Threat actors are exploiting flaws more quickly – here's what business leaders should do

Without proactive patch management, businesses are vulnerable to attacks on overlooked weaknesses


In July, Microsoft fixed a flaw in its file sharing service SharePoint that was already being exploited by attackers. Later that month, Microsoft warned that hackers were making use of the zero-day to distribute ransomware, adding even more risk to the serious vulnerability.

The SharePoint flaw is just one example of attackers becoming faster at exploiting vulnerabilities before they can be properly addressed by vendors and patched by organizations.

During the first half of 2025, almost one-third (32.1%) of flaws listed in VulnCheck’s known exploited vulnerabilities catalog were weaponized either before being detected or within 24 hours of disclosure, according to the vulnerability intelligence provider’s latest report. This represents an 8.5% increase from 23.6% in 2024.

Meanwhile, there has been a 34% increase in attackers exploiting vulnerabilities to gain initial access and cause security breaches over the last year, according to the Verizon 2025 Data Breach Investigations Report.

A shortened response window

There is now a shortened window between the time new vulnerabilities are discovered and when they are leveraged in attacks, says Stephen Fewer, senior principal researcher at Rapid7.

Citing the example of the SharePoint flaw, he tells ITPro that organizations are now left with “little to no gap” to patch their infrastructure, which “puts considerable strain on already stretched security resources”.

Adding to the issue, the shrinking window means it’s less likely that older, already-known vulnerabilities will be prioritized, says Fewer. “Attackers at large are still using these vulnerabilities and established techniques to compromise organizations, because many firms remain slow at patching their infrastructure.”

For example, the in-the-wild exploitation of SonicWall SSLVPN firewall appliances at the start of August was first thought to be due to a zero-day vulnerability, says Fewer. However, upon further investigation by the vendor, it was revealed that adversaries were exploiting a known flaw from 2024, tracked as CVE-2024-40766.

More flaws discovered, faster weaponization

While vulnerabilities are being weaponized extremely quickly, security researchers are also reporting them at rapid speed. This is down to growing skill in the area, as well as increasing automation in exploit development, says Andy Swift, cyber security assurance technical director at Six Degrees.

When preparing to exploit issues in software, attackers usually follow a simple process, explains Michael Tigges, senior hunt and response analyst at Huntress. This sees them scan the internet for exposed systems, try automated exploits, and confirm success by checking whether the system responds to adversary-controlled services or installs malware.

For example, when targeting CVE-2025-30406, a flaw in Gladinet/Triofox storage services, attackers were seen generating requests to out-of-band application security testing services, confirming code execution, says Tigges.

Patch velocity

Amid this hostile environment, patch velocity – the speed at which cybersecurity teams deploy fixes to vulnerabilities – varies widely, says Tom Lovell, infrastructure and modern workplace principal consultant at Infinity Group. “While some firms have mature vulnerability management programs that deploy critical patches within 24 to 72 hours, many struggle to meet even monthly cycles.”

Factors include resource constraints, fear of downtime and lack of automation, he says. “Even in well-resourced environments, patching third-party software or embedded systems can be slow.”

Adding to this is the fact that most firms are dealing with more complex and interconnected infrastructure. “This brings with it a huge range of dependencies, to the extent where we now have a growing problem of systems-of-systems which could include cloud, internet of things (IoT), shared authentication and supply chain dependencies,” Swift says. “These complexities all need to be considered and can add huge amounts of time to a situation where urgent patching is required.”

IT teams also face issues with compatibility and various operational constraints, says Swift. “If a patch means downtime, it can sometimes be a bitter pill to swallow among mounting pressures to keep operations running.”

Swift says he has seen a number of instances of fully patched systems showing signs of active malicious activity relating to a threat they had allegedly been patched against. “It turned out the systems were attacked during a window when the host was unpatched. Due to a rather lax approach to patching, the door was only closed several weeks later. Even then, with the patch applied, the methods of persistence were retained for the attacker to come back and make use of.”

Vulnerability management: what companies can do

The speed at which adversaries are exploiting flaws is concerning, but there are some steps firms can take to counter the issue.

Identifying any obvious weaknesses is a crucial first step. In the majority of cases where companies are attacked, there is “a lot of unnecessary exposure going on”, says Swift.

He says organizations need to shift to being more proactive, thinking about what actually needs access to a given host. “Can we limit access to a known IP or subset of known good addresses? Do only certain clients need access? Can we limit access to specific countries?”

The exploitation of many CVEs can be slowed down by limiting internet exposure of critical applications and management interfaces, agrees Fewer. “This means paying particular attention to network edge appliances such as VPNs and firewalls, and ensuring that management and administrative interfaces are never exposed to the public internet.”

Organizations should prioritize patching to remain resilient, with a “patch ASAP” culture for critical vulnerabilities, says Jeff Watkins, CTO at CreateFuture. “Leaving systems unpatched means you are expecting an exploit from a security point of view, you just won’t know when.”

Effective vulnerability management is about prioritization, concurs Tigges. Organizations should regularly scan for flaws, but focus first on those actively being exploited in the wild or those affecting critical systems, he advises.

Public resources such as CISA's Known Exploited Vulnerabilities (KEV) catalog are a useful tool. But not every vulnerability can be patched right away, he points out. With this in mind, measures such as network segmentation, backup controls, and endpoint detection and response will help to reduce risk until updates are applied, Tigges advises.
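As an added illustration of the prioritization approach described above (KEV-listed and internet-exposed flaws first, compensating controls where patching must wait), here is example code that is not part of the article or of any vendor's product. The KEV set, the scanner findings, the placeholder CVE ids and the SLA tiers beyond the quoted 24 to 72 hours are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a KEV lookup. Both ids appear in the article; listing them
# here is an illustration, not a statement about the real catalog's contents.
KEV = {"CVE-2024-40766", "CVE-2025-30406"}

@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_exposed: bool   # reachable from the public internet (VPN, firewall, ...)
    critical_asset: bool     # business-critical system

def patch_sla_hours(f: Finding) -> int:
    """Hours allowed to patch. The 24h/72h tiers follow the range quoted in the
    article; the longer tiers are assumptions made for this example."""
    if f.cve in KEV and f.internet_exposed:
        return 24
    if f.cve in KEV or (f.critical_asset and f.cvss >= 9.0):
        return 72
    if f.cvss >= 7.0:
        return 24 * 14
    return 24 * 30

def prioritise(findings):
    """Shortest SLA first, KEV entries before non-KEV, then highest CVSS."""
    return sorted(findings, key=lambda f: (patch_sla_hours(f), f.cve not in KEV, -f.cvss))

def due_at(f: Finding, detected: datetime) -> datetime:
    return detected + timedelta(hours=patch_sla_hours(f))

def compensating_controls(f: Finding) -> list:
    """Interim measures named in the article for findings that cannot be patched yet."""
    controls = ["endpoint detection and response", "verified backups"]
    if f.internet_exposed:
        controls.insert(0, "restrict exposure to known-good source addresses")
    if f.critical_asset:
        controls.insert(0, "network segmentation")
    return controls

# Constructed scanner output; the CVE-0000-000x ids are placeholders, not real CVEs.
FINDINGS = [
    Finding("CVE-0000-0001", "hr-db", 9.8, False, True),
    Finding("CVE-2025-30406", "fileshare-02", 9.0, False, True),
    Finding("CVE-0000-0002", "dev-vm", 7.5, False, False),
    Finding("CVE-2024-40766", "fw-edge-01", 9.3, True, True),
    Finding("CVE-0000-0003", "kiosk", 4.3, True, False),
]
DETECTED_AT = datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc)  # constructed scan time

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{f.asset:13} {f.cve:16} due {due_at(f, DETECTED_AT):%Y-%m-%d %H:%M} "
              f"controls: {', '.join(compensating_controls(f))}")
```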

Technology can help but, as attackers continue to weaponize software flaws, protecting your business comes down to a timely and prioritized patching process. Having a clearly defined, regular patch cycle that prioritizes actively and widely exploited CVEs is “essential”, says Fewer. “Without the basics of good vulnerability and patch management in place, time spent on emergency responses to zero-day exploitation or advanced persistent threats will be less effective.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.