Mallory

Vulnerability Prioritization Shifts Toward Known-Exploited Risk and Centralized Scanning

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, rapid-weaponization, perimeter-device-exposure, government-diplomatic-threat
Updated March 26, 2026 at 04:03 PM (4 sources)

Security teams are increasingly de-emphasizing CVSS-only approaches in favor of prioritizing known exploited vulnerabilities (KEV), driven by evidence that only a small fraction of disclosed CVEs are exploited in the wild. Reporting citing VulnCheck research highlighted that roughly 1% of 40,000+ vulnerabilities disclosed in the prior year saw in-the-wild exploitation, with network edge devices disproportionately targeted (reported as 28% of KEV-impacted products) and recurring exposure across major enterprise stacks including Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet. The same research pointed to high-profile exploitation waves such as SharePoint zero-days impacting 400+ organizations and rapid weaponization dynamics like React2Shell, which reportedly accumulated 236 public exploits within a month.

In the UK public sector, the Department for Science, Innovation and Technology (DSIT) reported operational improvements from a centralized Vulnerability Monitoring Service that continuously scans internet-facing systems across roughly 6,000 organizations and drives remediation of about 400 confirmed vulnerabilities per month. DSIT said median remediation time for critical domain-related weaknesses fell to eight days (from ~50), other vulnerabilities to 32 days (from 53), and the backlog of unresolved critical flaws dropped by about three-quarters—positioning automated discovery and faster patch cycles as a practical response to long-standing government security shortfalls, even as officials did not quantify exploitation rates or overall compromise trends.
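As an added illustration (not code from this page, VulnCheck or DSIT), the Python below ranks a constructed set of findings the two ways the story contrasts, CVSS-only versus KEV-first with edge-device exposure as the tiebreaker, and computes the median-days-to-fix and open-backlog metrics the DSIT paragraph reports; the CVE ids, scores and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding. KEV membership and edge exposure are the
    signals the article says should outrank a raw CVSS score."""
    cve: str
    cvss: float
    in_kev: bool          # listed in a known-exploited-vulnerabilities catalog
    edge_device: bool     # internet-facing appliance (VPN, firewall, gateway)
    found: date
    fixed: Optional[date] = None


# Constructed sample data: placeholder CVE ids, not real vulnerabilities.
FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", 9.8, False, False, date(2026, 2, 1), date(2026, 3, 20)),
    Finding("CVE-0000-0002", 7.2, True,  True,  date(2026, 2, 3), date(2026, 2, 10)),
    Finding("CVE-0000-0003", 8.1, True,  False, date(2026, 2, 5), None),
    Finding("CVE-0000-0004", 6.5, False, True,  date(2026, 2, 7), date(2026, 3, 1)),
    Finding("CVE-0000-0005", 9.0, False, False, date(2026, 2, 9), None),
]


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """Baseline the article argues is insufficient: highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def kev_first_order(findings: List[Finding]) -> List[str]:
    """KEV membership outranks score; edge exposure breaks ties; CVSS last.
    Python sorts False before True, so `not f.in_kev` puts KEV items first."""
    return [f.cve for f in sorted(
        findings, key=lambda f: (not f.in_kev, not f.edge_device, -f.cvss))]


def median_days_to_fix(findings: List[Finding],
                       pred: Callable[[Finding], bool] = lambda f: True) -> Optional[int]:
    """Median remediation time over fixed findings matching `pred` (DSIT's metric)."""
    days = [(f.fixed - f.found).days for f in findings if f.fixed and pred(f)]
    return median(days) if days else None


def open_backlog(findings: List[Finding],
                 pred: Callable[[Finding], bool] = lambda f: True) -> List[str]:
    """Unresolved findings matching `pred`, e.g. the open KEV backlog."""
    return [f.cve for f in findings if f.fixed is None and pred(f)]
```

On this sample the CVSS-only list puts two non-exploited 9.x flaws ahead of the exploited edge-device bug; the KEV-first list moves the three KEV items to the top.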

Timeline

  1. Feb 27, 2026

    VulnCheck highlights KEV-based prioritization and edge-device targeting

    VulnCheck reported that vulnerability prioritization remains difficult because only a small share of disclosed flaws are exploited in the wild, arguing that defenders should focus more on known exploited vulnerabilities than CVSS alone. The report also found network edge devices accounted for 28% of products affected by KEV, with vendors such as Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet frequently targeted.

  2. Feb 26, 2026

    UK reports sharply faster remediation and reduced critical backlog

    DSIT said median fix times for critical domain-related weaknesses fell to eight days from about 50 days, while other vulnerabilities dropped to 32 days from 53 days. The government also reported that the backlog of unresolved critical flaws had been reduced by about three-quarters.

  3. Feb 26, 2026

    UK deploys central vulnerability scanning across public sector

    The UK government deployed the Vulnerability Monitoring Service, an automated central capability that continuously scans internet-facing systems used by public bodies. According to DSIT, the service covers about 6,000 organizations and drives remediation of roughly 400 confirmed vulnerabilities per month.

  4. Jan 1, 2025

    Linux kernel CVE surge in 2025 becomes major defender triage challenge

    The Linux kernel community's move to act as a CVE Numbering Authority led to a sharp increase in kernel CVEs entering security feeds, and the kernel became the most vulnerable technology by raw CVE count in 2025. The resulting disclosure volume was described as overwhelming defenders and increasing the risk that practically exploitable kernel flaws would be missed.


Related Stories

Record Surge in CVE Disclosures and Microsoft Vulnerabilities in 2025

In 2025, the cybersecurity landscape was marked by an unprecedented surge in vulnerability disclosures, with nearly 49,209 CVEs published—representing a 43% increase over the previous year. Microsoft alone issued mitigations for 1,246 CVEs, including 158 rated as critical, and faced 41 zero-day vulnerabilities. Security experts noted that while the volume of vulnerabilities reached new highs, the real risk stemmed from a small subset that were actively exploited, particularly those affecting Microsoft platforms and edge devices. Attackers increasingly leveraged AI and new tactics to exploit vulnerabilities faster, often timing attacks around Patch Tuesday cycles to maximize impact before organizations could apply updates. The overwhelming number of vulnerabilities forced security teams to rethink their prioritization strategies, as traditional severity ratings like CVSS proved insufficient for predicting exploitation. Instead, models such as the Exploit Prediction Scoring System (EPSS) and asset criticality became essential for identifying which vulnerabilities posed the greatest risk. State-sponsored actors and ransomware groups were responsible for a significant portion of exploitation activity, with remote code execution and privilege escalation flaws being the most targeted. Experts emphasized the need for rapid, risk-based patching and a shift away from patching solely based on severity scores, as attackers focused on speed, exposure, and critical assets rather than the sheer number of vulnerabilities disclosed.

1 month ago
Rising exploitation pressure from zero-days and known exploited vulnerabilities

Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both **zero-day** activity and the growing backlog of **known exploited vulnerabilities (KEVs)**. A Talos retrospective counted **48,196 CVEs in 2025** and **241 KEVs** (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting **network edge infrastructure** (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems. Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said **Latin America** is seeing substantially higher weekly attack volume than the US (including higher proportions of **ransomware** and **infostealer** activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the *Coruna* **iOS exploit kit** rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.

1 month ago
UK Government Vulnerability Monitoring System Cuts Public-Sector Remediation Times

The UK Department for Science, Innovation and Technology (**DSIT**) reported that its **Vulnerability Monitoring System (VMS)** is significantly reducing remediation times for internet-facing public-sector systems by continuously scanning roughly **6,000** government/public-sector websites and services. VMS uses a mix of commercial and proprietary tooling to check for about **1,000** vulnerability types, with a particular focus on **domain/DNS-related weaknesses** that could be abused by attackers; DSIT said median remediation time for DNS/domain issues fell from about **50 days to 8 days** (an **84%** improvement), while median time to fix other vulnerabilities dropped from **53 days to 32 days**. DSIT also stated the service is clearing a substantial volume of risk, resolving around **400 confirmed vulnerabilities per month** and reducing the backlog of critical open domain-related issues by about **75%**. The program is positioned as part of the government’s *Blueprint for Modern Digital Government* (published January 2025), with Minister for Digital Government **Ian Murray** emphasizing operational impacts of cyberattacks on public services (e.g., NHS disruption) and announcing a related workforce initiative to build a stronger pipeline of cybersecurity talent across DSIT and the UK’s National Cyber Security Centre (**NCSC**).

1 month ago
