Global Vulnerability Intelligence
What 2026's Vulnerability Data Actually Tells Us

There were 48,000+ CVEs published in 2025. That is 131 every single day. Security teams across the world ran patching sprints, filed tickets, and updated dashboards. And yet, by the end of the year, only 256 of those vulnerabilities were ever exploited in a real attack. That is 0.53% of everything published.
This is not a success story. It is a sign that the industry may be measuring the wrong things.
The Numbers Are Getting Bigger. The Real Threat Is Not.

CVE volume grew 139% in five years. The number actually exploited stayed flat. What this means in practice: for every real threat buried in that list, there are now 188 CVEs that will never matter. In 2021, that ratio was 1 in 79. The signal is getting harder to find, not easier.

This is what Hiveforce Labs calls the "Funnel of Relevance." The top of the funnel has exploded. The bottom, where real attacks happen, has barely moved.
Report References:
Hive Pro Global Vulnerability Intelligence Report
Verizon 2026 Data Breach Investigations Report
CrowdStrike 2026 Global Threat Report
SentinelOne - Annual Threat Report: A Defender's Guide from the Frontlines
The Window to Patch Has Already Closed
This is where the story gets uncomfortable.
Time from disclosure to exploitation, as each report measures it:
Hive Pro / Zero Day Clock: Median time from disclosure to first exploitation fell from ~7 days in 2023 to just 4 hours in 2024. By 2025, exploitation was happening before disclosure for the majority of zero-days. The window is now negative.
Verizon DBIR 2025: Edge devices and VPN gateways now account for 22% of all vulnerability-exploitation breaches, a nearly eightfold jump from 3% the year before, and for those edge KEVs the median time from disclosure to mass exploitation was zero days (versus 5 days for all KEVs). Attackers were not waiting for a patch window; they were exploiting on the day the flaw went public.
CrowdStrike 2026 Global Threat Report: Median time from disclosure to a public exploit dropped to 24 days. That measures when exploit code becomes public rather than first in-the-wild use, so it is not directly comparable with the Hive Pro figure. In some cases adversaries had working exploits before vendors had patches, and 42% of exploited vulnerabilities were attacked before public disclosure.
SentinelOne 2026 Annual Threat Report: Does not report a single median figure, but its finding is arguably more alarming in practical terms: AI-driven automation now lets threat actors scan the entire global IP space and begin weaponizing edge vulnerabilities within hours of a disclosure, often before most organizations have assessed whether they are even affected. SentinelOne's research made this clearest in the ArcaneDoor campaign, in which attackers targeting legacy Cisco ASA devices moved from initial access to deploying firmware-level implants before the devices appeared in any patch advisory.

FieldCISO Conclusion: Every report agrees that the denominator is a trap. Hive Pro quantifies it most directly: patching by volume means chasing a number that doubles every few years while the ~250 CVEs that matter sink deeper into the pile. Verizon shows the operational cost of that chase (you fall further behind on the KEVs that count). CrowdStrike and SentinelOne show that the attacker does not care about your backlog size at all. The takeaway is unanimous: threat-informed prioritization is no longer a best practice, it is the only workable model.
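To make the metric the reports are arguing about concrete, here is a small added Python illustration (not code from Hive Pro, Verizon, CrowdStrike or SentinelOne) that computes the signed disclosure-to-exploitation lag over constructed sample records with placeholder CVE IDs, reports the median overall and for the edge-device subset, and shows what a fixed patch SLA misses once the lag is zero or negative.

```python
"""Disclosure-to-exploitation lag, the metric the reports above are arguing about.

Added illustration; not code from Hive Pro, Verizon, CrowdStrike or SentinelOne.
Every record below is constructed sample data and the CVE IDs are placeholders.
"""
from datetime import date
from statistics import median

# (cve_id, disclosure_date, first_observed_exploitation, on_edge_device) - constructed
SAMPLE = [
    ("CVE-0000-0001", date(2025, 3, 10), date(2025, 3, 10), True),   # edge, same day
    ("CVE-0000-0002", date(2025, 4, 2),  date(2025, 3, 20), True),   # edge, 13 days before disclosure
    ("CVE-0000-0003", date(2025, 5, 1),  date(2025, 5, 1),  True),   # edge, same day
    ("CVE-0000-0004", date(2025, 6, 15), date(2025, 6, 20), False),  # 5 days after disclosure
    ("CVE-0000-0005", date(2025, 7, 1),  date(2025, 8, 3),  False),  # 33 days after disclosure
    ("CVE-0000-0006", date(2025, 8, 8),  date(2025, 7, 30), False),  # 9 days before disclosure
]


def lag_days(disclosed, exploited):
    """Signed lag in days; negative means exploitation preceded public disclosure."""
    return (exploited - disclosed).days


def summarize(records):
    """Median lag overall and for edge devices, plus how many records had no
    patch window at all (first exploitation on or before the disclosure date)."""
    lags = [lag_days(d, e) for _, d, e, _ in records]
    edge = [lag_days(d, e) for _, d, e, on_edge in records if on_edge]
    return {
        "count": len(lags),
        "median_lag_days": median(lags),
        "median_lag_days_edge": median(edge) if edge else None,
        "exploited_before_disclosure": sum(1 for x in lags if x < 0),
        "no_patch_window": sum(1 for x in lags if x <= 0),
    }


def share_missed_by_sla(records, sla_days):
    """Fraction of exploited CVEs whose first exploitation came on or before the
    day a patch SLA of `sla_days` after disclosure would have had the fix applied."""
    lags = [lag_days(d, e) for _, d, e, _ in records]
    return sum(1 for x in lags if x <= sla_days) / len(lags)


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for sla in (0, 7, 30):
        print(f"{sla:>2}-day SLA misses {share_missed_by_sla(SAMPLE, sla):.0%} of exploited CVEs")
```

On the constructed data the median lag is 0 days both overall and on edge devices, four of six records had no patch window at all, and even a 7-day SLA is already too slow for five of six. The point is not the numbers, which are made up, but that the metric has to be signed: a median of zero hides the records where exploitation came first.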
CVSS Scores Are Misleading Your Team
Hive Pro: Severity-based triage fails in both directions. Of ~48,000 CVEs, roughly 19,600 were rated High or Critical, but only 210 of those were ever exploited. CVSS triage correctly flagged 210 real threats and buried them under 19,390 false alarms, a 99% over-prioritization rate. At the same time, 32 exploited CVEs were rated Medium or Low, flaws that CVSS-first triage would have skipped entirely, yet they were actively weaponized by nation-state actors and ransomware crews while defenders looked elsewhere. As Ankit Mani, Head of Hiveforce Labs, puts it: "Attackers don't filter by severity; they filter by utility."
CrowdStrike 2026: Their attribution data backs the "utility over severity" thesis: 67% of vulnerabilities exploited by China-nexus actors were chosen because they delivered immediate system access, not because they carried the highest CVSS score. Access is the selection criterion, not severity.
Verizon DBIR 2026: The KEV remediation collapse (only 26% of critical known-exploited vulnerabilities fully patched) compounds the problem: when you are already drowning in High/Critical tickets and clearing only a quarter of the known-exploited list, a Medium-rated flaw that is actively in use has essentially zero chance of being prioritized. The scoring model is actively manufacturing blind spots.
SentinelOne 2026: Their case studies repeatedly feature flaws and edge devices that did not top severity charts but sat in unmanaged blind spots, "the first step toward broader compromise." A poster child for the paradox: CVE-2025-8088 (WinRAR), scored 8.8 (High, but below the Critical threshold that drives most emergency patching), was weaponized by Russia-aligned RomCom and later by multiple nation-state and criminal groups, a flaw that would have sat squarely in the middle of most patching queues.
FieldCISO Conclusion: All four sources converge on a single uncomfortable truth: CVSS measures theoretical severity, attackers measure practical utility, and the two correlate poorly. Hive Pro quantifies the waste (19,390 false alarms) and the blind spot (32 under-rated exploited CVEs). CrowdStrike explains why attackers pick what they pick (immediate access). Verizon shows the operational squeeze that lets the under-rated flaws slip through. Severity should be a refinement in a multi-step model: exploitation evidence first, exploit availability second, severity and asset context after, never the primary signal.
Security Tools Are Now the Biggest Target
Hive Pro: Here's the finding most organizations aren't prepared for: firewalls, VPNs, EDR, and IAM platforms account for the single largest category of exploited vulnerabilities, 15.2% of all in-the-wild exploits in 2025. The tools deployed to protect the network became its most exploited attack surface. The reason is structural: these appliances sit at the perimeter, exposed to the internet by design, and 23.8% of all exploited flaws required zero authentication. When your firewall's management console is reachable from the internet, you have handed attackers a front door.
Verizon DBIR 2026: Edge devices and VPNs have been the fastest-growing exploitation surface for two years running. In the 2025 DBIR, edge-device exploitation jumped nearly eightfold (3% → 22% of the vulnerability-exploitation action), and for edge KEVs the median time from disclosure to mass exploitation was zero days. The 2026 report cements vulnerability exploitation as the leading initial access vector at 31%, overtaking credential abuse for the first time in the report's 19-year history.
CrowdStrike 2026: 40% of China-nexus exploits targeted edge devices, and 67% delivered immediate system access. These devices sit outside standard endpoint visibility, which is precisely why they're chosen.
SentinelOne 2026: Their headline number on this is the sharpest: nearly 46% of recent zero-days targeted edge devices, "unmanaged blind spots and frequently the first step toward broader compromise." ArcaneDoor again is the worked example: legacy Cisco ASA devices chosen specifically because they sit outside endpoint telemetry, compromised with firmware implants that ran undetected for months. They also observed F5 BIG-IP devices used to pivot into VMware vSphere, and Check Point gateway flaws hit across dozens of organizations.
FieldCISO Conclusion: This is the most strikingly unanimous finding across all four reports, and it inverts a core assumption of defensive architecture. Hive Pro (15.2% of in-the-wild exploits), SentinelOne (~46% of zero-days), CrowdStrike (40% of China-nexus exploits), and Verizon (31% initial-access vector, zero-day median exploitation on edge) are measuring the same elephant from four angles. The security perimeter is now the primary breach surface.
Zero-Days: Nearly Half of What Actually Happened
Of the 256 CVEs exploited in real-world attacks in 2025, 104 (40.6%) were zero-days, meaning attackers exploited them before a patch was available.
According to the Verizon DBIR 2025, critical edge devices such as VPN gateways often faced mass exploitation on the same day vulnerabilities were disclosed. In many cases, there was simply no time to patch.
This challenges a common post-breach question:
"Were we patched?"
For more than 40% of exploited vulnerabilities, there was no patch to apply.
Vendors with the Most Exploited Zero-Days

Familiar Vulnerabilities, Persistent Risk
The most common root causes were:
Use-After-Free (CWE-416) – 12 instances
Improper Input Validation (CWE-20)
Out-of-Bounds Write (CWE-787)
These are decades-old vulnerability classes that continue to appear in modern software. The lesson is clear: patching remains essential, but it is no longer enough on its own. Organizations need layered defenses that assume some attacks will occur before fixes are available.
The Kill Chain Is Four Steps, Not One
Hive Pro: Exploitation objectives across the 256 real-world CVEs break down into a clear hierarchy: 50.4% delivered code execution, 16.4% intelligence harvesting / credential theft, 13.7% initial access via authentication bypass, 12.1% privilege escalation, and 5.5% existed solely to kill security controls (EDR evasion, sandbox escapes). And 25.4% of exploited CVEs were chained together in multi-vulnerability sequences. The classic modern chain: one CVE bypasses the VPN, a second escalates privileges, a third kills the EDR, a fourth deploys ransomware. Four CVEs from four different categories, working as a single operation. SAP NetWeaver's CVE-2025-31324 drew nine distinct threat actors (six state-sponsored, three criminal) onto the same target.
CrowdStrike 2026: Speed makes the chain lethal. Average breakout time (initial access to lateral movement) dropped to 29 minutes in 2025, with the fastest observed at 27 seconds. In one recorded intrusion, data exfiltration began within 4 minutes of first access. The assumption that defenders can detect, investigate, and respond between initial access and damage is no longer valid for most organizations.
SentinelOne 2026: Their "Machine Multiplier" findings push this further into the absurd: a privilege-escalation chain completed in 30 milliseconds; a ScreenConnect-based attack installed a persistent service in 49 seconds; INC ransomware operators exfiltrated all data in 19 minutes. Automation has compressed the kill chain below the threshold of human response.
Verizon DBIR 2026: The chain starts where the data says it starts. Vulnerability exploitation is now the leading initial-access foothold (31%), and the human element still features in 62% of breaches. The "entry link" is increasingly an unauthenticated, internet-facing flaw rather than a stolen password.
FieldCISO Conclusion: No single CVE tells the story; the convergence does. Hive Pro maps the anatomy of the chain (and proves it's real with SAP NetWeaver's nine actors). CrowdStrike and SentinelOne prove the chain now executes faster than humans can react, in minutes, seconds, or milliseconds. Verizon confirms where it begins. Patching one link breaks the chain, but missing any one link hands the attacker the full path. Defense has to be chain-aware: start with the most exposed entry link, harden kernel/driver loading to break the escalation and EDR-kill steps, and assume you will not get a human-speed response window.
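As an added illustration of what "chain-aware" detection looks like in code (this is not code from Hive Pro, CrowdStrike or SentinelOne), the following Python correlates individual detections into a per-source kill chain and reports how long the chain took, including breakout time in the CrowdStrike sense. The log format, the rule names and the rule-to-stage mapping are assumptions, and the log lines are constructed.

```python
"""Chain-aware correlation: group detections by attacker source, keep those within a
time window, and alert when several kill-chain stages appear in chain order.

Added example; not code from Hive Pro, CrowdStrike or SentinelOne. The log format,
rule names and stage mapping are assumptions, and the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical detection-rule names (left) and the chain step each one evidences (right).
STAGE_OF = {
    "vpn_auth_bypass":      "initial_access",
    "token_manipulation":   "privilege_escalation",
    "kernel_driver_load":   "privilege_escalation",   # vulnerable/unsigned driver load (BYOVD)
    "edr_service_stopped":  "defense_evasion",
    "smb_admin_share_enum": "lateral_movement",
    "mass_file_rename":     "impact",
}
ORDER = ["initial_access", "privilege_escalation", "defense_evasion", "lateral_movement", "impact"]

# Constructed sample log, one event per line: "<utc timestamp> <source> <host> <rule>".
SAMPLE_LOG = """\
2025-09-01T08:00:00Z 203.0.113.7 vpn-gw-1 vpn_auth_bypass
2025-09-01T08:03:30Z 203.0.113.7 srv-app-3 kernel_driver_load
2025-09-01T08:04:10Z 203.0.113.7 srv-app-3 edr_service_stopped
2025-09-01T08:12:45Z 203.0.113.7 srv-app-3 smb_admin_share_enum
2025-09-01T08:26:00Z 203.0.113.7 fs-01 mass_file_rename
2025-09-01T09:00:00Z 198.51.100.9 ws-042 token_manipulation
2025-09-01T15:00:00Z 198.51.100.9 ws-042 mass_file_rename
2025-09-01T10:30:00Z 192.0.2.44 ws-007 edr_service_stopped
"""


def parse(log):
    """Parse the constructed format into (timestamp, source, host, rule), time-ordered."""
    events = []
    for line in log.splitlines():
        ts, src, host, rule = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, rule))
    return sorted(events)


def correlate(events, window_min=60, min_stages=3):
    """One alert per source that shows at least `min_stages` distinct chain stages, in
    chain order, with every stage first seen within `window_min` minutes of the
    source's first event. Single noisy detections never reach the alert threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        start = evs[0][0]
        first_seen = {}                       # stage -> first timestamp inside the window
        for ts, _, host, rule in evs:
            stage = STAGE_OF.get(rule)
            if stage is None or (ts - start).total_seconds() > window_min * 60:
                continue
            first_seen.setdefault(stage, ts)

        stages = [s for s in ORDER if s in first_seen]
        times = [first_seen[s] for s in stages]
        in_order = all(a <= b for a, b in zip(times, times[1:]))
        if len(stages) < min_stages or not in_order:
            continue

        breakout = None                       # initial access -> lateral movement, in minutes
        if "initial_access" in first_seen and "lateral_movement" in first_seen:
            breakout = (first_seen["lateral_movement"] - first_seen["initial_access"]).total_seconds() / 60
        alerts.append({
            "src": src,
            "stages": stages,
            "elapsed_min": (times[-1] - times[0]).total_seconds() / 60,
            "breakout_min": breakout,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(f"{a['src']}: {' -> '.join(a['stages'])} in {a['elapsed_min']:.1f} min "
              f"(breakout {a['breakout_min']} min)")
```

On the sample log the first source completes all five stages in 26 minutes with a breakout of under 13 minutes, well inside any human triage SLA; the second source's two detections are six hours apart and only correlate if the window is widened; the third is a single detection and never alerts. Keying on the attacker source rather than the host is deliberate: the page's chain crosses a VPN gateway, an application server and a file server, and per-host correlation would see four unrelated events.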
AI Is Accelerating Both Sides
Hive Pro: AI is compressing the time-to-exploit curve toward zero. Attackers with AI can now reverse-engineer a vendor patch, identify the underlying flaw, and generate a working exploit in minutes, turning every security fix into an exploit blueprint and industrializing what was once a specialist craft. Defense is advancing too: Google's Big Sleep discovered CVE-2025-6965, a critical SQLite zero-day, before it could be exploited, the first documented case of an AI agent directly foiling a real-world zero-day. But the asymmetry is structural: defensive AI must find and close every path; the attacker needs only one. AI amplifies both sides, but it amplifies the side with cleaner, faster feedback loops first.
CrowdStrike 2026: The offensive curve is now measured: an 89% year-over-year increase in AI-enabled attacks. Adversaries injected malicious prompts into legitimate GenAI tools at 90+ organizations, and a new class of LLM-built malware (e.g., LAMEHUG) appeared in the wild. Adam Meyers' summary: "This is an AI arms race."
Verizon DBIR 2026: A more measured read on the same trend: the median AI-assisted threat actor now operates across 15 MITRE ATT&CK techniques (some across 40 to 50), but fewer than 2.5% of AI-assisted malware observations involved genuinely novel methods. AI is scaling existing tradecraft, not (yet) inventing new attacks.
SentinelOne 2026: Their position is the most operationally honest: mature automation is "finally outpacing adversaries" but only in environments that have connected AI insights to actual defensive outcomes. The gap between having AI tools and having an AI-driven defense capability is wide, and most organizations sit on the wrong side of it.
FieldCISO Conclusion: The four reports together draw the most balanced picture available: AI is real, it's measurable on offense (CrowdStrike's 89%), it's mostly amplifying known techniques rather than inventing new ones (Verizon's <2.5% novel), and defensive wins exist but are conditional on execution (Big Sleep, SentinelOne's caveat). Hive Pro names the structural trap underneath it all: the side with the cleaner feedback loop wins the AI race, and right now that's the attacker. As frontier exploitation capabilities become more widely available, instant patching will not save you: patches break systems, and the window is already negative. Mitigating controls, such as IOA/IOC-based detection, segmentation, configuration hardening, and behavioral detection, are what reduce risk in real time.
What Actually Needs to Change
The Verizon 2026 DBIR summarized the remediation problem clearly: exploitation of vulnerabilities has now overtaken credential abuse as the leading initial access vector, accounting for 31% of breaches. Only 26% of critical known-exploited vulnerabilities were fully patched in 2025.
The patching treadmill is not going to speed up enough to close a gap that is measured in negative days.
The shift the data is pointing to is not a new tool or a bigger patching team. It is a change in the question being asked.
The old question: "What is left to patch?"
The new question: "What is being actively weaponized right now, and can we detect an exploitation attempt against it before it becomes a breach?"

In practice, this means:
Threat-informed prioritization first. Of the 48,000 CVEs published last year, only around 250 ended up in real attacks. Intelligence that identifies those 250 is worth more than any CVSS-based workflow.
Compensatory controls for zero-days. For the 40% of real-world exploits where no patch existed, the only viable defense is detection logic, network segmentation, and behavioral controls that catch exploitation attempts rather than waiting for a patch.
Treat security infrastructure as the highest-risk surface. Firewalls, VPNs, and EDR platforms are the most-exploited category. They need dedicated patching SLAs and management interfaces that are not reachable from the internet.
Validate, don't just assume. Most organizations have network segmentation on paper. Very few have tested whether it actually holds against the lateral movement techniques currently in use. The same gap exists for detection coverage.
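Here is one way to encode the ordering described above and in the CVSS section, as an added Python example that is not Hive Pro's model or any vendor's scoring: exploitation evidence first, exploit availability second, exposure and asset value next, CVSS last, with unpatched findings routed to compensating controls instead of a patch ticket. The findings, the in-the-wild flags and the EPSS-style probabilities are constructed and the CVE IDs are placeholders; the CVSS-first queue is included for comparison.

```python
"""Threat-informed prioritization: exploitation evidence first, exploit availability
second, exposure and asset context next, CVSS last; zero-days go to compensating controls.

Added example; not Hive Pro's model nor any vendor's scoring. The findings, in-the-wild
flags and EPSS-style probabilities are constructed and the CVE IDs are placeholders.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float
    exploited_in_wild: bool   # e.g. in CISA KEV or vendor intel (constructed here)
    epss: float               # EPSS-style 30-day exploitation probability (constructed)
    public_exploit: bool      # working exploit or PoC publicly available
    internet_exposed: bool    # reachable from the internet on this asset
    asset_tier: int           # 1 = security infrastructure / crown jewels ... 3 = low value
    patch_available: bool = True


def bucket(f: Finding) -> int:
    """Ordered buckets; lower is handled first. CVSS only decides membership of bucket 2."""
    if f.exploited_in_wild:
        return 0
    if f.public_exploit or f.epss >= 0.10:
        return 1
    if f.cvss >= 9.0 and f.internet_exposed:
        return 2
    return 3


def sort_key(f: Finding):
    # Within a bucket: exposed before internal, high-value assets before low, then CVSS descending.
    return (bucket(f), not f.internet_exposed, f.asset_tier, -f.cvss)


def prioritize(findings):
    return sorted(findings, key=sort_key)


def cvss_first(findings):
    """The severity-first queue most teams run today, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


def action(f: Finding) -> str:
    """What to do with a finding once it is ranked."""
    if bucket(f) <= 1 and not f.patch_available:
        return "mitigate: no patch, apply compensating controls (cut exposure, segment, detect exploitation)"
    if bucket(f) == 0:
        return "patch: emergency SLA, exploited in the wild"
    if bucket(f) == 1:
        return "patch: exploit available, short SLA"
    return "patch: routine cycle"


# Constructed findings; the CVE IDs are placeholders, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", 5.3, True,  0.50, True,  True,  1, patch_available=False),  # Medium, exploited, no patch, VPN
    Finding("CVE-0000-0002", 9.8, False, 0.02, False, False, 3),                         # Critical, internal, no evidence
    Finding("CVE-0000-0003", 8.8, False, 0.30, True,  True,  2),                         # High, public exploit, exposed
    Finding("CVE-0000-0004", 7.5, False, 0.01, False, True,  2),                         # High, exposed, no evidence
    Finding("CVE-0000-0005", 9.1, False, 0.60, False, True,  1),                         # Critical, high EPSS, security infra
    Finding("CVE-0000-0006", 9.4, False, 0.03, False, True,  2),                         # Critical, exposed, no evidence
]


if __name__ == "__main__":
    print("threat-informed:", [f.cve for f in prioritize(SAMPLE)])
    print("cvss-first:     ", [f.cve for f in cvss_first(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.cve} -> {action(f)}")
```

On the constructed set the CVSS-first queue puts the 9.8 on an internal low-value host at the top and the exploited, unpatched 5.3 on the VPN gateway at the very bottom; the threat-informed queue inverts that, and because the 5.3 has no patch it is routed to mitigation rather than left waiting on a vendor. The thresholds (EPSS 0.10, CVSS 9.0) are illustrative knobs, not values the reports prescribe.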
Looking Ahead
The trends highlighted in 2025 are only accelerating. Hive Pro predicts CVE volume will continue to grow, exploitation timelines will shrink further, and supply chain compromises will impact larger numbers of organizations through a single point of failure.
At the same time, AI is reducing the gap between vulnerability disclosure and exploitation, enabling attackers to identify and weaponize weaknesses faster than ever.
The underlying math, however, remains unchanged. Tens of thousands of vulnerabilities will be published, but only a small fraction will drive real-world attacks. The challenge for security teams is not keeping up with volume. It is identifying what attackers are actively weaponizing and responding before it becomes a breach.
The future of vulnerability management is not patching more. It is prioritizing better.
The organizations that make this shift first will have a significant advantage over those still measuring success by patch volume alone.