Critical CVEs of 2026: when exploits beat the patch
2026 confirms a worrying trend: vulnerabilities are exploited faster than vendors ship patches. What it means for defence and how to keep up.
If the critical vulnerabilities of 2026 point to one conclusion, it’s this: the exploit increasingly beats the patch. This isn’t a feeling — it’s a measurable trend that changes how defence has to be built.
Exploitation beats disclosure
Analyses of 2025–2026 data show the mean time to exploit has turned negative — flaws are being used in attacks before the vendor officially discloses them and ships a fix. We saw it first-hand: the zero-days in Ivanti EPMM were attacked before publication, and critical flaws in Fortinet FortiClient EMS landed in the CISA KEV as actively exploited.
The uncomfortable consequence: the “we’ll patch it in the next maintenance window” model no longer suffices for internet-facing systems.
Edge appliances are the front line
The pattern is clear. Among the ransomware-associated, KEV-flagged vulnerabilities, a significant share affect edge appliances — VPN gateways, firewalls and management servers from Citrix, Ivanti or Fortinet. The reason is simple: they’re publicly reachable and have privileged access to the rest of the network. One compromise gives the attacker a foothold and a bridge inside.
They’re also the most common entry door for ransomware attacks — which is why we describe fast patching of edge systems as one of the pillars of defending against ransomware.
A low CVSS doesn’t mean safe
2026 also delivered a pointed lesson about prioritisation: the SharePoint zero-day scored just 6.5 in CVSS, yet still landed in the KEV with a hard deadline — because it was actively exploited. On the other hand, wormable flaws like CVE-2026-33827 in Windows TCP/IP show that some vulnerabilities demand emergency mode regardless of the rest of the schedule.
How to keep up — a practical process
- Prioritise by active exploitation, not CVSS alone. Wire the CISA KEV catalog and the EPSS score into your process — a daily comparison against what’s actually being attacked. We expand on this in our piece on vulnerability prioritisation.
- Keep a full inventory of internet-facing systems — you can’t protect what you don’t know about.
- Build an emergency patching path for critical flaws — defined in advance, rehearsed, with clear ownership.
- Reduce exposure. Keep management interfaces, VPNs and portals behind allowlists, not on the open internet.
- Assume compromise of edge devices that were exposed and unpatched — hunt for IOCs, don’t just patch.
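As an added example (not code from the original article), a small Python prioritisation pass that joins a constructed inventory against constructed samples in the shape of the CISA KEV feed and the FIRST EPSS API; the field names mirror those public formats, every CVE id other than CVE-2026-33827 is a placeholder, and the tiering rules in `tier()` are an assumption, not a published standard.

```python
import json
from dataclasses import dataclass
# Constructed sample in the shape of the CISA KEV feed; CVE-2026-33827 is the
# Windows TCP/IP flaw named above, the other CVE ids are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33827", "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-00001", "dueDate": "2026-03-01", "knownRansomwareCampaignUse": "Known"},
]})
# Constructed sample in the shape of the FIRST EPSS API (probabilities arrive as strings).
EPSS_JSON = json.dumps({"data": [
    {"cve": "CVE-2026-33827", "epss": "0.91"},
    {"cve": "CVE-2026-00002", "epss": "0.72"},
    {"cve": "CVE-2026-00003", "epss": "0.01"},
]})

@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_facing: bool

def load_kev(raw: str) -> dict:
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def load_epss(raw: str) -> dict:
    return {d["cve"]: float(d["epss"]) for d in json.loads(raw)["data"]}

def tier(f: Finding, kev: dict, epss: dict, epss_threshold: float = 0.5) -> str:
    """Assumed rules: emergency = exploited in the wild on an exposed asset or tied to
    ransomware; urgent = in KEV anywhere or EPSS above threshold; scheduled = the rest."""
    entry = kev.get(f.cve)
    if entry and (f.internet_facing or entry.get("knownRansomwareCampaignUse") == "Known"):
        return "emergency"
    if entry or epss.get(f.cve, 0.0) >= epss_threshold:
        return "urgent"
    return "scheduled"

def prioritise(findings, kev, epss):
    """Order by tier first, then EPSS, then CVSS; CVSS alone never drives the top."""
    rank = {"emergency": 0, "urgent": 1, "scheduled": 2}
    return [(f.cve, f.asset, tier(f, kev, epss)) for f in sorted(
        findings, key=lambda f: (rank[tier(f, kev, epss)], -epss.get(f.cve, 0.0), -f.cvss))]

INVENTORY = [  # constructed findings from an asset inventory
    Finding("CVE-2026-00003", "build-server", 9.8, False),  # high CVSS, no exploitation signal
    Finding("CVE-2026-00001", "vpn-gateway", 6.5, True),    # low CVSS, but in KEV and ransomware-linked
    Finding("CVE-2026-33827", "file-server", 9.8, False),   # in KEV, internal host
    Finding("CVE-2026-00002", "web-portal", 7.5, True),     # not in KEV, but EPSS is high
]

def daily_report():
    return prioritise(INVENTORY, load_kev(KEV_JSON), load_epss(EPSS_JSON))
```

Run daily against the live feeds and the 6.5-scored gateway flaw lands at the top while the 9.8 on the build server waits for a normal window, which is the point of the first step above.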
The “exploit before patch” trend won’t reverse on its own. The winners are organisations that turned patching from an annual project into a continuous, risk-driven process. If you’d like to set up such a process or review your exposure, get in touch.
Sources and further reading: CISA KEV, FIRST — EPSS, The Hacker News.