Industry-wide escalation in deployment of known-vulnerable code amid AI-driven exploitation acceleration
Summary
Three-quarters of organizations admit to frequently shipping code with known vulnerabilities, according to new data from Checkmarx published May 21, 2026. The average time from public disclosure to exploitation has collapsed from 840 days in 2018 to under two days in 2026, with Checkmarx researchers projecting a one-minute exploitation window by 2028. Vulnerability exploitation now accounts for 31% of initial access vectors in breaches, up from 20% in the previous year, per Verizon’s 2026 DBIR. Rising adversary adoption of AI tools is cited as a key driver of the trend, with median threat actors leveraging AI in up to 15 documented techniques and some using AI in 40–50 techniques.
Timeline
- 21.05.2026 16:00 · 1 article
Exploitation acceleration and supply chain risk escalation documented in mid-2026 studies
Checkmarx reports 75% of organizations continue to ship known-vulnerable code, while Verizon’s DBIR shows vulnerability exploitation rising to 31% of initial access vectors. QBE survey finds 75% of UK businesses concerned about AI in supply chains, with 22% attributing attacks to suppliers and low adoption of AI governance policies and third-party assessments.
Sources:
- Three-Quarters of Firms Knowingly Ship Vulnerable Code — www.infosecurity-magazine.com — 21.05.2026 16:00
Information Snippets
- Checkmarx reports that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% in 2025.
  First reported: 21.05.2026 16:00 · 1 source, 1 article
  Source: Three-Quarters of Firms Knowingly Ship Vulnerable Code — www.infosecurity-magazine.com — 21.05.2026 16:00
- Checkmarx Zero team estimates mean time-to-exploit has decreased from 840 days in 2018 to under two days in 2026, with a projected one-minute window by 2028.
  First reported: 21.05.2026 16:00 · 1 source, 1 article
  Source: Three-Quarters of Firms Knowingly Ship Vulnerable Code — www.infosecurity-magazine.com — 21.05.2026 16:00
- Verizon’s 2026 Data Breach Investigations Report attributes 31% of initial access vectors to vulnerability exploitation, up from 20% in the prior year.
  First reported: 21.05.2026 16:00 · 1 source, 1 article
  Source: Three-Quarters of Firms Knowingly Ship Vulnerable Code — www.infosecurity-magazine.com — 21.05.2026 16:00
- Verizon notes median threat actors used AI assistance in up to 15 techniques, with some actors leveraging AI in 40–50 documented techniques.
  First reported: 21.05.2026 16:00 · 1 source, 1 article
  Source: Three-Quarters of Firms Knowingly Ship Vulnerable Code — www.infosecurity-magazine.com — 21.05.2026 16:00
- QBE survey indicates 75% of UK businesses are concerned about AI use in supply chains, with 22% reporting that all or most attacks involved a supplier in the past 12 months.
  First reported: 21.05.2026 16:00 · 1 source, 1 article
  Source: Three-Quarters of Firms Knowingly Ship Vulnerable Code — www.infosecurity-magazine.com — 21.05.2026 16:00
- Only 28% of AI-using businesses have assessed or audited third-party suppliers’ AI systems, and 35% have a formal AI usage or governance policy, according to QBE.
  First reported: 21.05.2026 16:00 · 1 source, 1 article
  Source: Three-Quarters of Firms Knowingly Ship Vulnerable Code — www.infosecurity-magazine.com — 21.05.2026 16:00