I just came across the Zero Day Clock, and I love it. Everyone should go there, see the stats, see the trends, and figure out what that means for your ongoing and future patch management plans.
Article Summary
- Most exploited vulnerabilities are zero-days
- Less than 2% of publicly known vulnerabilities are ever exploited
- Time from public disclosure to first exploitation is less than two days and falling
- AI will make these facts even worse
- Defenders need to update their patch management strategy and process to account for the vulnerability exploitation reality
The Zero Day Clock has super important statistics everyone should know and commit to memory. It has four charts that speak to the importance of vulnerabilities, patching, and the decreasing time to patch. I will cover three of the four charts below (but in a different order than the site lists them).
Percentage of Zero-Days versus Non-Zero Days
Zero-days are vulnerabilities that are exploited by real-world attackers before the general public and/or vendors knew about them and/or before a patch was available to remediate them. Someone always knows about zero-days because someone is actually using them. Sometimes the vendor is aware of them but has not gotten around to patching them. But most of the time, the vendor is not aware of them. They can be known by nation-states or regular attackers, and/or sold on high-end vulnerability marketplaces.
Historically, for decades, zero-days were a small percentage of total vulnerabilities and were not a big deal. Even when they did exist, they were used far less in the real-world than regular, publicly known exploits. You could almost ignore them. Then, in 2024, 50% of announced vulnerabilities were already exploited as zero-days. A Rubicon was passed! Today, over 67% of exploited vulnerabilities are zero-days.
Most vulnerabilities are not zero-days, but most of the ones that real-world criminals actually exploit against real-world victims are.
This means a few things. First, there is at least some level of exploitation before a patch is available. That means you need mitigations that help before a patch exists, whatever those are. It probably includes some sort of very good intrusion detection. And it means you have less time to patch once a patch is available (more on that below).
Percentage of CVEs Actually Exploited

It has always been the case that only a small percentage of publicly known vulnerabilities are actually exploited by real-world criminals against real-world targets. The rest are just announced and not exploited by criminals. So, we may have many tens of thousands of publicly known vulnerabilities, but most are not exploited by real-world criminals.
For the decades I have been following it, I have often written that the rate of exploitation was 2% or less. According to CISA, the exploit rate was 4%. That was higher than I personally tracked, but still pretty low.
According to the Zero Day Clock, my 2% rate was closer to reality than the 4% CISA quoted rate. Today, it is less than 1%.
Most publicly known vulnerabilities are not exploited. The trick is figuring out which vulnerabilities to pay attention to and patch quickest. You definitely need to worry about, and patch first, the vulnerabilities being actively attacked. Then concentrate on the things most likely to be attacked. For that, as a free source, I pay attention to vendor or CVE CVSS scores.
If a known vulnerability has a CVSS rating of seven or higher, you probably need to patch as quickly as possible. Everything else is secondary, unless you have a good reason to concentrate on it. Traditionally, that has been about one-fourth to one-third of total vulnerabilities.
Now, you should see an immediate irony there. Although 25% - 33% of publicly known vulnerabilities are rated high or critical, less than 2% are actually exploited. I am not sure that a vulnerability never exploited should have a very high risk score, but that is up for debate.
If you understand that difference and how that impacts your patch management process, you will lower real cybersecurity risk better.
It is likely that AI will create and find more vulnerabilities and exploit more of them (in pure numbers). Whether that makes the existing exploit rate climb, we will see. But if I had to guess, I would guess the exploit rate will rise over the historical average. I have no real support for that claim, other than that I think AI-enabled hack bots will find and exploit more vulnerabilities than the human adversaries of the past.
The overall lesson is that you need to worry more about exploited vulnerabilities than you do all vulnerabilities. To do that, follow CISA’s Known Exploited Vulnerabilities Catalog list.
Time To Exploitation

The last chart I want to cover is the time from public CVE disclosure to exploitation by a real-world criminal. Remember, over 67% of exploited vulnerabilities are exploited before public CVE disclosure. This is how long it takes real-world criminals to exploit a newly publicly disclosed vulnerability.
You can see from the chart that it used to be measured in years and months. Today, it is less than two days. Because of AI, we can expect that rate to drop to under an hour this year.
Traditionally, defenders were told they had a month to get fully patched. In the last few years, the best patch management advice has been to have it done in a week or less.
A week might be too long.
The reality is that patch managers probably need to patch publicly disclosed vulnerabilities that are being exploited in a day or less.
That is insane!
Theoretically, it requires lots of testing before you deploy a patch (but most organizations and people have never done that). A day or two to patch means very quick patching.
Most defenders probably need some sort of patch management tool, probably AI-enabled, to take over the patch management process (if not just on auto-pilot for quick patching). The AI will need to make sure anything currently being exploited is patched ASAP, followed by the higher-criticality publicly known vulnerabilities that are most likely to be exploited.
You might even need an AI-enabled tool that looks for, finds, and remediates new zero-days it finds in your environment, or some other offsetting mitigation. Either way, the time to patch is being significantly reduced. It always has been, even before AI, but with AI, we are trending towards days and minutes to be patch-ready.
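The triage order argued for above (anything on CISA's Known Exploited Vulnerabilities list first, then CVSS 7 or higher, then everything else) and the shrinking patch windows (a day for exploited, a week for high, the traditional month for the rest), as an added example that is not part of the original post. The KEV-shaped feed, CVE ids and CVSS scores are constructed, and the field names "vulnerabilities" and "cveID" are assumed to match the catalog's JSON.

```python
"""Patch triage: actively exploited first, then CVSS, each with a patch window.
Added example, not from the post. The KEV-shaped feed, CVE ids and CVSS scores are
constructed; "vulnerabilities"/"cveID" are assumed to be the catalog's field names;
the windows (1 day exploited, 7 days CVSS >= 7, 30 days other) follow the post."""
import json
from datetime import date, timedelta
KEV_FEED_JSON = '''{"vulnerabilities": [
  {"cveID": "CVE-EXAMPLE-0001", "dateAdded": "2025-01-10"},
  {"cveID": "CVE-EXAMPLE-0004", "dateAdded": "2025-01-12"}]}'''
INVENTORY = [  # (CVE id, CVSS base score) present on hosts you manage
    ("CVE-EXAMPLE-0001", 5.4),  # exploited, but only "medium" by score
    ("CVE-EXAMPLE-0002", 9.8),  # critical, no known exploitation
    ("CVE-EXAMPLE-0003", 7.5),  # high, no known exploitation
    ("CVE-EXAMPLE-0004", 8.1),  # exploited and high
    ("CVE-EXAMPLE-0005", 3.1),  # low
]
WINDOW_DAYS = {"exploited": 1, "high": 7, "other": 30}
TIER_ORDER = {"exploited": 0, "high": 1, "other": 2}

def load_kev_ids(feed_json):
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}

def tier(cve_id, cvss, kev_ids):
    # Known exploitation beats severity: a KEV entry is top tier whatever its CVSS.
    if cve_id in kev_ids:
        return "exploited"
    return "high" if cvss >= 7.0 else "other"

def triage(inventory, kev_ids, today_iso):
    """Rows sorted by tier, then highest CVSS first, each with an ISO due date."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve_id, cvss in inventory:
        t = tier(cve_id, cvss, kev_ids)
        rows.append({"cve": cve_id, "cvss": cvss, "tier": t,
                     "due": (today + timedelta(days=WINDOW_DAYS[t])).isoformat()})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["cvss"]))
    return rows

def high_vs_exploited_share(inventory, kev_ids):
    """The post's irony in numbers: share rated CVSS >= 7 vs share actually exploited."""
    n = len(inventory)
    high = sum(1 for _, s in inventory if s >= 7.0) / n
    exploited = sum(1 for c, _ in inventory if c in kev_ids) / n
    return high, exploited

if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED_JSON)
    for r in triage(INVENTORY, kev, "2025-01-15"):
        print(f"{r['cve']}  CVSS {r['cvss']:<4}  {r['tier']:<9}  patch by {r['due']}")
```

Note that the medium-scored CVE-EXAMPLE-0001 lands ahead of the 9.8 that nobody is exploiting, which is the whole point of sorting on exploitation before severity.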
The ultimate defense is to have fewer exploitable vulnerabilities to start with. But as I already said in my last related article on vulnerabilities, that is not likely to happen soon, not until our AI vibe coding and related processes result in fewer bugs per line of code.
If you are a defender in charge of patch management (and you are in charge of your personal devices already if nothing else), make sure your current and future patch plans include the lessons that the Zero Day Clock is teaching. They are important.
