Vulnerability Exploitation Trends: H1 2026: What Threat Actors Are Actually Using

JUNE 3, 2026

A data-driven analysis of CVE volume, exploitation speed, zero-day vs. n-day ratios, the most targeted technology categories, and sector-level distribution for the first half of 2026.

Mandiant’s M-Trends 2026 published a figure that reframes how vulnerability management must work: the mean time to exploit is now negative seven days. Not seven days after a patch is released. Negative seven. The average exploitation campaign begins a full week before the CVE is even publicly disclosed, before any patch exists, and before most security teams have any signal that a vulnerability is being actively weaponized.

The first half of 2026 confirms that this is not an edge case. It is the new operational baseline. CVE volume is growing faster than any enrichment or prioritization system can process. The share of vulnerabilities exploited before or on their disclosure date has reached 32 percent. And the technology categories being hit hardest (network edge devices, identity platforms, and a newly emerging AI infrastructure attack surface) are precisely the categories that traditional patch management programs handle most poorly.

This is Brandefense’s first-half vulnerability exploitation analysis. Every data point comes from a named, dated source. The H2 edition will follow in December with the second-half picture. The goal of both editions is the same: not a catalog of scary numbers, but a data-grounded answer to one operational question: what do threat actors actually use to get in, and how does that change what defenders need to prioritize?

- -7 days mean time to exploit (Mandiant M-Trends 2026): exploitation begins before patches exist
- 55-60K CVEs projected for full-year 2026; Q1 alone one-third higher than Q1 2025 (NIST)
- 32.1% of exploited CVEs hit on or before their CVE publication date: zero-day or pre-disclosure (VulnCheck)
- 1,484 entries in CISA KEV as of H1 2026; +20% from 2025; 24 tagged as ransomware-specific

Figure: Comparison of H1 2026 cybersecurity metrics showing attackers exploiting vulnerabilities faster than defenders can patch them, including the 32.1% zero-day rate, the -7-day mean time to exploit, and the 361-day median patch time. H1 2026 highlights a widening gap between attacker speed and defender response: while exploitation accelerates, organizations continue to struggle with lengthy remediation timelines.

Zero-Day, N-Day: Why the Distinction Matters in H1 2026

Before diving into the data, two terms that appear throughout this analysis need a precise definition, because they describe structurally different threat scenarios that require different defenses.

A zero-day vulnerability is one that is being actively exploited while it is still unknown to the public, the vendor, and the defender. No patch exists because no one outside the attacker knows the vulnerability is there. Detection is impossible through standard patch-gap analysis because there is no disclosed CVE to check against.

An n-day vulnerability (where n = number of days since disclosure) is one that has been publicly disclosed and for which a patch typically exists, but which is still being exploited against organizations that have not yet applied the fix. n can be 1 day, 30 days, 180 days, or, as CISA’s KEV catalog documents, 18 years. The n-day category is where the majority of successful exploits occur, not because zero-days aren’t dangerous, but because n-day exploitation scales across thousands of unpatched organizations at once.

The H1 2026 data shows both trends accelerating simultaneously: zero-day share is growing, and legacy n-day exploitation against organizations that have never patched known vulnerabilities is also growing. This is not a paradox; it reflects two distinct attacker populations operating at opposite ends of the capability spectrum, both finding success.

💡 The Negative Mean Time
When Mandiant says mean time to exploit is -7 days, it means that if you average together all exploitation timings, the result is negative: exploitation typically begins before disclosure. This is a mean, not a median. It is heavily influenced by nation-state zero-day campaigns. The median exploitation timing is closer to 5-7 days post-disclosure. Both numbers tell the same story: patch windows have collapsed.

How Many New Vulnerabilities Are We Actually Dealing With?

The velocity of vulnerability disclosure has fundamentally changed the math of vulnerability management. In 2023, the National Vulnerability Database averaged approximately 80 new CVEs per day. In H1 2026, that figure has reached 131 per day, and the Q1 2026 submission rate suggests the annual total will land between 55,000 and 60,000; roughly double the volume of three years ago.

Three structural factors are driving this: AI-assisted vulnerability discovery has enabled researchers (and attackers) to surface software defects at machine speed; the CVE program’s expansion to additional CNA (CVE Numbering Authority) partners means more organizations have authority to assign CVEs directly; and the software attack surface itself is expanding with every new AI platform, cloud service, and connected device category added to enterprise environments.

Year             | Total CVEs    | YoY Change | Daily Average
2023             | ~29,000       | Baseline   | ~80 / day
2024             | ~40,009       | +38%       | ~110 / day
2025             | 48,185        | +20.6%     | ~132 / day
2026 (projected) | 55,000-60,000 | +14-25%    | 131-165 / day

Source: NIST NVD; CVE.org; Proofpoint Threat Research May 2026; Indusface Application Security Report 2026

The volume problem creates a prioritization crisis. Manual triage is no longer viable. CVSS scores, the industry-standard severity rating system, are becoming less reliable as prioritization signals because NVD’s enrichment capacity has not kept pace with CVE volume: a growing share of newly published CVEs arrive without CVSS scores, CWE classification, or CPE identifiers. Organizations that rely exclusively on CVSS scores to decide what to patch first are working from incomplete data on a significant and growing proportion of their vulnerability inventory.

💡 What Should Replace CVSS?
The answer is not to abandon CVSS; it still provides useful severity context. The answer is to augment it with exploitation signals: EPSS (Exploit Prediction Scoring System) scores, which estimate exploitation probability based on real-world telemetry, and direct exploitation evidence from sources like the CISA KEV catalog, VulnCheck, and commercial threat intelligence feeds. A CVSS 6.5 vulnerability actively exploited by ransomware groups is a higher priority than a CVSS 9.8 vulnerability with no documented exploitation activity in your sector.
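The prioritization rule stated above (exploitation evidence first, CVSS second, and unscored CVEs kept visible rather than silently dropped) is easy to mis-implement with a single sort on severity. The following Python is an added illustration, not Brandefense code or any vendor’s API: the `Finding` fields, the tier rules, the EPSS threshold of 0.10, the placeholder score for unenriched CVEs, and all sample CVE identifiers (`CVE-EXAMPLE-*`) are assumptions constructed for this example.

```python
"""Exploitation-aware prioritization of vulnerability findings.

Added illustration, not Brandefense code: combines the CVSS base score with
exploitation evidence (EPSS probability, presence in a KEV-style catalog, a
ransomware tag, and asset exposure). Field names, tier rules, the EPSS
threshold and every sample CVE below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

EPSS_HIGH = 0.10      # assumed threshold: >= 10% predicted 30-day exploitation probability
UNSCORED_CVSS = 5.0   # placeholder so unenriched CVEs are not ranked last by default


@dataclass
class Finding:
    cve: str
    cvss: Optional[float]           # None when NVD has not enriched the CVE yet
    epss: Optional[float] = None    # None when no EPSS score is available
    in_kev: bool = False            # listed in a known-exploited-vulnerabilities catalog
    ransomware: bool = False        # catalog tags the CVE as used by ransomware
    internet_facing: bool = False   # asset exposure from the attack surface inventory


def priority_tier(f: Finding) -> int:
    """Exploitation evidence decides the tier; CVSS only orders within a tier."""
    if f.in_kev and f.ransomware:
        return 4    # confirmed exploitation by ransomware: patch or isolate now
    if f.in_kev:
        return 3    # confirmed exploitation in the wild
    if (f.epss or 0.0) >= EPSS_HIGH:
        return 2    # no confirmed exploitation yet, but telemetry says it is likely
    return 0        # no exploitation signal: exposure and severity decide


def sort_key(f: Finding) -> tuple:
    """Higher tuple sorts first: tier, exposure, EPSS, then CVSS."""
    cvss = f.cvss if f.cvss is not None else UNSCORED_CVSS
    return (priority_tier(f), int(f.internet_facing), f.epss or 0.0, cvss)


def rank(findings: List[Finding]) -> List[Finding]:
    """Order findings so the first element should be remediated first."""
    return sorted(findings, key=sort_key, reverse=True)


def rank_by_cvss_only(findings: List[Finding]) -> List[Finding]:
    """The legacy ordering the text argues against; unscored CVEs sink to the bottom."""
    return sorted(findings, key=lambda f: f.cvss if f.cvss is not None else -1.0, reverse=True)


def unenriched(findings: List[Finding]) -> List[str]:
    """CVEs published without a CVSS score: flag for manual review rather than ignore."""
    return [f.cve for f in findings if f.cvss is None]


# Constructed sample findings; the CVE identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-A", cvss=9.8, epss=0.03, internet_facing=True),
    Finding("CVE-EXAMPLE-B", cvss=6.5, epss=0.60, in_kev=True, ransomware=True, internet_facing=True),
    Finding("CVE-EXAMPLE-C", cvss=7.5, epss=0.30),
    Finding("CVE-EXAMPLE-D", cvss=None, epss=None, in_kev=True),
    Finding("CVE-EXAMPLE-E", cvss=5.3, epss=0.01),
]

if __name__ == "__main__":
    print("Exploitation-aware order:", [f.cve for f in rank(SAMPLE_FINDINGS)])
    print("CVSS-only order:         ", [f.cve for f in rank_by_cvss_only(SAMPLE_FINDINGS)])
    print("Needs manual review:     ", unenriched(SAMPLE_FINDINGS))
```

With the sample data, the CVSS 6.5 finding that is in the catalog with a ransomware tag comes out first and the CVSS 9.8 finding with no exploitation signal drops to fourth, while the CVSS-only ordering puts the 9.8 first and pushes the unscored but known-exploited CVE to the very bottom. The `unenriched` list is the check a practitioner wants for the growing share of CVEs that arrive without a score.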
Figure: Monitoring the attack surface for active exploitation campaigns to prevent breaches.

How Fast Are Attackers Moving? The H1 2026 Exploitation Speed Data

Speed is the dimension of the 2026 vulnerability landscape that most fundamentally challenges traditional security operations. The window between ‘this vulnerability exists’ and ‘this vulnerability is being exploited against real targets’ has compressed to the point where, in the median case, the window is measured in days. In the worst cases, it is measured in hours, or it has already closed before the vulnerability is disclosed.

Zero-Day Share Is Rising

VulnCheck’s State of Exploitation 2026 analysis found that 28.96 percent of Known Exploited Vulnerabilities in 2025 were exploited on or before the day their CVE was published. H1 2026 has pushed that figure to 32.1 percent. This means that for roughly one in three exploited vulnerabilities, the defender has zero warning time from disclosure: by the time the CVE exists, exploitation has already begun.

Google’s Threat Intelligence Group counted 90 zero-days exploited in the wild in 2025, with enterprise technology representing an all-time high share of 48 percent of zero-day targets. State-sponsored actors, particularly those associated with China, Russia, and North Korea, account for the majority of enterprise-targeted zero-day exploitation. The resources required to discover and weaponize undisclosed vulnerabilities place this capability beyond most criminal actors, but the downstream effect, a shrinking window for defenders across all vulnerability types, affects every organization regardless of whether it is a direct state espionage target.

N-Day Speed Is Also Accelerating

Among vulnerabilities that are disclosed before exploitation begins, the race between attacker weaponization and defender patching has shifted decisively in the attacker’s favor. Indusface’s 2026 research documents that 28.3 percent of exploited vulnerabilities were weaponized within 24 hours of disclosure. For high-priority vulnerability categories, network edge devices and identity platforms in particular, the sub-24-hour exploitation window is now the norm rather than the exception.

Exploitation Timing                                          | 2024  | 2025   | H1 2026
Exploited before or on CVE publication date (zero-day)       | 23.6% | 28.96% | 32.1%
Exploited within 24 hours of disclosure                      | ~20%  | 28.3%  | Accelerating
Exploited within 7 days of disclosure                        | ~40%  | ~45%   | ~50% (est.)
Exploited 30+ days after disclosure (classic n-day)          | ~35%  | ~25%   | ~20% (est.)
Exploited 1+ year after disclosure (legacy n-day)            | ~15%  | ~18%   | Growing: +34% KEV additions

Source: VulnCheck State of Exploitation 2026; Mandiant M-Trends 2026; Indusface Application Security Report 2026
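The rows of the timing table, and the mean-versus-median point made in the callout on the negative mean time, both come from the same computation: the number of days between a CVE’s publication date and the first observed exploitation, bucketed and aggregated. The Python below is an added illustration, not code from VulnCheck, Mandiant or Indusface; the eleven records are constructed, the `CVE-EXAMPLE-*` identifiers are placeholders, and the bucket boundaries are assumptions chosen to mirror the table rows.

```python
"""Exploitation-timing distribution from a KEV-style dataset.

Added illustration, not code from VulnCheck or Mandiant: each record holds the
CVE publication date and the first observed exploitation date, and the
difference in days drives the bucket. The records are constructed, the CVE
identifiers are placeholders, and the bucket boundaries are assumptions.
"""
from collections import Counter
from datetime import date
from statistics import mean, median
from typing import Dict, List, Tuple

# (cve_id, cve_published, first_exploited): constructed sample records
Record = Tuple[str, date, date]
RECORDS: List[Record] = [
    ("CVE-EXAMPLE-01", date(2026, 1, 15), date(2025, 1, 15)),   # 365 days before publication
    ("CVE-EXAMPLE-02", date(2026, 2, 20), date(2025, 8, 4)),    # 200 days before
    ("CVE-EXAMPLE-03", date(2026, 3, 10), date(2025, 11, 10)),  # 120 days before
    ("CVE-EXAMPLE-04", date(2026, 3, 12), date(2026, 3, 12)),   # same day as publication
    ("CVE-EXAMPLE-05", date(2026, 4, 1), date(2026, 4, 2)),     # next day
    ("CVE-EXAMPLE-06", date(2026, 4, 5), date(2026, 4, 8)),     # 3 days after
    ("CVE-EXAMPLE-07", date(2026, 4, 10), date(2026, 4, 15)),   # 5 days after
    ("CVE-EXAMPLE-08", date(2026, 4, 20), date(2026, 4, 27)),   # 7 days after
    ("CVE-EXAMPLE-09", date(2026, 5, 1), date(2026, 5, 21)),    # 20 days after
    ("CVE-EXAMPLE-10", date(2026, 5, 5), date(2026, 6, 19)),    # 45 days after
    ("CVE-EXAMPLE-11", date(2025, 2, 1), date(2026, 3, 8)),     # 400 days after: legacy n-day
]

ZERO_DAY = "zero-day (on/before CVE publication)"
WITHIN_24H = "within 24 hours"
WITHIN_7D = "2-7 days"
WITHIN_30D = "8-30 days"
WITHIN_1Y = "31-365 days"
LEGACY = "legacy n-day (1+ year)"


def offset_days(published: date, first_exploited: date) -> int:
    """Negative means exploitation was observed before the CVE was published."""
    return (first_exploited - published).days


def bucket(offset: int) -> str:
    """Map an exploitation offset to one mutually exclusive timing bucket."""
    if offset <= 0:
        return ZERO_DAY
    if offset <= 1:
        return WITHIN_24H
    if offset <= 7:
        return WITHIN_7D
    if offset <= 30:
        return WITHIN_30D
    if offset <= 365:
        return WITHIN_1Y
    return LEGACY


def summarize(records: List[Record]) -> Dict[str, object]:
    """Bucket counts, zero-day share, and mean vs. median offset for a dataset."""
    offsets = [offset_days(pub, exp) for _, pub, exp in records]
    counts = Counter(bucket(o) for o in offsets)
    return {
        "count": len(offsets),
        "buckets": counts,
        "zero_day_share": round(counts[ZERO_DAY] / len(offsets), 3),
        # A few deeply negative zero-day offsets pull the mean below zero while
        # the median stays a few days after disclosure: the mean-vs-median point.
        "mean_days": round(mean(offsets), 2),
        "median_days": median(offsets),
    }


if __name__ == "__main__":
    summary = summarize(RECORDS)
    for name, n in summary["buckets"].items():
        print(f"{name:40s} {n:3d}  ({n / summary['count']:.1%})")
    print("zero-day share:", summary["zero_day_share"])
    print("mean offset (days):", summary["mean_days"], " median offset (days):", summary["median_days"])
```

On the constructed records the mean offset is negative (about -18.5 days) while the median is +3 days, which is exactly why a negative mean time to exploit and a 5-7 day median can both be true of one dataset. Feeding a real KEV export in the same three-column shape gives the zero-day share the table reports.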

🔴 The Legacy N-Day Problem Nobody Talks About
While attention focuses on zero-days and sub-24-hour exploitation, CISA added 94 pre-2025 vulnerabilities to the KEV catalog in 2025, a 34 percent increase from prior years. The oldest: CVE-2007-0671, an 18-year-old Microsoft Office Excel vulnerability still being actively exploited in 2025. The implication: patching new CVEs fast is necessary but not sufficient. Organizations also carry vulnerability debt from past years that attackers continue to exploit against systems that were never remediated. A comprehensive H1 2026 vulnerability program must address both the front end (new disclosures) and the long tail (legacy exposure inventory).

What Technologies Are Threat Actors Targeting Most in H1 2026?

Attackers select targets rationally: they prefer technologies with wide deployment (more potential victims), high access value (more damage per compromise), and slow patching cycles (longer exploitation windows). The H1 2026 targeting distribution reflects exactly this logic.

Network Edge Devices: The Top Target

VulnCheck’s State of Exploitation 2026 report places network edge devices (VPN appliances, firewalls, network access controllers, and SD-WAN infrastructure) as the most targeted technology category. The Verizon DBIR confirmed that VPN and edge-device exploitation rose approximately 8x to 22 percent of initial-access cases in 2025. In H1 2026, the trend has continued: Fortinet, Cisco, Palo Alto Networks, and Ivanti products appear most frequently in active exploitation campaigns.

The reason is structural. Edge devices sit at the network boundary by design, are internet-facing without additional authentication in many configurations, and are significantly harder to patch than desktop software because patching often requires maintenance windows, planned downtime, and physical access. Proofpoint’s May 2026 analysis identified 12 distinct 2026 CVEs being actively exploited in network-facing attacks, compared to only 8 listed on CISA KEV at the same date, a 50 percent gap between what attackers were exploiting and what the public catalog covered.

Identity and Authentication Platforms

The second major target category is identity infrastructure: SSO providers, Active Directory, LDAP directories, and cloud identity platforms. An identity platform compromise does not provide access to one system. It provides access to every system connected to that identity fabric. CVE-2026-21509, targeting an identity platform component, was weaponized by North Korea-linked TA422 within 24 hours of disclosure; consistent with the pattern of sophisticated actors specifically prioritizing identity infrastructure for rapid exploitation.

AI Developer Tooling: The New Attack Surface

H1 2026 marked the first time AI developer tooling appeared on the CISA KEV catalog as an actively exploited category. CVE-2026-39987 (remote code execution in the Marimo Python notebook platform) and CVE-2026-42208 (SQL injection in BerriAI’s LiteLLM AI proxy, which routes queries to multiple LLM providers) both reached KEV status. Proofpoint specifically flags these as a newly emerging class of targets: AI infrastructure platforms often hold broad network access, sensitive API credentials for cloud services and LLM providers, and large volumes of processed enterprise data. The security scrutiny applied to traditional web applications has not been consistently applied to AI infrastructure deployed in the same environments.

⚠️ 53% of Organizations Have at Least One Open Internet-Facing Vulnerability
The Cyber Strategy Institute’s 2026 vulnerability report finds that 53 percent of organizations have at least one open internet-facing vulnerability, 22 percent have more than 1,000, and the median time to close half of all internet-facing vulnerabilities is 361 days. Against a sub-7-day exploitation window for high-priority vulnerabilities, 361 days means that most organizations are carrying an internet-facing exposure for the duration of the entire H1 2026 window analyzed in this blog.

Six CVEs That Defined H1 2026 Exploitation

The following entries represent the most operationally significant CVEs of H1 2026 based on CISA KEV additions, confirmed exploitation breadth, and threat actor profile. Each reflects a different dimension of the exploitation landscape described above.

CVE-2026-40982   |   PAN-OS (Palo Alto Networks)
CVSS: 9.8 (Critical)
Exploitation Type: Zero-day: exploited before disclosure
Exploited By: State-sponsored actors (confirmed active exploitation)
Impact: Buffer overflow enabling unauthenticated RCE on PAN-OS management interfaces. Added to CISA KEV March 2026. Represents the zero-day category: exploited against government and critical infrastructure targets before any patch existed.

CVE-2026-21509   |   Identity Platform Component
CVSS: 9.1 (Critical)
Exploitation Type: N-day: weaponized within 24 hours
Exploited By: TA422 (North Korea-linked, rapid n-day operator)
Impact: Identity access platform RCE. TA422 deployed an exploit within 24 hours of public disclosure. Illustrates the sub-24-hour n-day window: a patch existed but was not yet deployed by most organizations when exploitation began.

CVE-2025-53770   |   Microsoft SharePoint (ToolShell chain)
CVSS: 9.8 (Critical)
Exploitation Type: Zero-day: pre-disclosure exploitation
Exploited By: Multiple APT groups and ransomware operators
Impact: Unauthenticated RCE on SharePoint Server; the ToolShell attack chain enables full domain compromise from SharePoint. Confirmed victims include government agencies. Demonstrates zero-day exploitation by both state and criminal actors simultaneously.

CVE-2026-42208   |   BerriAI LiteLLM (AI Infrastructure)
CVSS: 8.8 (High)
Exploitation Type: N-day
Exploited By: Attackers targeting AI infrastructure for credential extraction
Impact: SQL injection enabling extraction of API keys and credentials from connected LLM providers and cloud services. First major AI infrastructure KEV of 2026. Signals the emergence of AI platforms as a distinct and undermonitored attack surface.

CVE-2025-64446   |   Fortinet FortiWeb WAF
CVSS: 9.8 (Critical)
Exploitation Type: N-day
Exploited By: Ransomware operators and initial access brokers
Impact: Authentication bypass in FortiWeb affecting multiple versions. 87,000+ exposed instances at disclosure. Classic mass-exploitation pattern: automated scanning of every reachable instance within hours of public PoC availability. Actively sold as IAB access on the dark web.

CVE-2025-54313   |   eslint-config-prettier (npm)
CVSS: Critical
Exploitation Type: N-day: supply chain
Exploited By: Unknown threat actor; software supply chain campaign
Impact: Malicious code embedded in a widely deployed npm package; executes on install and creates a CI/CD attack vector. Added to CISA KEV January 2026. Part of the broader software supply chain exploitation pattern that also produced the Shai-Hulud worm campaign.

Source: CISA KEV Catalog; Proofpoint Threat Research May 2026; HivePro KEV Digest March 2026; CybersecurityNews January 2026

Which Sectors Are Being Hit Hardest in H1 2026?

Vulnerability exploitation is not uniformly distributed. The sectors facing the highest exploitation volume are not always those with the lowest defenses: some high-value targets attract sophisticated actors regardless of security investment. But the sectors with the longest remediation timelines face compounding risk: not just from the current period’s disclosures, but from accumulated unpatched exposure from prior years.

Sector                  | Attack Volume | Median Days to Patch | Primary Exploit Type            | Primary Threat Actor
Government              | Very High     | 30-60 days           | Zero-day + rapid n-day          | State-sponsored APT (China, Russia, NK)
Telecom                 | Very High     | 60-90 days           | Network edge device             | Salt Typhoon, Volt Typhoon
Financial Services      | High          | 45-75 days           | Authentication bypass, identity | Ransomware, FIN groups
Healthcare              | High          | 519 days             | Legacy n-day, unpatched infra   | Ransomware (24 KEV-linked groups)
Manufacturing           | High          | 180-270 days         | OT/IT boundary, VPN, MFT        | Ransomware, Clop
Technology              | Very High     | 30-45 days           | AI tooling, CI/CD, SaaS         | State APT, supply chain actors
Education               | Medium-High   | 577 days             | CMS, remote access, VPN         | Ransomware, opportunistic
Critical Infrastructure | High          | 270+ days            | Network edge, OT protocols      | Volt Typhoon, Sandworm

Source: Cyber Strategy Institute 2026; Forescout Sectoral Analysis; Dragos OT Threat Review; VulnCheck 2026

The 519-day median patching time in healthcare and 577-day median in education deserve special attention. Against an exploitation window that has compressed to under 7 days for high-priority vulnerabilities, these sectors are structurally incapable of outpacing attacker exploitation through patching alone. The 24 ransomware-linked KEV entries documented in 2025 targeted these sectors disproportionately. The implication is not that healthcare and education organizations should simply patch faster; operational constraints make that impossible for much of their infrastructure. The implication is that compensating controls (network segmentation, behavioral detection, access restriction) must carry the defensive burden that patching alone cannot.

Who Is Behind H1 2026’s Exploitation Campaigns?

The exploitation landscape in H1 2026 is driven by three structurally distinct attacker populations. They do not share targets, timelines, or objectives, but they share the same vulnerability pipeline.

State-Sponsored APTs: Zero-Day Operators

More than half of the exploitation activity observed in H1 2025 was attributed to state-sponsored actors, a figure that has continued into H1 2026. Chinese APT groups (most notably Salt Typhoon targeting telecommunications backbone infrastructure and Volt Typhoon targeting critical infrastructure for persistent pre-positioning) represent the most active nation-state exploitation campaigns. Russian GRU-linked actors (Sandworm, APT28) continue targeting critical infrastructure and government networks. North Korean actors, particularly TA422, demonstrate sub-24-hour n-day weaponization as a documented capability.

These actors have the resources to discover and weaponize undisclosed vulnerabilities. They also benefit from a defensive asymmetry: their zero-day exploitation generates no CVE, no vendor advisory, and no patch to detect via gap analysis. Detection requires behavioral telemetry and threat intelligence that identifies attack patterns independent of CVE status.

Ransomware Groups and Initial Access Brokers: The N-Day Economy

Ransomware operators and the IABs who supply them operate primarily in the n-day space: exploiting vulnerabilities days to weeks after public disclosure against organizations that have not yet patched. This is an economic decision: n-day exploitation scales across thousands of unpatched organizations at once, generating far higher returns per exploit development investment than targeted zero-day campaigns.

73 of the 884 KEV vulnerabilities first exploited in 2025 were used to launch ransomware attacks. Clop continued its MFT exploitation playbook. Mandiant M-Trends 2026 documents the average IAB-to-ransomware handoff time at 22 seconds, meaning that once an IAB sells access to a ransomware affiliate, the time from purchase to active ransomware deployment in the victim environment has collapsed to under a minute. This makes initial access detection, not lateral movement detection, the operationally critical control layer.

Opportunistic Actors: Mass Exploitation at Scale

The third category consists of automated campaigns that scan the entire public internet for any reachable instance of a newly disclosed vulnerable product. The 87,000 FortiWeb instances exposed at the time CVE-2025-64446 was disclosed represent exactly this target pool. Opportunistic exploitation is not targeted: it hits every unpatched internet-facing instance regardless of the organization’s sector, size, or perceived value. It is the automation of the n-day economy at mass scale.

What H1 2026 Means for Your Vulnerability Program

Six operational conclusions emerge directly from the H1 2026 data. Each addresses a specific assumption in traditional vulnerability management that the data no longer supports.

What the H1 2026 Data Says | What Your Program Needs to Do
Mean time to exploit = -7 days (Mandiant) | Sequential patch workflows cannot close the zero-day window. Compensating controls (segmentation, behavioral detection) must be ready to activate before patches exist for high-risk technology categories.
32% of exploited CVEs hit on or before CVE publication date (VulnCheck) | CVSS-only prioritization leaves you working from incomplete risk signals. Augment with EPSS scores and real-time exploitation telemetry from multiple KEV-tracking sources.
12 actively exploited 2026 CVEs vs. 8 in CISA KEV (Proofpoint, May 2026) | CISA KEV is a reliable but incomplete signal. Supplement with commercial threat intelligence and multiple KEV-tracking feeds to close the 50% visibility gap.
Healthcare: 519-day median patch time; exploitation window: sub-7 days | Sectors with structural patching constraints need compensating controls as primary defense, not patching velocity. Network segmentation, default-deny policies, and behavioral analytics carry the load that patching cannot.
AI tooling reaching KEV for the first time (CVE-2026-39987, CVE-2026-42208) | AI infrastructure platforms require the same external attack surface scanning and vulnerability monitoring applied to traditional web applications. This surface is new but already actively exploited.
22-second IAB-to-ransomware handoff (Mandiant M-Trends 2026) | Detection at the lateral movement stage is too late. Dark web IAB monitoring for your organization’s credentials and infrastructure is the only layer that provides actionable response time before deployment.

How Brandefense Supports Vulnerability Intelligence

The H1 2026 data picture requires intelligence that operates at the speed of actual exploitation. Brandefense’s EASM and CTI platform provides three layers that address the specific gaps documented above.

Brandefense Capability | H1 2026 Vulnerability Landscape Application
Continuous External Attack Surface Monitoring | Discovers and assesses all externally exposed assets including network edge devices, identity platforms, and AI tooling; cross-references discovered assets against active CISA KEV entries and exploitation telemetry in real time
Vulnerability Exploitation Intelligence | Dark web monitoring for exploit code, PoC releases, and threat actor discussions; provides early warning when vulnerabilities in your technology stack enter active exploitation cycles before KEV catalog addition
Threat Actor TTP Intelligence | Tracks which threat actor groups are actively exploiting which CVE families; enables prioritization based on the actual actors targeting your sector, not just generic CVSS severity rankings
Initial Access Broker Monitoring | Dark web surveillance for IAB listings targeting your organization; with a 22-second IAB-to-ransomware handoff, detection at the IAB preparation stage is the only layer that provides real response time
Ransomware Group Exploitation Tracking | Real-time monitoring of ransomware KEV exploitation campaigns; cross-references your technology stack against active ransomware exploitation portfolios
24/7 Analyst-Supported Escalation | High-severity findings involving active KEV exploitation against your specific technology stack receive immediate analyst escalation with remediation guidance

This is the H1 2026 edition of Brandefense’s half-year vulnerability exploitation trend series. The H2 2026 edition will be published in December 2026 covering the July-December exploitation period; trend comparisons to H1 will show whether the patterns documented here accelerated, stabilized, or shifted across the second half of the year.
Figure: Cybersecurity dashboard showing vulnerability data and threat analysis. Brandefense provides real-time alerts on active KEV exploitation campaigns and dark web threats.
