In late May 2023, a critical flaw in the MOVEit file-transfer platform was publicly disclosed. Within hours, the Cl0p ransomware group had a working exploit and was already stealing data from hundreds of organizations, including federal agencies, universities, and major corporations. That timeline was not an outlier. Across the cybersecurity industry, researchers tracking government-cataloged vulnerabilities say the window between a bug going public and attackers weaponizing it has collapsed to a matter of hours, with recent analyses pegging the average at roughly 10 hours.
For security teams still operating on weekly or monthly patch cycles, the math is brutal: by the time most organizations even review a new advisory, someone may already have built the tool to break in.
Where the 10-hour figure comes from
The statistic draws on cross-referenced analysis of the Known Exploited Vulnerabilities (KEV) catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency. Under Binding Operational Directive 22-01, every federal civilian agency must remediate vulnerabilities listed in the catalog within strict deadlines. Private-sector defenders increasingly treat it as their own priority queue.
CISA adds a vulnerability to the KEV list only after confirming it has been exploited in the wild. The agency also publishes a machine-readable JSON feed containing structured metadata for every entry. Researchers can cross-reference that feed with the National Vulnerability Database, vendor advisories, and public exploit repositories on GitHub to reconstruct how quickly proof-of-concept or weaponized code appeared after disclosure.
Multiple threat-intelligence teams have run this kind of analysis. Palo Alto Networks’ Unit 42, in its 2024 Incident Response Report, found that attackers exploited vulnerabilities within hours of disclosure in a growing share of cases. Fortinet’s 2024 Global Threat Landscape Report, covering the second half of 2023, reported that 43% of newly discovered exploits were used in attacks within the first week, with some high-profile flaws weaponized on the same day they were published. Google’s Mandiant division, in its M-Trends 2025 report, documented a continued acceleration in exploitation timelines across the incidents it investigated.
The 10-hour average circulating in industry discussions synthesizes this body of work rather than citing a single official CISA calculation. It is a useful shorthand for the current pace, but the precise number shifts depending on methodology, sample size, and how each researcher defines the starting clock.
Why the number is hard to pin down
The KEV catalog confirms that exploitation happened. It does not record the exact minute exploit code first appeared. Those timestamps come from secondary sources: security blogs, vendor advisories, or commits to public code repositories. Precision varies. Some analysts start the clock when a CVE identifier is assigned; others begin when a patch or advisory is published. Those two starting points can differ by days, which shifts any resulting average significantly.
Sample selection matters, too. A study examining 50 CVEs in a single product family will yield a different average than one spanning thousands of entries across all vendors. Neither necessarily reflects conditions inside a specific organization’s network.
International coverage is another gap. Equivalent catalogs from the European Union Agency for Cybersecurity (ENISA) and Japan’s JPCERT/CC are rarely integrated into public time-to-exploit studies. The 10-hour figure is largely a reflection of vulnerabilities tracked through U.S.-centric databases and English-language exploit repositories. Exploitation campaigns originating in or targeting other regions may follow different timelines that current research does not capture.
What is driving the acceleration
Several forces are compressing the disclosure-to-exploit window simultaneously, and separating their individual contributions is difficult.
The first is tooling. Open-source vulnerability scanners, automated fuzzing frameworks, and templated exploit kits have lowered the skill barrier for producing working attack code. A moderately skilled attacker with access to a detailed advisory and a fuzzing harness can often reproduce a crash and pivot to code execution faster than the affected vendor can push a patch through QA.
The second is the commercial exploit market. Brokers who purchase zero-day and n-day exploits pay premiums for rapid turnaround, creating financial incentives to move fast. That pressure ripples outward: once a broker’s client uses an exploit, defenders may detect it, and the vulnerability enters public awareness, but the damage is already underway.
The third, and increasingly discussed, factor is artificial intelligence. In 2025, both Google’s Threat Intelligence Group and Microsoft’s threat research teams flagged cases where large language models were used to accelerate vulnerability analysis and exploit prototyping. AI does not yet autonomously discover and weaponize complex bugs at scale, but it can shorten the research phase for a human attacker, trimming hours or days from the process. As these models improve, the 10-hour window could narrow further.
Real-world examples that illustrate the speed
The pattern is visible in several high-profile incidents from recent years:
- Log4Shell (CVE-2021-44228): Exploitation began within hours of the Apache Log4j flaw’s public disclosure in December 2021. Within 48 hours, scanning and attack traffic was global.
- MOVEit Transfer (CVE-2023-34362): The Cl0p group exploited the SQL injection flaw in Progress Software’s file-transfer tool almost immediately after details surfaced, ultimately compromising more than 2,500 organizations.
- Citrix Bleed (CVE-2023-4966): Proof-of-concept code appeared within days of Citrix’s October 2023 advisory. Ransomware groups, including LockBit affiliates, incorporated it into active campaigns shortly after.
- Ivanti Connect Secure (CVE-2024-21887): Mass exploitation followed rapidly after disclosure in January 2024, prompting CISA to issue an emergency directive ordering federal agencies to disconnect affected appliances.
Each of these cases landed in the KEV catalog. Together, they illustrate why the 10-hour average, even if imprecise, captures a real and worsening trend.
What defenders can do right now
The practical response starts with the KEV catalog’s JSON feed. Security operations teams can ingest it into vulnerability management platforms and compare each new entry against their own asset inventories within minutes. For organizations that lack the staff to monitor every new CVE, filtering by the KEV list is a triage method that prioritizes confirmed threats over theoretical ones.
Automated ingestion does not require expensive new software. A basic script that polls the feed, matches entries against an asset database, and fires an alert to the patching team can be built with in-house skills. The goal is to shrink the internal time from “CISA adds an entry” to “the right people know and are acting.”
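The ingest-match-alert loop described above, as an added example (not code from the article or from CISA): it parses a constructed excerpt that uses the real KEV feed's field names, remembers which CVEs were already seen so repeated polls alert only once, cross-references entries with a hypothetical asset inventory, and orders the resulting alerts by ransomware use and remediation due date. The live feed URL is given in a comment but is not fetched; all dates and hosts are illustrative.

```python
import json
from datetime import date

# Live feed (not fetched here): https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Constructed excerpt mirroring the feed's field names; the dates are illustrative, not authoritative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "product": "Connect Secure and Policy Secure",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2023-10-18", "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory (hypothetical hosts); in practice this is a CMDB or scanner export.
ASSETS = [
    {"host": "ft-prod-01", "vendor": "Progress", "product": "MOVEit Transfer"},
    {"host": "vpn-edge-02", "vendor": "Ivanti", "product": "Connect Secure"},
    {"host": "web-03", "vendor": "Apache", "product": "HTTP Server"},
]

def _norm(s):
    return " ".join(s.lower().split())

def asset_matches(entry, asset):
    """Vendor must match exactly; product matches if either name contains the other,
    because KEV often lists several products in one entry ("A and B")."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    p_kev, p_asset = _norm(entry["product"]), _norm(asset["product"])
    return p_asset in p_kev or p_kev in p_asset

def new_entries(feed_text, seen_cves):
    """Return entries not yet processed and record them, so a polling loop alerts once per CVE."""
    fresh = [v for v in json.loads(feed_text)["vulnerabilities"] if v["cveID"] not in seen_cves]
    seen_cves.update(v["cveID"] for v in fresh)
    return fresh

def triage(entries, assets, today_iso):
    """Cross-reference KEV entries with the inventory; most urgent alerts first."""
    today, alerts = date.fromisoformat(today_iso), []
    for e in entries:
        hosts = [a["host"] for a in assets if asset_matches(e, a)]
        if hosts:  # only alert on vulnerabilities we actually run
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            alerts.append({"cve": e["cveID"], "hosts": hosts, "days_to_due": days_left,
                           "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    return sorted(alerts, key=lambda a: (not a["ransomware"], a["days_to_due"]))

if __name__ == "__main__":
    seen = set()
    for alert in triage(new_entries(KEV_SAMPLE, seen), ASSETS, "2024-01-12"):
        print(alert)  # hand these to the patching team's ticketing or chat channel
```

A negative `days_to_due` means the BOD 22-01 deadline has already passed for an asset still in the inventory.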
Beyond the feed, organizations should pre-test emergency patching procedures for critical systems, define clear criteria for when to accept short-term operational disruption in exchange for closing an actively exploited hole, and rehearse those decisions before a crisis forces them. Scheduled maintenance windows are no longer adequate for KEV-listed flaws. Continuous or near-real-time patching for the highest-priority vulnerabilities is becoming a baseline expectation, not a stretch goal.
Why scheduled patch cycles cannot keep pace with confirmed exploits
Whether the true average is 8 hours, 10 hours, or 12 hours matters less than the trajectory. Exploitation is faster, more automated, and more opportunistic than it was even five years ago. Defensive strategies that hinge on a specific number risk overfitting to one dataset and one moment in time.
Some vulnerabilities will be probed within minutes of disclosure. Others may sit unexploited for months or never see meaningful abuse at all. The KEV catalog and its feed are best understood as an evolving early-warning system, not a static benchmark.
Organizations that anchor their priorities to confirmed exploitation data, automate as much of the detection-to-patch pipeline as possible, and treat every new KEV entry as an urgent remediation task will close the gap between disclosure and defense. Those still relying on periodic scan-and-patch cycles are, with each new catalog addition, falling further behind an adversary that needs only one working exploit and a few hours to use it.
This article was researched with the help of AI, with human editors creating the final content.