When Progress Software disclosed a critical flaw in its MOVEit file-transfer tool in May 2023, the Cl0p ransomware gang had already been exploiting it for weeks. When Citrix warned of a session-hijacking bug in NetScaler later that year, proof-of-concept code hit GitHub within hours. These were not outliers. According to Mandiant’s M-Trends 2024 report, which analyzed intrusions investigated throughout 2023, 28% of the vulnerabilities the firm tracked were turned into working exploits within 24 hours of public disclosure.
That figure lands at a moment when the gap between disclosure and exploitation has been compressing for years, and it carries a blunt implication: for roughly one in four newly published flaws, attackers are already inside the window before most security teams have finished reading the advisory.
The federal government saw this coming
The clearest institutional acknowledgment that traditional patch cycles have fallen behind arrived in November 2021, when the U.S. Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 22-01. The mandate compels federal civilian agencies to remediate vulnerabilities that are confirmed to be exploited in the wild, with deadlines as tight as two weeks for the most severe flaws. It was not a suggestion. It carried the force of law, and its existence reflected an internal consensus across U.S. intelligence and cybersecurity agencies: monthly Patch Tuesday schedules no longer match the tempo of real-world attacks.
To support the directive, CISA built and maintains the Known Exploited Vulnerabilities (KEV) Catalog, a running list of CVEs the agency has confirmed are being used against real targets. Each entry is backed by observed exploitation evidence, not predictive risk scoring. The catalog passed 1,000 entries in 2024, and as of early 2026 it continues to grow. In CISA’s own analysis of the 1,000-entry milestone, the agency concluded that vulnerabilities are being exploited faster than ever and that defenders need to fundamentally rethink how they allocate limited remediation resources.
The pattern the catalog reveals is consistent with Mandiant’s 28% finding. Edge-facing devices, file-transfer platforms, VPN appliances, and browser engines appear disproportionately among the fastest-exploited entries. These are the attack surfaces that sit directly on the internet, where scanning is cheap and payoff is immediate.
Who is moving this fast, and why
The speed is not coming from a single threat actor or motivation. Mandiant’s incident-response caseload spans financially motivated ransomware crews, state-sponsored espionage groups, and opportunistic criminals who buy or build exploits for freshly disclosed bugs. Several dynamics are compressing the timeline simultaneously:
- Automated scanning at scale. Groups like Cl0p and LockBit affiliates use mass-scanning infrastructure that can sweep the internet for a newly disclosed vulnerability within hours of a CVE publication or vendor advisory.
- Rapid exploit development ecosystems. Proof-of-concept code frequently appears on GitHub or exploit-sharing forums within a day of disclosure. Even when the initial PoC is unreliable, it gives skilled attackers a head start on building something operational.
- Zero-day brokers and pre-disclosure exploitation. Mandiant’s M-Trends data also tracks zero-day exploitation, where attackers use a flaw before any public disclosure occurs at all. In those cases, the 24-hour clock is irrelevant because the attacker had a running start.
- Patch-diffing. When a vendor ships a fix, reverse engineers can compare the patched code to the unpatched version and identify the exact flaw within hours, then build an exploit targeting organizations that have not yet updated.
The net effect is an environment where disclosure itself can function as a starting gun for attackers, not just defenders.
What the data does and does not tell us
Mandiant’s 28% figure is drawn from the firm’s own incident-response and threat-intelligence work during 2023, as published in M-Trends 2024. The report does not make its full vulnerability dataset or precise definition of “weaponized” publicly available in granular detail, which means the number should be understood as directional rather than a universally replicable measurement. A proof-of-concept posted to a research blog and a reliable exploit embedded in a ransomware payload represent different levels of operational risk, and the boundary between them matters.
That said, the figure aligns with what CISA’s catalog data independently shows: a meaningful and growing share of disclosed vulnerabilities face real-world exploitation attempts within days, not weeks. Microsoft’s Digital Defense Report 2024 similarly noted that the time between vulnerability disclosure and widespread exploitation has shortened, with some flaws seeing exploitation attempts within hours of patch release.
Where the evidence thins out is on the defender side. No published dataset quantifies how quickly private-sector organizations actually apply patches once exploitation is confirmed. CISA’s directive sets remediation windows for federal agencies, but voluntary adoption of those timelines outside government remains anecdotal. The gap between “exploit available in 24 hours” and “patch applied in 24 hours” is almost certainly large for most organizations, but precisely how large is an open question.
What security teams should do now
The practical response does not depend on whether the exact figure is 28% or some nearby number. The convergence of federal policy, CISA catalog data, and private-sector research all points the same direction: calendar-driven patching, where updates roll out on a fixed monthly schedule, is no longer a defensible default.
Security teams that have not yet built their triage workflows around the KEV Catalog should start there. Mapping internal asset inventories against catalog entries and setting remediation timelines that mirror BOD 22-01’s windows, even without a federal compliance obligation, is the most concrete first step available. Supplementing the catalog with CISA’s Vulnrichment enrichment data and the Exploit Prediction Scoring System (EPSS), which estimates the probability that a CVE will be exploited in the next 30 days, can help teams prioritize the flaws that have not yet appeared in the catalog but are statistically likely to be targeted soon.
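As an added example that is not the article's or CISA's code, the triage step described above in Python: an internal inventory is matched against a KEV extract, anything in the catalog inherits the catalog's own due date (mirroring BOD 22-01), and CVEs not yet in the catalog are escalated when their EPSS score crosses a threshold. The KEV and EPSS records, the CVE IDs, the inventory, the 0.5 threshold and the 14/30-day windows are all constructed assumptions; in practice the records would come from CISA's KEV JSON feed and the FIRST EPSS API.

```python
"""KEV + EPSS triage over an asset inventory (added example, not CISA's or the article's code)."""
import json
from datetime import date, timedelta

# Constructed extract in the shape of CISA's KEV JSON feed; the CVE IDs are placeholders.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-9999-0001", "product": "FileMover", "dateAdded": "2026-01-05",
  "dueDate": "2026-01-19", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-9999-0002", "product": "EdgeGateway", "dateAdded": "2026-01-10",
  "dueDate": "2026-01-24", "knownRansomwareCampaignUse": "Unknown"}]}""")

# Constructed EPSS scores (probability of exploitation within 30 days), keyed by CVE.
EPSS = {"CVE-9999-0001": 0.94, "CVE-9999-0003": 0.61, "CVE-9999-0004": 0.02}

# Constructed inventory: CVEs a scanner reported per asset, plus internet exposure.
INVENTORY = [
    {"asset": "ftp-edge-01", "internet_facing": True, "cves": ["CVE-9999-0001", "CVE-9999-0004"]},
    {"asset": "build-srv-07", "internet_facing": False, "cves": ["CVE-9999-0003"]},
    {"asset": "vpn-gw-02", "internet_facing": True, "cves": ["CVE-9999-0002", "CVE-9999-0004"]},
]

EPSS_THRESHOLD = 0.5                  # assumed cut-off for "likely to be exploited soon"
LIKELY_WINDOW = timedelta(days=14)    # assumed: high-EPSS flaws get a KEV-like two-week window
ROUTINE_WINDOW = timedelta(days=30)   # assumed: everything else rides the monthly cycle


def triage(inventory, kev_feed, epss, today):
    """Return (tier, asset, cve, due_date, reason) tuples, most urgent first.
    tier 0: in KEV (confirmed exploitation), due date taken from the catalog entry;
    tier 1: not in KEV but EPSS >= threshold; tier 2: routine."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    exposed = {h["asset"]: h["internet_facing"] for h in inventory}
    items = []
    for host in inventory:
        for cve in host["cves"]:
            score = epss.get(cve, 0.0)
            if cve in kev:
                e = kev[cve]
                tier, due = 0, date.fromisoformat(e["dueDate"])
                reason = f"KEV (ransomware use: {e['knownRansomwareCampaignUse']})"
            elif score >= EPSS_THRESHOLD:
                tier, due, reason = 1, today + LIKELY_WINDOW, f"EPSS {score:.2f}"
            else:
                tier, due, reason = 2, today + ROUTINE_WINDOW, f"EPSS {score:.2f}"
            items.append((tier, host["asset"], cve, due, reason))
    # Within a tier: internet-facing assets first, then the earliest due date.
    items.sort(key=lambda i: (i[0], not exposed[i[1]], i[3]))
    return items


if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_FEED, EPSS, date(2026, 1, 12)):
        print(*row)
```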
Beyond patching, organizations should assume that for internet-facing systems, exploitation may arrive before any fix is available. Network segmentation, application-layer monitoring, and rapid containment playbooks are not substitutes for patching, but they buy time when the patch has not shipped yet or cannot be applied immediately. The organizations that weathered MOVEit and Citrix Bleed with the least damage were not necessarily the fastest patchers. They were the ones that detected lateral movement early and contained it before data left the network.
Attackers have made their timeline clear. The question for defenders is whether their own response clock can keep up.
This article was researched with the help of AI, with human editors creating the final content.