Qualys warns attackers exploit flaws before disclosure
Qualys has published research on vulnerability remediation and exploitation trends. The study examined more than 1 billion known exploited vulnerability records across more than 10,000 organisations over four years.
The findings point to a widening gap between the pace of exploitation and the speed at which security teams can patch systems. The report says the average time to exploit fell to minus one day, indicating that attackers are now exploiting some vulnerabilities before public disclosure.
Closed vulnerability events rose sharply over the period reviewed, increasing 6.5-fold from 73 million in 2022 to 473 million in 2025. This suggests remediation workloads are growing faster than many teams can manage through manual processes.
At the same time, the proportion of critical vulnerabilities left open after a week worsened. In 2025, 63% of critical flaws were still unresolved at Day 7, up from 56% in 2022, despite security teams processing more remediation tickets.
Exposure window
The research argues that the standard metric of mean time to remediate no longer reflects the true period of business risk, because exploitation can begin before disclosure. In its place, Qualys introduced what it calls Average Window of Exposure, a measure that tracks the period from exploitation to remediation.
Using that model, Qualys found that 85% of vulnerable assets remained unpatched at the point of disclosure. It also found that 33% were still open after 21 days and 12% remained exposed after 90 days.
The report also highlighted a concentration of risk among a small subset of vulnerabilities. Of the 48,172 vulnerabilities disclosed in 2025, Qualys identified 357, or 0.74%, as both remotely exploitable and actively weaponised.
The finding adds to a longstanding cyber security debate over how companies should prioritise patching. Rather than treating all newly disclosed flaws as equally urgent, the research suggests organisations should focus more tightly on vulnerabilities already being used in attacks.
Zero-day trend
Among 52 actively weaponised vulnerabilities analysed in the study, half were exploited before public disclosure. One Windows kernel vulnerability in the dataset had been exploited 182 days before disclosure.
The figures underline the pressure on defenders, who must decide what to patch first while managing a growing backlog. Manual remediation workflows can stretch average closure times to four to five times beyond the median. The report cites Spring4Shell as one example, with average remediation time reaching 266 days.
Edge devices, including firewalls, VPNs and gateways, were identified as carrying the highest strategic risk per vulnerability. These systems often sit at the network perimeter and are common targets because they can offer direct access into corporate environments.
The study also links faster remediation to greater use of automation and artificial intelligence in validation and prioritisation. According to Qualys, such tools can help security teams distinguish between theoretical exposure and flaws that present an immediate route for attack.
Saeed Abbasi, Head of Threat Research Unit at Qualys, commented on the findings in a public post: "Speed matters and the only way we can combat the speed at which attackers are weaponizing exploits is by leveraging AI and automation to focus on reducing the risk that truly matters."
The central message of the research is that rising vulnerability volumes, earlier exploitation and slower manual remediation are reshaping how cyber risk is measured. Of the 48,172 vulnerabilities disclosed in 2025, only 357 were found to be remotely exploitable and actively weaponised.