Study Shows 63% of Critical Vulnerabilities Remain Unpatched After 7 Days, Undermining Enterprise Defenses
What Happened — A Qualys analysis of more than one billion CISA Known Exploited Vulnerabilities (KEV) remediation records from 10,000 organizations over the past four years found that the share of critical flaws still open after seven days rose from 56% to 63%, even though the number of remediation tickets grew 6.5‑fold over the same period. In 88% of the 52 high‑profile weaponized vulnerabilities examined, attackers exploited the flaw before the average enterprise had applied a patch.
Why It Matters for TPRM —
- Critical CVEs that stay open inside a vendor's estate are a systemic supply‑chain risk for every organization that depends on that vendor's software or services.
- Traditional "ticket‑close" metrics mask the true exposure window: a closed ticket is not a deployed fix, and the window attackers exploit runs from the moment a working exploit exists, not from the moment a ticket is opened.
- The report's "human ceiling" finding indicates that adding staff alone cannot close the gap, which calls for automated, risk‑driven operational models.
Who Is Affected — All industries that rely on third‑party software and services, especially technology/SaaS, cloud infrastructure, financial services, and healthcare providers that integrate external components.
Recommended Actions —
- Re‑evaluate vendor security questionnaires to include cumulative exposure metrics (e.g., % of critical CVEs open > 7 days), measured from the date a fix became available to the date it was actually deployed rather than from ticket open to ticket close.
- Require vendors to demonstrate autonomous, closed‑loop patching or compensating‑mitigation processes, with evidence of deployment rather than ticket status.
- Prioritize monitoring of CISA KEV listings (including their due dates) and integrate real‑time exploit intelligence into third‑party risk assessments.
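As an added example (not Qualys' methodology or code from the study or from BleepingComputer), the script below computes the two exposure metrics the actions above ask for from a vendor's remediation ledger: the share of critical CVEs open more than seven days, measured both by ticket close and by actual patch deployment, plus time‑to‑exploit (first in‑the‑wild exploitation minus fix availability, negative when the exploit came first) and a check against CISA KEV due dates. The KEV slice uses the real feed's field names (`cveID`, `dateAdded`, `dueDate`) but its CVE IDs and dates are placeholders constructed for this example, and the ledger schema (`RemediationRecord`) is a hypothetical one assumed here.

```python
"""Exposure-window metrics for third-party KEV remediation records.

Added example; not Qualys' methodology or code from the study. Joins a
constructed slice of the CISA KEV feed with a hypothetical vendor patch ledger.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# (real field names; placeholder CVE IDs and dates invented for this example).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-03", "dueDate": "2025-03-24"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2025-04-01", "dueDate": "2025-04-22"},
        {"cveID": "CVE-0000-0004", "dateAdded": "2025-04-15", "dueDate": "2025-05-06"},
    ]
}


@dataclass(frozen=True)
class RemediationRecord:
    """One vendor ledger row (hypothetical schema assumed for this example)."""
    cve_id: str
    fix_available: date               # vendor patch published
    first_exploited: Optional[date]   # first in-the-wild exploitation seen, if any
    ticket_closed: Optional[date]     # remediation ticket closed (None = still open)
    patched: Optional[date]           # fix actually deployed (None = still exposed)


# Hypothetical ledger, constructed so that ticket state and real patch state diverge.
LEDGER = [
    RemediationRecord("CVE-0000-0001", date(2025, 3, 1), date(2025, 2, 22), date(2025, 3, 5), date(2025, 3, 5)),
    RemediationRecord("CVE-0000-0002", date(2025, 3, 8), date(2025, 3, 20), date(2025, 3, 12), date(2025, 4, 10)),
    RemediationRecord("CVE-0000-0003", date(2025, 3, 30), None, date(2025, 4, 2), None),
    RemediationRecord("CVE-0000-0004", date(2025, 4, 12), date(2025, 3, 28), None, date(2025, 4, 14)),
]
AS_OF = date(2025, 5, 1)


def parse_kev(feed: dict) -> dict[str, dict[str, date]]:
    """Index a KEV feed by cveID, parsing dateAdded and dueDate into dates."""
    return {
        v["cveID"]: {"added": date.fromisoformat(v["dateAdded"]),
                     "due": date.fromisoformat(v["dueDate"])}
        for v in feed["vulnerabilities"]
    }


def days_open(rec: RemediationRecord, as_of: date, by_ticket: bool = False) -> int:
    """Days from fix availability until closure. by_ticket=True uses the ticket
    close date (the 'ticket-close' view); False uses the real deployment date.
    Anything still open is counted up to as_of."""
    end = rec.ticket_closed if by_ticket else rec.patched
    return ((end or as_of) - rec.fix_available).days


def share_open_after(records, as_of, days=7, by_ticket=False) -> float:
    """Fraction of records whose window exceeded `days`."""
    return sum(days_open(r, as_of, by_ticket) > days for r in records) / len(records)


def mean_days_open(records, as_of, by_ticket=False) -> float:
    """Average window length under the chosen view."""
    return mean(days_open(r, as_of, by_ticket) for r in records)


def time_to_exploit(records) -> dict[str, int]:
    """first_exploited minus fix_available; negative = exploited before a fix existed."""
    return {r.cve_id: (r.first_exploited - r.fix_available).days
            for r in records if r.first_exploited is not None}


def overdue_against_kev(records, kev, as_of) -> list[str]:
    """CVEs still unpatched past the KEV dueDate (the BOD 22-01 federal deadline, used as a benchmark)."""
    return [r.cve_id for r in records
            if r.patched is None and r.cve_id in kev and as_of > kev[r.cve_id]["due"]]


if __name__ == "__main__":
    kev = parse_kev(KEV_SAMPLE)
    print("open >7d by ticket :", share_open_after(LEDGER, AS_OF, by_ticket=True))
    print("open >7d by patch  :", share_open_after(LEDGER, AS_OF))
    print("mean days by ticket:", mean_days_open(LEDGER, AS_OF, by_ticket=True))
    print("mean days by patch :", mean_days_open(LEDGER, AS_OF))
    print("time-to-exploit    :", time_to_exploit(LEDGER))
    print("overdue vs KEV due :", overdue_against_kev(LEDGER, kev, AS_OF))
```

On the constructed ledger the ticket view reports one in four CVEs open beyond seven days while the deployment view reports two in four, because one ticket was closed a month before the fix was rolled out and another was closed with no fix deployed at all; that gap is what a questionnaire should ask vendors to measure. The `time_to_exploit` values show the same pattern the study describes: two of the three exploited CVEs were attacked before a fix existed.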
Technical Notes — The study tracks CISA KEV data, focusing on weaponized vulnerabilities such as Spring4Shell (exploited 2 days before disclosure, average remediation 266 days) and the Cisco IOS XE flaw (exploited roughly a month before disclosure, average remediation 263 days). The underlying problem is the operational model rather than a lack of effort: mean time‑to‑exploit has collapsed to ‑7 days, meaning that on average a working exploit appears a week before a patch exists. Source: BleepingComputer