worse over time even as teams closed far more total issues, which is like a hospital treating more patients every year while the emergency-room line still gets longer. (blog.qualys.com)

The company’s report adds a metric called Average Window of Exposure, which measures the full span from the moment a bug becomes weaponized to the moment it is fixed across the environment. That is a more useful clock than mean time to remediate, because attackers care about how long the door stays open, not how fast the ticket moved through an internal workflow. (blog.qualys.com)

One example in the report is Follina, the Microsoft Support Diagnostic Tool flaw from 2022. Qualys says one organization accumulated 33,000 exposure-days on that single bug, and 80% of the exposure sat outside the short sprint windows that dashboards usually highlight. (blog.qualys.com)

The uncomfortable part is that patching still works when it is tightly operationalized. Qualys found that 15% of organizations had patched by the point a vulnerability was added to the Known Exploited Vulnerabilities list, which suggests the race is not impossible but is already beyond human-scale manual processes for most enterprises. (blog.qualys.com)

That is why security teams keep talking about prioritization and compensating controls instead of promising to patch everything instantly. If a fix is not ready or a production system cannot be rebooted this week, defenders need other brakes like network isolation, application-layer filtering, disabling exposed features, or taking the product offline until the patch can land. (cisa.gov 1) (cisa.gov 2)

The story in these records is simple: the patch queue is growing on calendar time, while exploitation is moving on attacker time. When one side works in monthly change windows and the other side works in hours or days, the math eventually stops working. (blog.qualys.com) (bleepingcomputer.com)
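As an added worked example (not from the Qualys report or this article), the Python sketch below computes both clocks over constructed remediation records: mean time to remediate per closed ticket versus exposure-days and a per-CVE window of exposure measured from the weaponization date, plus the share of records still open at Day 7 and Day 30. The CVE identifiers, hosts and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Record:
    cve: str                # placeholder identifiers below, not real CVEs
    asset: str
    weaponized: date        # exploitation confirmed, e.g. the KEV add date
    detected: date          # scanner first flagged this asset
    fixed: Optional[date]   # None means still open

# Constructed sample records (not Qualys data): one CVE fixed quickly on two
# hosts but lingering on a legacy box, and one CVE still open everywhere.
RECORDS = [
    Record("CVE-0000-0001", "web-01", date(2025, 1, 1), date(2025, 1, 3), date(2025, 1, 5)),
    Record("CVE-0000-0001", "web-02", date(2025, 1, 1), date(2025, 1, 3), date(2025, 1, 12)),
    Record("CVE-0000-0001", "legacy-09", date(2025, 1, 1), date(2025, 1, 20), date(2025, 3, 1)),
    Record("CVE-0000-0002", "db-01", date(2025, 2, 1), date(2025, 2, 1), None),
]
AS_OF = date(2025, 3, 31)  # reporting date used for records that are still open

def mttr_days(records):
    """Dashboard clock: mean detection-to-fix time over closed tickets only."""
    closed = [(r.fixed - r.detected).days for r in records if r.fixed]
    return sum(closed) / len(closed) if closed else 0.0

def exposure_days(records, as_of):
    """Attacker clock: asset-days exposed since weaponization; open records run to as_of."""
    return sum(((r.fixed or as_of) - r.weaponized).days for r in records)

def window_of_exposure(records, as_of):
    """Per CVE: days from weaponization until the last asset is fixed (or as_of while any is open)."""
    window = {}
    for r in records:
        end = r.fixed or as_of
        window[r.cve] = max(window.get(r.cve, 0), (end - r.weaponized).days)
    return window

def share_open_after(records, days, as_of):
    """Fraction of records still unfixed `days` after weaponization (the Day 7 / Day 30 view)."""
    eligible = [r for r in records if (as_of - r.weaponized).days >= days]
    late = [r for r in eligible if r.fixed is None or (r.fixed - r.weaponized).days > days]
    return len(late) / len(eligible) if eligible else 0.0

if __name__ == "__main__":
    print("MTTR over closed tickets:", mttr_days(RECORDS), "days")
    print("Total exposure-days:", exposure_days(RECORDS, AS_OF))
    print("Window of exposure per CVE:", window_of_exposure(RECORDS, AS_OF))
    print("Still open at day 7 / day 30:", share_open_after(RECORDS, 7, AS_OF), share_open_after(RECORDS, 30, AS_OF))
```

On this data MTTR reads 17 days while the window of exposure for the first CVE is 59 days, because the legacy host was only flagged three weeks after weaponization and that time never appears in the ticket clock.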
