Breachroad
Vulnerabilities

Critical CVEs of 2026: when exploits beat the patch

2026 confirms a worrying trend: vulnerabilities are exploited faster than vendors ship patches. What it means for defence and how to keep up.

Karol Rapacz
30 June 2026 · 7 min read

If the critical vulnerabilities of 2026 point to one conclusion, it’s this: the exploit increasingly beats the patch. This isn’t a feeling — it’s a measurable trend that changes how defence has to be built.

Exploitation beats disclosure

Analyses of 2025–2026 data show the mean time to exploit has turned negative — flaws are being used in attacks before the vendor officially discloses them and ships a fix. We saw it first-hand: the zero-days in Ivanti EPMM were attacked before publication, and critical flaws in Fortinet FortiClient EMS landed in the CISA KEV as actively exploited.

The uncomfortable consequence: the “we’ll patch it in the next maintenance window” model no longer suffices for internet-facing systems.

Edge appliances are the front line

The pattern is clear. Among the ransomware-associated, KEV-flagged vulnerabilities, a significant share affect edge appliances — VPN gateways, firewalls and management servers from Citrix, Ivanti or Fortinet. The reason is simple: they’re publicly reachable and have privileged access to the rest of the network. One compromise gives the attacker a foothold and a bridge inside.

They’re also the most common entry door for ransomware attacks — which is why we describe fast patching of edge systems as one of the pillars of defending against ransomware.

A low CVSS doesn’t mean safe

2026 also delivered a pointed lesson about prioritisation: the SharePoint zero-day scored just 6.5 in CVSS, yet still landed in the KEV with a hard deadline — because it was actively exploited. On the other hand, wormable flaws like CVE-2026-33827 in Windows TCP/IP show that some vulnerabilities demand emergency mode regardless of the rest of the schedule.

How to keep up — a practical process

  1. Prioritise by active exploitation, not CVSS alone. Wire the CISA KEV catalog and EPSS scores into your process and compare your inventory against them daily, so you know what is actually being attacked. We expand on this in our piece on vulnerability prioritisation.
  2. Keep a full inventory of internet-facing systems — you can’t protect what you don’t know about.
  3. Build an emergency patching path for critical flaws — defined in advance, rehearsed, with clear ownership.
  4. Reduce exposure. Keep management interfaces, VPNs and portals behind allowlists, not on the open internet.
  5. Assume compromise of edge devices that were exposed and unpatched — hunt for IOCs, don’t just patch.
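The five steps above as one added triage script (example code, not Breachroad's own process or tooling): it ranks a constructed inventory by KEV membership, wormability and EPSS before CVSS, so a KEV-listed CVSS 6.5 flaw outranks an unexploited 9.1, and it flags exposed KEV hosts for IOC hunting. All CVE ids, hosts, scores and dates are placeholders.

```python
"""Risk-driven patch triage: KEV, wormability and EPSS outrank CVSS. Added example,
not Breachroad's tooling; every CVE id, host, score and date is a constructed placeholder."""
from datetime import date

# Constructed inventory of assets with one open CVE each (step 2: know your exposure).
INVENTORY = [
    {"host": "vpn-gw-01", "cve": "CVE-0000-0001", "cvss": 9.8, "exposed": True},
    {"host": "sp-portal", "cve": "CVE-0000-0002", "cvss": 6.5, "exposed": True},
    {"host": "win-srv-07", "cve": "CVE-0000-0003", "cvss": 9.0, "exposed": False},
    {"host": "crm-web", "cve": "CVE-0000-0004", "cvss": 9.1, "exposed": True},
]
# Constructed stand-ins for the KEV feed (CVE -> remediation due date) and EPSS scores.
KEV_DUE = {"CVE-0000-0001": date(2026, 7, 7), "CVE-0000-0002": date(2026, 7, 14)}
EPSS = {"CVE-0000-0001": 0.94, "CVE-0000-0002": 0.61, "CVE-0000-0003": 0.12, "CVE-0000-0004": 0.02}
WORMABLE = {"CVE-0000-0003"}   # set by the analyst from the advisory text
EPSS_THRESHOLD = 0.30          # above this, patch this week even outside KEV


def classify(item, today, kev_due=KEV_DUE, epss=EPSS, wormable=WORMABLE):
    """Return the item plus tier, actions and a sort key; KEV/wormable beat CVSS."""
    cve = item["cve"]
    in_kev, is_worm = cve in kev_due, cve in wormable
    score = epss.get(cve, 0.0)
    actions = []
    if in_kev or is_worm:
        tier = "emergency"                      # step 3: pre-built emergency path
        actions.append("emergency patch")
        if in_kev:
            days_left = (kev_due[cve] - today).days
            actions.append("KEV overdue" if days_left < 0 else f"KEV due in {days_left}d")
        if in_kev and item["exposed"]:
            actions.append("assume compromise: hunt for IOCs")   # step 5
    elif score >= EPSS_THRESHOLD:
        tier, actions = "high", ["patch this week"]
    else:
        tier, actions = "routine", ["next maintenance window"]
    if item["exposed"]:
        actions.append("reduce exposure: allowlist")   # step 4
    key = (in_kev, is_worm, score, item["cvss"])    # step 1: exploitation before CVSS
    return {**item, "tier": tier, "epss": score, "actions": actions, "_key": key}


def triage(inventory=INVENTORY, today="2026-06-30"):
    today = date.fromisoformat(today) if isinstance(today, str) else today
    ranked = sorted((classify(i, today) for i in inventory), key=lambda r: r["_key"], reverse=True)
    return [{k: v for k, v in r.items() if k != "_key"} for r in ranked]


if __name__ == "__main__":
    for r in triage():
        print(f'{r["cve"]:14} cvss={r["cvss"]:<4} epss={r["epss"]:.2f} {r["tier"]:9} {"; ".join(r["actions"])}')
```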

The “exploit before patch” trend won’t reverse on its own. The winners are organisations that turned patching from an annual project into a continuous, risk-driven process. If you’d like to set up such a process or review your exposure, get in touch.


Sources and further reading: CISA KEV, FIRST — EPSS, The Hacker News.
