Risks and Exploitation Gaps in Vulnerability Disclosure and Management
Security teams face significant risk due to delays and gaps in the vulnerability disclosure process, with critical information about new vulnerabilities often taking days or weeks to reach widely used databases like the National Vulnerabilities Database (NVD). During this window, attackers can exploit vulnerabilities before defenders are even aware of their existence, especially when proof-of-concept exploits are published rapidly. The lack of early visibility and the time lag between CVE assignment, public advisories, and NVD publication create blind spots that can be leveraged by threat actors, underscoring the need for improved vulnerability management workflows and faster dissemination of actionable intelligence.
Traditional vulnerability management approaches, which rely heavily on scanner outputs and CVSS scores, often fail to prioritize the most exploitable weaknesses, leading to wasted effort on non-critical issues while missing attack paths that could result in severe compromise. Integrating exploitability validation and business context—such as through autonomous pentesting and continuous verification—enables organizations to focus remediation on vulnerabilities that present real, environment-specific risk. This shift from triage to targeted action is essential for closing attack paths and reducing the window of exposure created by disclosure gaps.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Tenable says it updates vulnerability coverage within 12–24 hours
Tenable stated that it monitors vendor advisories directly and updates its own vulnerability coverage within 12 to 24 hours of disclosure. The company positioned this as a faster alternative to waiting for NVD publication.
Tenable reports median time to active exploitation is five days
According to Tenable's analysis, the median time from disclosure to active exploitation can be as little as five days, and more than half of public PoCs are published within seven days. The findings underscore that exploitability signals often emerge before many defenders see NVD coverage.
Tenable highlights average 15-day lag before CVEs appear in NVD
Tenable said there is an average 15-day delay between initial vulnerability disclosure and publication in the National Vulnerabilities Database, creating a gap in defender visibility. The company warned that organizations relying primarily on NVD may miss early exploitation activity.
Horizon3.ai publishes blog on exploitability data in agentic security
Horizon3.ai published a blog post arguing that exploitability data can improve agentic security workflows beyond basic vulnerability triage. The reference is conceptual and does not describe a discrete external incident or operational event.
63,862 CVEs disclosed during Jan. 2024–Sep. 2025 study period
Tenable reported that 63,862 CVEs were disclosed between 2024-01-01 and 2025-09-30 as part of its analysis of vulnerability disclosure and exploitability trends. The study found that only 2.6% had a public proof-of-concept and 0.5% had documented evidence of active exploitation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Debate and Practices in Vulnerability Management and Disclosure
Vulnerability management and responsible disclosure remain central challenges for cybersecurity professionals, with ongoing debates about best practices and the impact of industry processes. One perspective emphasizes the complexity of establishing effective vulnerability management programs, highlighting the need for clear requirements, scoping, target setting, and continuous improvement. Organizations are encouraged to define what they aim to achieve with vulnerability management, set measurable targets, and establish metrics and reporting mechanisms to track progress. The process also involves determining necessary roles, responsibilities, and tools, as well as implementing training and awareness programs to ensure all stakeholders are prepared to respond to vulnerabilities. Continuous improvement is stressed as essential, with organizations advised to start with pragmatic steps and evolve their programs over time. On the disclosure side, the industry recently faced a potential crisis when MITRE, the steward of the CVE catalog, nearly lost U.S. government funding, which could have disrupted the assignment of new vulnerability IDs and slowed global coordination. The last-minute extension of MITRE’s contract by CISA averted this disruption, underscoring the critical role of coordinated vulnerability disclosure. The debate over how vulnerabilities should be disclosed remains contentious, with some advocating for immediate public disclosure to force vendor action, while others warn that this can expose customers to risk before patches are available. The PrintNightmare incident is cited as an example where early disclosure led to widespread emergency mitigations. The lack of global laws governing responsible disclosure means that ethics, customer safety, and reputational risk drive industry behavior. Organizations must balance transparency with the need to protect users from exploitation, and the methods chosen for disclosure can have significant financial, operational, and reputational consequences. Both the management of vulnerabilities within organizations and the broader ecosystem of disclosure practices are evolving, with ongoing discussions about how to best protect customers and maintain trust. The interplay between internal vulnerability management processes and external disclosure frameworks highlights the complexity of the cybersecurity landscape. As new threats emerge and the industry adapts, organizations must remain vigilant in both managing vulnerabilities and participating in responsible disclosure. The recent funding scare with MITRE serves as a reminder of the fragility of the systems that underpin global vulnerability coordination. Ultimately, effective vulnerability management and responsible disclosure are interdependent, requiring collaboration, clear processes, and a commitment to continuous improvement.
Mar 21, 2026
Modern Approaches to Vulnerability and Exposure Management
Organizations are facing an overwhelming volume of software vulnerabilities, with over 40,000 new CVEs published in 2024 alone, making traditional vulnerability management approaches unsustainable. This has led to a shift toward exposure management, which focuses on reducing the active attack surface rather than simply closing vulnerability tickets. Exposure management platforms, such as Spektion, employ advanced techniques like behavioral monitoring and pre-CVE detection to identify and prioritize risks based on real-world exploitability, including the discovery of shadow IT and actively loaded vulnerabilities. To support effective prioritization, the Common Vulnerability Scoring System (CVSS) provides a standardized framework for assessing and communicating the severity of vulnerabilities. The latest version, CVSS v4.0, introduces expanded metric groups and more granular scoring, enabling organizations to better compare vulnerabilities, prioritize mitigation efforts, and communicate risk to stakeholders. Together, these developments in exposure management platforms and vulnerability scoring systems are helping security teams move beyond the "CVE treadmill" and focus resources on the most critical threats.
Mar 21, 2026
Vulnerability Prioritization Shifts Toward Known-Exploited Risk and Centralized Scanning
Security teams are increasingly de-emphasizing *CVSS-only* approaches in favor of prioritizing **known exploited vulnerabilities (KEV)**, driven by evidence that only a small fraction of disclosed CVEs are exploited in the wild. Reporting citing VulnCheck research highlighted that roughly **1% of 40,000+** vulnerabilities disclosed in the prior year saw in-the-wild exploitation, with **network edge devices** disproportionately targeted (reported as **28%** of KEV-impacted products) and recurring exposure across major enterprise stacks including **Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet**. The same research pointed to high-profile exploitation waves such as **SharePoint zero-days** impacting **400+ organizations** and rapid weaponization dynamics like **React2Shell**, which reportedly accumulated **236 public exploits** within a month. In the UK public sector, the Department for Science, Innovation and Technology (DSIT) reported operational improvements from a centralized **Vulnerability Monitoring Service** that continuously scans internet-facing systems across roughly **6,000 organizations** and drives remediation of about **400 confirmed vulnerabilities per month**. DSIT said median remediation time for critical domain-related weaknesses fell to **eight days** (from ~50), other vulnerabilities to **32 days** (from 53), and the backlog of unresolved critical flaws dropped by about **three-quarters**—positioning automated discovery and faster patch cycles as a practical response to long-standing government security shortfalls, even as officials did not quantify exploitation rates or overall compromise trends.
Mar 26, 2026