Vulnerability Exploitation Now Top Attack Vector as Patch Times Worsen in 2026
A record 48,185 CVEs were published in 2025, a 20.6% increase over the prior year, while the median time to patch vulnerabilities rose 34% to 43 days. Verizon's 2026 Data Breach Investigations Report found that vulnerability exploitation surpassed credential abuse to become the most common initial attack method for the first time in the report's 19-year history. To address this, security experts recommend formalizing vulnerability remediation SLAs that set strict, severity-based patching deadlines — with critical flaws requiring fixes within 14 days. CISA's new federal directive, BOD 26-04, moves beyond simple CVSS scoring by requiring agencies to assess asset exposure and other contextual risk factors, with full compliance expected by December 7, 2026. Although the directive applies only to federal civilian agencies, CISA has urged private organizations to adopt similar frameworks, and cyber insurers and auditors are already following suit.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in