When Ivanti disclosed a critical flaw in its Connect Secure VPN gateway in January 2024, attackers did not wait for organizations to patch. Exploitation began within hours, and by the time most IT teams had even read the advisory, threat actors were already tunneling into corporate networks. That episode was not an outlier. According to Mandiant, the Google-owned threat intelligence firm, roughly 28 percent of newly disclosed vulnerabilities are now weaponized within 24 hours of becoming public, a finding detailed in the company’s annual M-Trends reporting.
The statistic captures a shift that security teams have felt for years but can now quantify: the traditional window between a vendor releasing a patch and a defender applying it has, for a significant share of flaws, collapsed to nearly nothing. And the consequences are playing out across industries, from healthcare systems locked by ransomware to government agencies scrambling to contain breaches that started with a vulnerability disclosed just days earlier.
The federal government already treats this as an emergency
Washington’s response to accelerating exploitation is already codified in policy. In November 2021, the U.S. Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 22-01, titled “Reducing the Significant Risk of Known Exploited Vulnerabilities.” The directive requires every federal civilian agency to remediate vulnerabilities confirmed as actively exploited within strict, mandated timelines. It was a deliberate departure from the old model, where agencies prioritized patches based on vendor severity scores and their own internal schedules.
The enforcement mechanism behind the directive is CISA’s Known Exploited Vulnerabilities (KEV) catalog, a continuously updated list of CVEs with confirmed real-world exploitation. Each entry represents a vulnerability that CISA has verified is being used in actual intrusions, not just theoretically exploitable. When a new CVE lands in the catalog, federal agencies are on the clock to patch.
As CISA states in the directive itself, “the directive establishes requirements for federal civilian agencies to remediate known exploited vulnerabilities, thereby reducing the attack surface of the federal enterprise.” The system creates a feedback loop: confirmed exploitation triggers a catalog addition, which triggers a remediation deadline. For organizations outside the federal government, the catalog functions as a free, authoritative signal of which flaws attackers are actually targeting right now. No subscription required, no vendor sales pitch attached.
Why the 24-hour window matters more than the exact percentage
Mandiant’s 28 percent figure comes from the firm’s incident-response engagements and threat telemetry across a broad client base. In its M-Trends reporting, Mandiant noted that “attackers are exploiting new vulnerabilities faster than ever,” with a significant share reaching weaponization within the first day of disclosure. The company has not published a granular, peer-reviewable dataset behind the number, and the precise percentage will vary depending on how “weaponization” is defined. Does it mean a working proof-of-concept exploit posted to GitHub? Active scanning by botnets? A confirmed intrusion at a specific organization? Each definition produces a different count.
But the directional finding is corroborated by other major threat intelligence firms. Rapid7’s annual attack intelligence reports have documented a consistent trend of shrinking time-to-exploitation over the past several years. Palo Alto Networks’ Unit 42 has similarly reported that attackers begin scanning for newly disclosed flaws within hours, not days. The consensus across the industry is clear even if the exact figures differ by methodology: a meaningful share of new vulnerabilities are exploited before most organizations can respond.
Recent incidents reinforce the pattern. The MOVEit Transfer vulnerability (CVE-2023-34362) was exploited by the Cl0p ransomware group on a timeline so compressed that hundreds of organizations were compromised before the flaw was widely understood. Citrix Bleed (CVE-2023-4966) followed a similar arc, with mass exploitation beginning shortly after disclosure and affecting targets ranging from Boeing to major law firms. In each case, the attackers moved faster than the patch cycle.
What defenders can actually do about it
If exploitation can begin within hours, monthly or even weekly patch cycles leave a gap that policy alone cannot close. Security teams that want to keep pace need to change how they prioritize and how fast they act.
The most immediate step is automating the ingestion of CISA’s KEV catalog into existing vulnerability management tools. The catalog is available as structured data (JSON and CSV), which means it can feed directly into scanning platforms, ticketing systems, and alerting workflows. When a new entry appears, the system flags it as a same-day priority rather than waiting for a human to notice during a routine review.
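The ingestion step described above, as an added example that is not part of the original article: it reads a KEV feed in the catalog's JSON layout, keeps entries not seen on earlier runs, and opens same-day tickets only for CVEs a scanner actually found. The sample feed is constructed (its dates and ransomware flags are illustrative, not catalog values), and `SCAN_FINDINGS`, the host names and the ticket fields are assumptions.

```python
import json
from datetime import date

# Constructed sample in the KEV JSON feed layout. CVE IDs are the two named in the
# article plus a placeholder; dates and ransomware flags are illustrative only.
SAMPLE_FEED = json.dumps({"catalogVersion": "constructed", "vulnerabilities": [
    {"cveID": "CVE-2023-4966", "dateAdded": "2026-01-12", "dueDate": "2026-02-02",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-34362", "dateAdded": "2026-01-12", "dueDate": "2026-02-02",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00000", "dateAdded": "2026-01-12", "dueDate": "2026-02-02",
     "knownRansomwareCampaignUse": "Unknown"},
    {"vendorProject": "entry with no cveID, must be skipped"},
]})

# Hypothetical scanner export: CVE ID -> hosts where the scanner found it.
SCAN_FINDINGS = {"CVE-2023-34362": ["xfer01"], "CVE-2023-4966": ["gw02", "gw01"]}

def new_kev_entries(feed_text, seen_ids):
    """Catalog entries with a CVE ID that earlier runs have not processed."""
    entries = json.loads(feed_text).get("vulnerabilities", [])
    return [e for e in entries if e.get("cveID") and e["cveID"] not in seen_ids]

def same_day_tickets(feed_text, seen_ids, findings, today):
    """Build one ticket per new KEV entry that is actually present in the estate."""
    tickets = []
    for entry in new_kev_entries(feed_text, seen_ids):
        hosts = findings.get(entry["cveID"])
        if not hosts:
            continue  # in the catalog but not found on any scanned host
        due = entry.get("dueDate", "")
        tickets.append({
            "cve": entry["cveID"],
            "hosts": sorted(hosts),
            "priority": "same-day",
            "kev_due": due,
            "overdue": bool(due) and date.fromisoformat(due) < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Ransomware-linked entries first, then the earliest remediation deadline.
    tickets.sort(key=lambda t: (not t["ransomware"], t["kev_due"]))
    return tickets

if __name__ == "__main__":
    for t in same_day_tickets(SAMPLE_FEED, set(), SCAN_FINDINGS, date(2026, 2, 3)):
        print(t)
```

In a scheduled job, the set of already-processed CVE IDs would be persisted between runs so that only genuinely new catalog additions raise tickets.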
Beyond automation, organizations should treat KEV additions as justification for emergency maintenance windows. One of the persistent obstacles to rapid patching is organizational resistance: business units push back on unscheduled downtime, and change-advisory boards want days of lead time. A vulnerability’s presence in the KEV catalog provides external, government-backed validation that attackers are actively exploiting it. That makes the case for immediate action far easier to win internally.
For vulnerabilities not yet in the catalog but carrying high severity scores, teams can layer temporary mitigations, such as network segmentation, disabling vulnerable features, or tightening access controls, while waiting for a full patch deployment. The goal is to shrink the exposure window even when a same-day patch is not operationally feasible.
The race is structural, not temporary
Nothing in the available data suggests that exploitation timelines will slow down. Attackers have industrialized the process of scanning for and exploiting new flaws, using automation, shared toolkits, and underground markets for fresh exploits. Defenders, meanwhile, still operate within change-management frameworks designed for a slower threat environment.
The federal government has acknowledged this mismatch by building a system, the directive plus the KEV catalog, that any organization can adopt. The tools are public. The data is free. The question for private-sector security leaders in mid-2026 is whether they will treat that system as a model or continue relying on patch cycles that the threat landscape has already outgrown.
Mandiant’s 28 percent figure may sharpen or shift as more researchers publish their own exploitation-speed data. But the underlying reality it points to is already visible in breach after breach: when hours matter, organizations that still think in weeks are the ones that get hit.
*This article was researched with the help of AI, with human editors creating the final content.