Vulnerability Prioritization Shifts Toward Known-Exploited Risk and Centralized Scanning
Security teams are increasingly de-emphasizing CVSS-only approaches in favor of prioritizing known exploited vulnerabilities (KEV), driven by evidence that only a small fraction of disclosed CVEs are exploited in the wild. Reporting citing VulnCheck research highlighted that roughly 1% of 40,000+ vulnerabilities disclosed in the prior year saw in-the-wild exploitation, with network edge devices disproportionately targeted (reported as 28% of KEV-impacted products) and recurring exposure across major enterprise stacks including Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet. The same research pointed to high-profile exploitation waves such as SharePoint zero-days impacting 400+ organizations and rapid weaponization dynamics like React2Shell, which reportedly accumulated 236 public exploits within a month.
In the UK public sector, the Department for Science, Innovation and Technology (DSIT) reported operational improvements from a centralized Vulnerability Monitoring Service that continuously scans internet-facing systems across roughly 6,000 organizations and drives remediation of about 400 confirmed vulnerabilities per month. DSIT said median remediation time for critical domain-related weaknesses fell to eight days (from ~50), other vulnerabilities to 32 days (from 53), and the backlog of unresolved critical flaws dropped by about three-quarters—positioning automated discovery and faster patch cycles as a practical response to long-standing government security shortfalls, even as officials did not quantify exploitation rates or overall compromise trends.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
VulnCheck highlights KEV-based prioritization and edge-device targeting
VulnCheck reported that vulnerability prioritization remains difficult because only a small share of disclosed flaws are exploited in the wild, arguing that defenders should focus more on known exploited vulnerabilities than CVSS alone. The report also found network edge devices accounted for 28% of products affected by KEV, with vendors such as Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet frequently targeted.
UK reports sharply faster remediation and reduced critical backlog
DSIT said median fix times for critical domain-related weaknesses fell to eight days from about 50 days, while other vulnerabilities dropped to 32 days from 53 days. The government also reported that the backlog of unresolved critical flaws had been reduced by about three-quarters.
UK deploys central vulnerability scanning across public sector
The UK government deployed the Vulnerability Monitoring Service, an automated central capability that continuously scans internet-facing systems used by public bodies. According to DSIT, the service covers about 6,000 organizations and drives remediation of roughly 400 confirmed vulnerabilities per month.
Linux kernel CVE surge in 2025 becomes major defender triage challenge
The Linux kernel community's move to act as a CVE Numbering Authority led to a sharp increase in kernel CVEs entering security feeds, and the kernel became the most vulnerable technology by raw CVE count in 2025. The resulting disclosure volume was described as overwhelming defenders and increasing the risk that practically exploitable kernel flaws would be missed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Great Patching Lessons To Learn From The Zero Day Clock
blog.knowbe4.com
Open sourceLinux kernel scale is swamping an already-flawed CVE system - The New Stack
thenewstack.io
Open sourceExpert: Vulnerability prioritization is a persistent problem | brief | SC Media
scworld.com
Open sourceAfter years of government cyber trouble, UK turns to automated scanning to speed fixes | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Record Surge in CVE Disclosures and Microsoft Vulnerabilities in 2025
In 2025, the cybersecurity landscape was marked by an unprecedented surge in vulnerability disclosures, with nearly 49,209 CVEs published—representing a 43% increase over the previous year. Microsoft alone issued mitigations for 1,246 CVEs, including 158 rated as critical, and faced 41 zero-day vulnerabilities. Security experts noted that while the volume of vulnerabilities reached new highs, the real risk stemmed from a small subset that were actively exploited, particularly those affecting Microsoft platforms and edge devices. Attackers increasingly leveraged AI and new tactics to exploit vulnerabilities faster, often timing attacks around Patch Tuesday cycles to maximize impact before organizations could apply updates. The overwhelming number of vulnerabilities forced security teams to rethink their prioritization strategies, as traditional severity ratings like CVSS proved insufficient for predicting exploitation. Instead, models such as the Exploit Prediction Scoring System (EPSS) and asset criticality became essential for identifying which vulnerabilities posed the greatest risk. State-sponsored actors and ransomware groups were responsible for a significant portion of exploitation activity, with remote code execution and privilege escalation flaws being the most targeted. Experts emphasized the need for rapid, risk-based patching and a shift away from patching solely based on severity scores, as attackers focused on speed, exposure, and critical assets rather than the sheer number of vulnerabilities disclosed.
Mar 21, 2026
Rising exploitation pressure from zero-days and known exploited vulnerabilities
Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both **zero-day** activity and the growing backlog of **known exploited vulnerabilities (KEVs)**. A Talos retrospective counted **48,196 CVEs in 2025** and **241 KEVs** (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting **network edge infrastructure** (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems. Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said **Latin America** is seeing substantially higher weekly attack volume than the US (including higher proportions of **ransomware** and **infostealer** activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the *Coruna* **iOS exploit kit** rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.
Mar 21, 2026
UK Government Vulnerability Monitoring System Cuts Public-Sector Remediation Times
The UK Department for Science, Innovation and Technology (**DSIT**) reported that its **Vulnerability Monitoring System (VMS)** is significantly reducing remediation times for internet-facing public-sector systems by continuously scanning roughly **6,000** government/public-sector websites and services. VMS uses a mix of commercial and proprietary tooling to check for about **1,000** vulnerability types, with a particular focus on **domain/DNS-related weaknesses** that could be abused by attackers; DSIT said median remediation time for DNS/domain issues fell from about **50 days to 8 days** (an **84%** improvement), while median time to fix other vulnerabilities dropped from **53 days to 32 days**. DSIT also stated the service is clearing a substantial volume of risk, resolving around **400 confirmed vulnerabilities per month** and reducing the backlog of critical open domain-related issues by about **75%**. The program is positioned as part of the government’s *Blueprint for Modern Digital Government* (published January 2025), with Minister for Digital Government **Ian Murray** emphasizing operational impacts of cyberattacks on public services (e.g., NHS disruption) and announcing a related workforce initiative to build a stronger pipeline of cybersecurity talent across DSIT and the UK’s National Cyber Security Centre (**NCSC**).
Mar 21, 2026