Updated

Project patchwindow
vulnerability exploitation analysis

Analysis of every CVE in the CISA Known Exploited Vulnerabilities catalog from 2019 onwards, with enriched disclosure, first exploitation, and first publicly reported exploitation dates. Enables like-for-like comparison of vulnerability exploitation across years, so you know what’s changed, and what to prepare for moving forward.

Trends

Seven vulnerability exploitation insights

Full snapshot tables →

Mean time-to-exploit excl zero-days: Dec 31 (2026 is predictive)

Time between vulnerability disclosure and exploitation (excludes zero-days), as of December 31st each year

Key insight: the patch window is not collapsing and 2026 mean TTE is on track to be slightly below the historic average

Mean time-to-exploit incl zero-days: Dec 31 (2026 is predictive)

Time between vulnerability disclosure and exploitation (includes zero-days), as of December 31st each year

Key insight: when you include zero-days and negative TTE, 2026 is trending to have a mean TTE 10% greater than the historic average

Zero-day rate: CVE publication year

Percentage of vulnerabilities exploited before CVE publication date, as of Jun 30th each year

Key insight: the zero-day rate for 2026 is slightly below the average when compared to previous years

Mean time-to-exploit: Jun 30 (zero-days and negative TTE included)

Time between vulnerability disclosure and exploitation including zero-days and pre-disclosure exploitations (counted as negative values), as of Jun 30th each year

Key insight: When including zero-days and negative TTE, 2026 has a less negative mean TTE than the historic average.

CVEs exploited: Jun 30

Number of in-scope CVEs that had been both disclosed and exploited by Jun 30th each year

Key insight: total vulnerabilities exploited has increased in 2025 and 2026, however the % of overall vulns exploited is at an all-time low below 0.3%

Top vendors in KEV, zero-day breakdown

Twelve vendors with the most KEV-listed CVEs, split by zero-day vs. non-zero-day

Key insight: most exploited vendors are dominated by widely distributed providers of operating systems, browsers, and edge devices

Mean time-to-exploit: Elapsed

The elapsed mean TTE across all years does not provide a like-to-like comparison between years, and severely biases recent years’ mean TTE downwards due to shorter overall elapsed times

Key insight: a common graph used to falsely claim the mean TTE has collapsed