When Progress Software disclosed a critical flaw in its MOVEit file-transfer tool in May 2023, the Cl0p ransomware group had already been exploiting it. Within days, thousands of organizations across government, healthcare, and finance were compromised. That timeline was not unusual. According to Rapid7’s 2024 Attack Intelligence Report, which analyzed major vulnerability events across the prior year, more than a third of widely exploited vulnerabilities were weaponized within the first day of public disclosure. Separate U.S. government advisory data from CISA, the FBI, the NSA, and allied intelligence agencies confirms the same pattern: attackers routinely hit newly disclosed flaws before most organizations have finished reading the advisory, let alone deploying a patch.
The gap between how fast attackers move and how fast defenders respond is not new, but it is getting worse. And it affects everyone from Fortune 500 companies to hospitals, school districts, and the small businesses that run on software they never think about until something breaks.
How fast attackers actually move
The clearest public evidence comes from two places. First, the joint advisory published in November 2024 by CISA and its partners catalogs the most routinely exploited vulnerabilities of 2023. The list reads like a roster of enterprise infrastructure: Citrix NetScaler (CVE-2023-4966, known as “Citrix Bleed”), Fortinet FortiOS (CVE-2023-27997), and Cisco IOS XE (CVE-2023-20198), among others. In each case, exploitation began rapidly after disclosure and recurred across sectors for months.
Second, Rapid7’s annual research, which draws on the company’s managed detection telemetry and public incident data, found that the share of vulnerabilities exploited as zero-days (before any patch exists) or within the first day of disclosure has climbed steadily. Its 2024 report noted that 36% of the widely exploited vulnerabilities it tracked were hit on day one. That figure is consistent with the roughly 28% cited across multiple industry analyses, where the denominator includes all disclosed flaws rather than only the most prominent ones.
CISA’s Binding Operational Directive 22-01, issued in November 2021 and still in force as of June 2026, compels all federal civilian agencies to remediate known exploited vulnerabilities within strict deadlines. The directive exists precisely because the old model of quarterly patching cycles could not keep pace with attackers who treat every new disclosure as a starting gun. The accompanying Known Exploited Vulnerabilities (KEV) catalog now lists more than 1,100 entries, each representing a flaw confirmed to have been used against real targets in the wild.
Why most defenders still cannot keep up
The federal mandate applies to government agencies. Most private-sector organizations operate without equivalent requirements, and their patch timelines reflect that. According to the Ponemon Institute’s research on vulnerability response, the average enterprise takes 60 to 150 days to remediate a critical vulnerability. Even organizations with mature security programs often need a week or more to move from advisory to deployment, factoring in change-control boards, testing windows, and the sheer complexity of knowing which systems are affected.
That lag creates a window measured in days or weeks where attackers have a working exploit and defenders have not yet acted. For the 28% of flaws exploited within the first 24 hours, the math is stark: by the time a typical security team convenes its first triage meeting, the vulnerability may already be under active attack.
Smaller organizations face an even steeper challenge. A 50-person company without a dedicated security team may not monitor CISA advisories at all. A rural hospital running legacy systems may lack the staff to test and deploy a patch within any reasonable window. The speed-of-exploitation problem is not just a Fortune 500 concern; it scales down to every organization that depends on networked software.
What the MOVEit and Citrix Bleed incidents revealed
Two incidents from 2023 illustrate the real-world cost of the speed gap.
The MOVEit breach, disclosed in late May 2023, ultimately affected more than 2,700 organizations and exposed the personal data of over 90 million individuals, according to tallies maintained by security researchers at Emsisoft. The Cl0p group had begun exploiting the flaw before Progress Software issued its advisory. Organizations that depended on MOVEit for sensitive file transfers, including payroll processors, state agencies, and healthcare providers, had no patch to apply when the attacks started.
Citrix Bleed (CVE-2023-4966) followed a different but equally damaging pattern. Citrix released a patch in October 2023, but exploitation was already underway. Mandiant confirmed that session tokens stolen through the vulnerability allowed attackers to bypass multifactor authentication entirely. Weeks after the patch was available, thousands of exposed NetScaler instances remained unpatched, and ransomware groups including LockBit used the flaw to breach targets in logistics, legal services, and aerospace.
In both cases, the organizations hit hardest were not those with the weakest security budgets. They were the ones whose response processes assumed they had days or weeks of breathing room after a disclosure. They did not.
What defenders should do now
For organizations that have not yet aligned their vulnerability management with the federal approach, the most immediate step is to subscribe to CISA’s KEV catalog and treat every new addition as a high-priority remediation event. The catalog is updated on a rolling basis, and each entry reflects confirmed exploitation, not theoretical risk. Prioritizing KEV entries over generic severity scores compresses the window attackers rely on.
Beyond triage, the data makes a strong case for automating patch deployment wherever possible. If a quarter or more of vulnerabilities face exploitation within 24 hours, manual change-control processes that require weekly meetings and multi-step approvals will inevitably leave systems exposed. Organizations should identify classes of lower-risk changes, such as browser updates, endpoint agent patches, or non-critical service fixes, that can be rolled out automatically after limited testing. For higher-risk changes, pre-approved playbooks and emergency patching windows can shorten decision times without sacrificing governance.
Asset visibility is equally critical. A team cannot patch what it does not know it owns. Maintaining an accurate inventory of internet-facing services, third-party software, and shadow IT allows security staff to map a new vulnerability to specific assets within hours. When a critical flaw drops, responders need to answer three questions fast: where the affected software runs, whether it is exposed to untrusted networks, and what compensating controls exist if an immediate patch is not available.
Compensating controls matter because patches are not always ready on day one. When they are not, organizations should lean on network segmentation, virtual patching through web application firewalls or intrusion prevention systems, and rapid configuration changes such as disabling vulnerable features. These measures do not eliminate risk, but they narrow the attack surface during the most dangerous hours between disclosure and remediation.
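The three steps above (watch the KEV catalog, map each new entry to the assets you actually own, and decide between a patch and a compensating control) can be wired together in a few dozen lines. The script below is an added example, not code from the article or from CISA: the field names follow the shape of CISA's published KEV JSON feed, but every catalog entry, date and inventory record is constructed for illustration, and the `patch_available` flag is the team's own tracking field, not part of the feed.

```python
"""Match KEV catalog entries to an asset inventory and build a remediation queue.

Added example, not code from the article.  Field names follow the shape of
CISA's KEV JSON feed; the entries, dates and inventory below are constructed.
"""
import json
import re
from datetime import date

# Constructed excerpt in the KEV feed's shape.  The CVE ids are the ones the
# article discusses; the dates are placeholders, not the catalog's real values.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2025-06-01", "dueDate": "2025-06-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet",
     "product": "FortiOS",
     "dateAdded": "2025-06-03", "dueDate": "2025-06-24",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-20198", "vendorProject": "Cisco",
     "product": "IOS XE",
     "dateAdded": "2025-06-03", "dueDate": "2025-06-10",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: what the team knows it owns.  `patch_available` is the
# team's own tracking flag (has the vendor shipped a fix we can deploy?).
INVENTORY = [
    {"host": "vpn-edge-1", "vendor": "Citrix", "product": "NetScaler Gateway 13.1",
     "internet_exposed": True, "patch_available": True},
    {"host": "fw-branch-7", "vendor": "Fortinet", "product": "FortiGate FortiOS 7.0",
     "internet_exposed": True, "patch_available": False},
    {"host": "core-sw-2", "vendor": "Cisco", "product": "Catalyst 9300 IOS XE 17.6",
     "internet_exposed": False, "patch_available": True},
    {"host": "fw-dc-1", "vendor": "Cisco", "product": "ASA 5516-X",
     "internet_exposed": True, "patch_available": True},
]


def _tokens(text):
    """Alphabetic words of a product string, lower-cased, joiner words dropped."""
    return {w.lower() for w in re.findall(r"[A-Za-z]{2,}", text)} - {"and"}


def match_assets(kev_feed_json, inventory):
    """Yield (entry, asset) pairs: vendor must match exactly and the product
    names must share a word, so a Cisco ASA is not confused with Cisco IOS XE."""
    for entry in json.loads(kev_feed_json)["vulnerabilities"]:
        kev_words = _tokens(entry["product"])
        for asset in inventory:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if kev_words & _tokens(asset["product"]):
                yield entry, asset


def build_queue(kev_feed_json, inventory):
    """Remediation queue ordered by urgency: internet-exposed assets first,
    then entries with known ransomware use, then the earliest KEV due date."""
    queue = []
    for entry, asset in match_assets(kev_feed_json, inventory):
        queue.append({
            "cve": entry["cveID"],
            "host": asset["host"],
            "exposed": asset["internet_exposed"],
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "due": date.fromisoformat(entry["dueDate"]),
            # No patch yet means the action is a compensating control, not waiting.
            "action": "patch" if asset["patch_available"] else "compensating control",
        })
    queue.sort(key=lambda q: (not q["exposed"], not q["ransomware"], q["due"]))
    return queue


def overdue(queue, today_iso):
    """Queue entries whose KEV due date has already passed on `today_iso`."""
    today = date.fromisoformat(today_iso)
    return [q for q in queue if q["due"] < today]


if __name__ == "__main__":
    for item in build_queue(KEV_FEED_JSON, INVENTORY):
        print(f'{item["cve"]} {item["host"]:12} exposed={item["exposed"]} '
              f'ransomware={item["ransomware"]} due={item["due"]} -> {item["action"]}')
```

In a real deployment the feed would be fetched from CISA on a schedule and the inventory would come from the CMDB or an external attack surface scan; the matching here is deliberately simple (vendor equality plus a shared product word) so that misses are visible and can be tuned, and the queue puts the exposed NetScaler ahead of the internal switch even though the switch has the nearer due date.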
The metric that matters most
Security maturity frameworks and compliance checklists have their place, but the speed-of-exploitation data points to a simpler measure of readiness: how many hours pass between a critical disclosure and the moment your organization has either patched or applied a compensating control to every affected system?
Tracking that number, sometimes called mean time to remediate for critical vulnerabilities, against the federally observed exploitation window gives security leaders a concrete view of whether they are closing the gap or falling behind. Organizations that can consistently respond within 24 to 72 hours for KEV-listed flaws are operating in the range the threat environment demands. Those that cannot are, statistically, leaving the door open during the period when attackers are most likely to walk through it.
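The metric described above is only useful if it is computed the way the paragraph defines it: per flaw, the clock stops when the slowest affected asset is patched or covered by a compensating control, and assets still open keep counting. The script below is an added example, not code from the article; the remediation log it reads is constructed, and the 24- and 72-hour bands are the ranges the article itself cites.

```python
"""Hours from disclosure to closure for KEV-listed flaws, graded against the
24- and 72-hour windows.  Added example, not code from the article; every
record below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

DAY_ONE_HOURS = 24   # window in which roughly a third of widely exploited flaws are hit
TARGET_HOURS = 72    # upper end of the response range the article describes

# Constructed remediation log, one row per affected asset.  `closed` is the
# earlier of "patched" and "compensating control applied"; None means still open.
EVENTS = [
    {"cve": "CVE-2023-4966", "host": "vpn-edge-1",
     "disclosed": "2025-06-01T09:00", "closed": "2025-06-01T21:30"},
    {"cve": "CVE-2023-4966", "host": "vpn-edge-2",
     "disclosed": "2025-06-01T09:00", "closed": "2025-06-04T15:00"},
    {"cve": "CVE-2023-27997", "host": "fw-branch-7",
     "disclosed": "2025-06-03T12:00", "closed": "2025-06-05T08:00"},
    {"cve": "CVE-2023-20198", "host": "core-sw-2",
     "disclosed": "2025-06-03T16:00", "closed": None},
]


def hours_open(event, now_iso):
    """Hours the asset was (or still is) exposed: disclosure to closure,
    or disclosure to `now_iso` if the asset is still open."""
    start = datetime.fromisoformat(event["disclosed"])
    end = datetime.fromisoformat(event["closed"] or now_iso)
    return (end - start).total_seconds() / 3600


def band(hours):
    """Grade a closure time against the exploitation window."""
    if hours <= DAY_ONE_HOURS:
        return "within day one"
    if hours <= TARGET_HOURS:
        return "within 72h"
    return "behind"


def report(events, now_iso):
    """Per-CVE view.  A flaw is only closed when its slowest asset is, so the
    worst asset sets the number; open assets are clocked at `now_iso`."""
    by_cve = defaultdict(list)
    for ev in events:
        by_cve[ev["cve"]].append(ev)
    out = {}
    for cve, rows in by_cve.items():
        worst = max(hours_open(r, now_iso) for r in rows)
        out[cve] = {
            "worst_hours": round(worst, 1),
            "band": band(worst),
            "open_assets": sum(1 for r in rows if r["closed"] is None),
        }
    return out


def summary(events, now_iso):
    """Fleet-wide mean and median over closed assets only.  Open assets are
    reported as a count so they cannot disappear inside an average."""
    closed = [hours_open(e, now_iso) for e in events if e["closed"]]
    return {
        "closed_assets": len(closed),
        "open_assets": len(events) - len(closed),
        "mean_hours": round(mean(closed), 1),
        "median_hours": median(closed),
    }


if __name__ == "__main__":
    NOW = "2025-06-07T10:00"
    for cve, row in report(EVENTS, NOW).items():
        print(cve, row)
    print(summary(EVENTS, NOW))
```

Two design choices matter here. Grading the worst asset rather than the average is what keeps a single forgotten NetScaler from being masked by ten fast ones, and counting open assets separately from the mean is what stops an unpatched core switch from quietly lowering the reported number because it has no closure time yet.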
The federal data does not guarantee that any particular organization will be targeted within a day of the next disclosure. But it establishes a clear lower bound on attacker speed. Planning for anything slower than that is planning to lose.
*This article was researched with the help of AI, with human editors creating the final content.