Vulnerability Exploitation Is Moving Faster. What the 2026 Time-to-Exploit Data Shows
Average time from vulnerability disclosure to working exploit has dropped from roughly 125 days in early 2025 to under a day by April 2026, across an analysis of approximately 69,000 CVEs. Some vulnerabilities are now exploited before patch advisories are published. The assumptions most patch management processes were built on may no longer hold.
For most of the last two decades, vulnerability management rested on a quiet assumption: between the moment a flaw became public and the moment an attacker could use it at scale, defenders had a usable buffer. Days, often weeks. Enough time to test, stage, and deploy a patch or patches. A lot of process was built on top of that buffer.
That buffer has been shrinking, and the rate at which it is shrinking is worth looking at.
One measure multiple vendors track is “time-to-exploit”, the gap between a vulnerability’s disclosure and the first observed exploitation. Mandiant’s M-Trends reporting and others have charted this falling from years to months to days. One 2026 industry analysis examined roughly 69,000 CVEs and reported the average time from disclosure to a working exploit dropping from about 125 days in early 2025 to under a day by April 2026. Rapid7’s 2026 threat landscape report put it more plainly: what once unfolded over weeks now materializes in days, and sometimes minutes.
By early 2025, research across the sector found that roughly 32% of vulnerabilities were exploited on or before the day they were publicly disclosed. CrowdStrike’s 2026 report documented a 42% increase in zero-days exploited before public disclosure. For high-value targets the buffer can go negative: exploitation is already underway before the patch advisory is even finished.
Key figures across 2025-2026 reporting:
Average time from CVE disclosure to working exploit: under 1 day by April 2026 (down from ~125 days, early 2025)
~32% of vulnerabilities exploited on or before public disclosure day (early 2025)
42% increase in zero-days exploited before public disclosure (CrowdStrike 2026)
Working exploits for some disclosed CVEs: ~10-15 minutes to generate, ~$1 per attempt (Cloud Security Alliance)
The figures vary by methodology and source. One outlet noted Flashpoint reporting an average time-to-exploit of 44 days in 2025 while another tracker reported 5 days. Whether the headline number is a mean or a median, and whether CVEs with no observed exploitation are counted in the denominator at all, can move it substantially. The dispersion is large enough that any single figure is illustrative rather than definitive. But the direction across sources is consistent, and that consistency may be the more important signal.
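The methodology point above is easier to see on a concrete feed. The following is an added example, not code from the original article or from any of the vendors it cites: it computes time-to-exploit from disclosure and first-exploitation dates over a small constructed set of records, and reports the same data under several conventions (mean versus median, exploited-only versus all-CVE denominators). All identifiers and dates are made up for illustration.

```python
"""Added example, not part of the original article: how the headline
time-to-exploit figure depends on the statistic and the denominator.
Every record below is constructed for illustration."""
from datetime import date
from statistics import mean, median

# Constructed feed: (identifier, public disclosure date, first observed exploitation date or None)
RECORDS = [
    ("VULN-0001", date(2025, 1, 6),  date(2025, 5, 11)),  # the old months-long buffer
    ("VULN-0002", date(2025, 2, 3),  date(2025, 2, 3)),   # exploited on disclosure day
    ("VULN-0003", date(2025, 2, 20), date(2025, 2, 14)),  # exploited before disclosure
    ("VULN-0004", date(2025, 3, 1),  date(2025, 3, 2)),   # one-day buffer
    ("VULN-0005", date(2025, 3, 15), None),               # no exploitation observed
    ("VULN-0006", date(2025, 4, 2),  date(2025, 4, 2)),   # exploited on disclosure day
    ("VULN-0007", date(2025, 4, 10), date(2025, 10, 7)),  # long tail
    ("VULN-0008", date(2025, 5, 5),  date(2025, 5, 4)),   # exploited the day before disclosure
]


def time_to_exploit_days(disclosed, exploited):
    """Signed gap in days; negative means exploitation preceded disclosure."""
    if exploited is None:
        return None
    return (exploited - disclosed).days


def summarize(records):
    """Headline statistics for one feed under different reporting conventions."""
    ttes = [time_to_exploit_days(d, e) for _, d, e in records]
    observed = [t for t in ttes if t is not None]
    on_or_before = sum(1 for t in observed if t <= 0)
    return {
        "records": len(records),
        "exploited": len(observed),
        # The mean is pulled up by the long tail; the median sits where most CVEs actually are.
        "mean_days": mean(observed),
        "median_days": median(observed),
        # Same count, two denominators: exploited CVEs only vs all disclosed CVEs.
        "share_on_or_before_disclosure_of_exploited": on_or_before / len(observed),
        "share_on_or_before_disclosure_of_all": on_or_before / len(records),
        # The "negative buffer" cases a patch-first process never sees coming.
        "negative_buffer_ids": [i for (i, _, _), t in zip(records, ttes) if t is not None and t < 0],
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

On this constructed feed the mean is about 43 days while the median is 0, and the share exploited on or before disclosure day is 4/7 of exploited CVEs but 4/8 of all records. Two trackers applying different conventions to identical data would publish quite different numbers, which is the dispersion the text describes.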
What’s actually driving the compression?
The question I keep returning to is whether this is a faster version of the old problem or a completely different problem. A few factors come up repeatedly. AI-assisted reconnaissance changes the scale and targeting of discovery. Automated exploit generation changes who can produce working code.
The Cloud Security Alliance’s analysis estimates that working exploits for some disclosed CVEs can be generated in 10 to 15 minutes for around $1 per attempt. And agentic execution frameworks change whether a human needs to be in the loop at all. Reporting on a 2025 espionage campaign described attackers chaining research, exploit code, credential harvesting, and exfiltration with limited human oversight.
CERT-EU has noted that well-resourced state actors have operated at this tempo for a long time. Their framing is that AI does not invent the capability so much as widen the set of actors who can credibly operate at that speed. Whether that distinction matters to an organization’s threat model is an open question.
CISA BOD 26-04
This time compression has started to show up in policy, which makes it concrete in a way that threat reports don’t. On June 10, 2026, CISA issued Binding Operational Directive 26-04, replacing flat calendar-based remediation deadlines with a four-factor risk matrix: asset exposure, Known Exploited Vulnerabilities (KEV) catalog status, exploit automation potential, and post-exploitation impact. The highest-risk combination carries a three-day remediation window plus forensic triage. The directive explicitly names AI-accelerated exploitation as part of its rationale.
What’s notable is not the deadline but the implied model. The framework treats “can an adversary automate this” as a prioritization variable, and it allows the lowest-risk vulnerabilities to be deferred to the next system upgrade. In one large agency’s initial analysis, only about 1% of vulnerability instances landed in the three-day tier while more than 60% were deferred. That’s a meaningful reframing of what “patch management” means, from a uniform queue to a triage decision.
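What a triage decision over those four factors looks like in code, as an added example that is neither the article’s own material nor the directive’s actual matrix: the factor names follow the text, and the two endpoints (highest-risk combination gets three days plus forensic triage, lowest-risk instances are deferred to the next upgrade) are the ones the text describes. The scoring, the 14- and 30-day intermediate windows, the low/medium/high scale and the asset inventory are assumptions made for this example.

```python
"""Added example, not from the original article and not BOD 26-04's own
matrix: a four-factor vulnerability triage decision over a constructed
inventory. Scoring, middle tiers and inventory are hypothetical."""
from collections import Counter, namedtuple
from dataclasses import dataclass

Decision = namedtuple("Decision", "tier window_days forensic_triage")
LEVEL = {"low": 0, "medium": 1, "high": 2}   # hypothetical scale for the two graded factors
MAX_SCORE = 2 + 2 + LEVEL["high"] + LEVEL["high"]


@dataclass(frozen=True)
class VulnInstance:
    """One vulnerability on one asset; the same CVE can yield several instances."""
    vuln_id: str
    asset: str
    internet_exposed: bool      # factor 1: asset exposure
    in_kev: bool                # factor 2: KEV catalog status
    automation_potential: str   # factor 3: "low" | "medium" | "high"
    post_exploit_impact: str    # factor 4: "low" | "medium" | "high"


def triage(v):
    """Map the four factors to a remediation decision.

    Exposure and KEV status are weighted as hard facts (2 points each); the two
    graded factors contribute their level. The thresholds are assumptions."""
    score = (2 * v.internet_exposed) + (2 * v.in_kev) \
        + LEVEL[v.automation_potential] + LEVEL[v.post_exploit_impact]
    if score == MAX_SCORE:
        # Exposed, already in KEV, trivially automated, severe impact: assume
        # exploitation may have preceded the patch, so patch and then look for compromise.
        return Decision("3-day", 3, True)
    if score >= 5:
        return Decision("14-day", 14, False)      # hypothetical middle tier
    if score >= 3:
        return Decision("30-day", 30, False)      # hypothetical middle tier
    return Decision("deferred", None, False)      # wait for the next system upgrade


def distribution(instances):
    """Fraction of the inventory landing in each tier."""
    counts = Counter(triage(v).tier for v in instances)
    return {tier: n / len(instances) for tier, n in counts.items()}


# Constructed inventory: ten instances across seven hypothetical vulnerabilities.
INVENTORY = [
    VulnInstance("VULN-A", "edge-web-gateway", True,  True,  "high",   "high"),
    VulnInstance("VULN-A", "internal-db",      False, True,  "high",   "high"),
    VulnInstance("VULN-B", "staff-laptop-17",  False, False, "low",    "low"),
    VulnInstance("VULN-C", "vpn-concentrator", True,  False, "high",   "medium"),
    VulnInstance("VULN-D", "build-server",     False, False, "medium", "high"),
    VulnInstance("VULN-E", "floor-printer",    False, False, "low",    "medium"),
    VulnInstance("VULN-F", "mail-relay",       True,  True,  "medium", "high"),
    VulnInstance("VULN-G", "lobby-kiosk",      True,  False, "low",    "low"),
    VulnInstance("VULN-H", "hr-portal",        False, False, "high",   "medium"),
    VulnInstance("VULN-B", "dev-vm-03",        False, False, "low",    "low"),
]


if __name__ == "__main__":
    for v in INVENTORY:
        print(f"{v.vuln_id:8} {v.asset:18} -> {triage(v)}")
    print(distribution(INVENTORY))
```

Note that the same vulnerability (VULN-A) lands in the three-day tier on the exposed gateway and in a slower tier on the internal database: the decision is per instance, not per CVE, which is why the distribution the text cites is over "vulnerability instances". Only one of ten instances hits the fastest tier here, while four are deferred.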
Open Questions for Security Practitioners
A few questions seem worth discussing openly.
If exploitation increasingly precedes patch availability, what does “remediation” mean as a concept? Suzu Labs, for example, argues that the center of gravity shifts from prevention timing toward detection and response. Is that the right thinking, or does it underestimate what exposure reduction can still do?
How much of this is a tooling problem versus a process problem? Several practitioners quoted on the CISA directive made the point that organizations already hitting 14-day windows reliably will likely hit 3-day windows, and those missing the 14-day windows will miss the 3-day windows by a similar margin.
And finally, if patch-cycle assumptions are being revised in real time by attackers and defenders alike, what’s the right way to revisit a strategy that was written against the old tempo? The annual or multi-year refresh cycle is itself a human-speed artifact.