Shrinking n-day exploitation window across disclosed flaws
Target Trend
Summary
A five-year collapse in the time to exploit (TTE) is giving defenders far less time to patch disclosed-but-unpatched vulnerabilities before attackers move in. Measured TTE fell from 745 days in 2020 to 44 days last year, and n-days now account for over 80% of the CVEs tracked in KEV/VulnDB. The shift matters because public PoC code plus internet-wide scanning can turn disclosure into mass exploitation within hours.
Related Happenings
CISA KEV remediation lag is widening as exploit timelines shrink
Target Trend
First: 10.04.2026 17:01
Last: 10.04.2026 17:01
Sources 1
About this happening:
**CISA KEV** remediation lag is widening across **10,000 organizations**, leaving enterprise exposures open longer than attackers need to weaponize them. Critical vulnerabilities...
Rising zero-day exploitation across end-user and enterprise products in 2025
Target Trend
First: 05.03.2026 17:03
Last: 05.03.2026 17:03
Sources 1
About this happening:
**Zero-day exploitation** stayed elevated in **2025**, with **90 actively exploited flaws** spread across **end-user platforms** and **enterprise products**. That matters because...
Ivanti Connect Secure zero-day exploitation (CVE-2025-0282)
Vulnerability
First: 27.02.2026 17:57
Last: 27.02.2026 17:57
Sources 1
About this happening:
**CVE-2025-0282** in **Ivanti Connect Secure** was exploited as a **zero-day** starting in **mid-December 2024**, creating a breach path for affected appliances. The exploitation...
Ivanti EPMM exploitation wave (CVE-2026-1281)
Exploitation Wave
First: 12.02.2026 09:32
Last: 12.02.2026 09:32
Sources 1
How related:
Just this week, it emerged that a likely nation-state actor had exploited two critical zero-day bugs in Ivanti Endpoint Manager Mobile (EPMM) to compromise several government agencies.
About this happening:
**Ivanti Endpoint Manager Mobile (EPMM)** is facing an **active exploitation wave** against **CVE-2026-1281** and **CVE-2026-1340**, creating immediate risk for internet-facing ma...
SolarWinds Web Help Desk (WHD) multi-stage exploitation wave
Exploitation Wave
First: 09.02.2026 16:42
Last: 09.02.2026 16:42
Sources 1
About this happening:
**SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...
Latest development: 10.03.2026 08:17
CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.
Timeline
- 12.02.2026 11:30 · 2 articles · 3mo ago
Flashpoint reports shrinking n-day exploitation window
Technical Analysis Update
Flashpoint reports that time to exploit (TTE) for publicly disclosed but unpatched vulnerabilities fell from 745 days in 2020 to 44 days last year, a 94% drop that leaves security and IT teams far less time to patch. The study says n-day flaws now represent over 80% of the CVEs tracked in KEV/VulnDB, notes 52 zero-day and 37 n-day attacks against security and perimeter software in 2025, and warns that researcher-published PoC code plus tools like Shodan or FOFA can turn disclosure into mass exploitation in hours. The report also cites a likely nation-state compromise of Ivanti Endpoint Manager Mobile (EPMM) that affected several government agencies and highlights asset-visibility gaps plus missing CVE coverage as major blind spots.
- Time to Exploit Plummets as N-Day Flaws Dominate — www.infosecurity-magazine.com — 12.02.2026 11:30