The Math No Longer Works

With 131 new CVEs disclosed every day and the median time to exploit now under 5 days, the traditional patch Tuesday model is formally dead. The numbers reveal a system in crisis: attacks targeting website vulnerabilities reached 6.29 billion in 2025, up from 4 billion in 2024, a 56% year-over-year increase.

Worse, 32.1% of exploited vulnerabilities were abused on or before the CVE disclosure date, effectively making them zero-day attacks—meaning disclosure offers no protection window at all.

The Velocity Problem: Q1 2026 as a Case Study

This quarter has exposed the collapse. Google has patched a total of four actively weaponized Chrome zero-days since the start of the year, with CVE-2026-5281 added to CISA's Known Exploited Vulnerabilities catalog on April 1, 2026, requiring Federal Civilian Executive Branch agencies to apply fixes by April 15, 2026—a 14-day mandate that presumes capability most organizations lack.

Microsoft's monthly Patch Tuesdays have become industrial-scale. Microsoft's March 2026 security updates include 83 new CVE fixes affecting various products, including Windows Server core services and Azure IoT Explorer. Yet none of the vulnerabilities have been exploited for attacks in the wild, creating a false sense of urgency for patches that may never matter.

Meanwhile, critical flaws slip through the noise. CVE-2026-26144, a Critical information disclosure vulnerability in Microsoft Excel that can cause Copilot Agent mode to silently exfiltrate data with no user interaction required, deserves immediate priority but competes for resources with 82 other patches.

The Threat Landscape Shifted: Commercial Surveillance Now Leads

The actor profile has transformed in ways most security teams haven't fully internalized. Commercial surveillance vendors were involved in more than one-third of zero-day attacks, surpassing state-sponsored espionage groups for the first time. Out of 42 unique zero-days attributed to specific actors, surveillance vendors were involved in 15, while state-linked groups were involved in 12.

Zero-day exploitation hit 90 confirmed cases in 2025, up 15% from the prior year, with nearly half of all attacks targeting enterprise infrastructure. Critically, half of enterprise-targeted zero-days focused on networking and security software, highlighting attackers' shift toward critical business infrastructure.

This matters because surveillance vendors operate at commercial scale. These vendors are primary drivers of the zero-day market, often offering turn-key solutions for the entire attack life cycle. These vendors develop what is commonly known as spyware and focus largely on exploiting mobile devices and web browsers.

Enterprise Infrastructure Under Siege

Organizations can no longer assume they have time. Compromise-to-exfiltration can unfold in hours rather than days, with first-quartile outcomes under five hours and a meaningful subset under one hour. This 5-hour window makes even emergency patches inadequate.

Operating systems were the most exploited product category, accounting for 44% of all zero-day vulnerabilities, while browsers represented less than 10%. Yet edge devices like firewalls, VPNs, and routers are especially targeted because they provide privileged network access with minimal detection coverage.

The specific vulnerability patterns are telling. CVE-2026-24289 and CVE-2026-26132 are two use-after-free Windows Kernel flaws. CVE-2026-23668 is a race condition in the Windows Graphics Component—privilege escalation bugs that give attackers SYSTEM-level access with no user interaction required.

The Veeam Warning: Enterprise Backup is a Target

Enterprise backup and disaster recovery, supposed to be a final line of defense, has become a primary target. Veeam released security updates to address multiple critical vulnerabilities in its Backup & Replication software that could result in remote code execution. CVE-2026-21666 and CVE-2026-21667 are vulnerabilities that allow an authenticated domain user to perform remote code execution on the Backup Server.

Once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments. This creates a secondary exploitation window that lasts weeks or months at scale.

Why Virtual Patching Is Now the Baseline

The patch cycle has become a compliance theater. Virtual patching, applying a protection rule at the WAF layer while development cycles catch up is the most practical way to close that window without slowing down release velocity. The 5-day median time to exploit means the patch cycle is no longer the primary defense. Virtual patching at the WAF layer buying time while development cycles catch up is now a standard part of a mature vulnerability response program.

However, virtual patching only works for known vulnerabilities. For today's security leaders, the challenge is no longer simply patching vulnerabilities. The strategic challenge is anticipating how adversaries weaponize unknown flaws across complex enterprise ecosystems that span cloud infrastructure, identity platforms, AI systems, and mobile devices.

The AI-Native Vulnerability Blind Spot

The patch crisis is being complicated by a entirely new attack surface. Organizations are rapidly deploying AI copilots, workflow assistants, and autonomous software agents across collaboration platforms, CRM systems, and developer environments. These systems introduce entirely new attack surfaces.

Researchers are observing prompt injection attacks that require no user interaction. In these scenarios, an AI agent may ingest malicious content from sources such as emails or documents. The model interprets the hidden instructions and autonomously executes actions such as data extraction or API requests.

Excel's new Copilot integration exemplifies the risk. An attacker who successfully exploits CVE-2026-26144 could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack where sensitive data could be silently leaked without any user interaction beyond having Copilot enabled.

What Enterprises Must Do Now

The traditional CVSS-score-based prioritization is dead. Six of the vulnerabilities patched are considered "more likely" to be exploited, and they can all be used by attackers to elevate their privileges (either to SYSTEM or admin) on targeted systems—but these must be identified through threat intelligence, not score alone.

Cybersecurity teams should employ firewalls to enable inherent segmentation and least privilege access controls to thwart more of these attacks. Additionally, they should also invest in observability and monitoring tools to discover breaches that at this point are all but inevitable, the report notes. Cybersecurity teams should also maintain a software bill of materials (SBOM) that in the event of an attack will make it easier to identify which of their software libraries might be affected.

But the deeper truth is systemic. Endpoint hygiene, rapid patch orchestration and realistic browser and mobile exploitation scenarios in red teaming are now central operational issues rather than best practice talking points.

The Bottom Line: Containment Over Prevention

The patch paradox has forced a fundamental shift in security philosophy. The future of cybersecurity will be defined not by whether organizations encounter zero-day exploits, but by how quickly they detect and contain them. The organizations that succeed in this environment will be those that assume zero-day risk exists and design systems capable of containing it before it escalates into systemic compromise.

With 90 zero-days exploited in 2025 alone, and surveillance vendors now outpacing nation-states, the era of "prevent all breaches through patching" is over. The question is no longer whether you'll face an unpatched zero-day. The question is whether you can detect and isolate it before it costs you millions.