The Exploitation Velocity Index
A reproducible read on which vendors actually get exploited in the wild — derived entirely from the official CISA Known Exploited Vulnerabilities catalog, not from vendor marketing or estimated severity.
Dataset: CISA KEV catalog v2026.07.01 · 1631 entries · updated 2026-07-05 · Download JSON · Methodology
01Catalog growth velocity
KEV additions per calendar month — the rate at which CISA confirms new in-the-wild exploitation. The trailing 12 months added 240 entries versus 251 in the prior 12 (-4.4% year-over-year). Each bar is one calendar month.
02Which vendors dominate real-world exploitation
Ranked by share of the entire KEV catalog. This is the single most useful patch-prioritization signal most teams ignore: exploitation is heavily concentrated. Microsoft alone accounts for 23.2% of every confirmed in-the-wild exploited vulnerability CISA tracks.
| # | Vendor | KEV entries | Catalog share | Ransomware share | Median deadline |
|---|---|---|---|---|---|
| 1 | Microsoft | 378 | 23.2% | 27.5% | 21d |
| 2 | Cisco | 93 | 5.7% | 6.5% | 21d |
| 3 | Apple | 93 | 5.7% | 0% | 21d |
| 4 | Adobe | 79 | 4.8% | 12.7% | 21d |
| 5 | 72 | 4.4% | 0% | 21d | |
| 6 | Oracle | 44 | 2.7% | 29.5% | 21d |
| 7 | Apache | 39 | 2.4% | 17.9% | 21d |
| 8 | Ivanti | 35 | 2.1% | 34.3% | 21d |
| 9 | Linux | 26 | 1.6% | 7.7% | 21d |
| 10 | D-Link | 26 | 1.6% | 7.7% | 21d |
| 11 | Fortinet | 26 | 1.6% | 50% | 21d |
| 12 | VMware | 26 | 1.6% | 34.6% | 21d |
| 13 | Citrix | 22 | 1.3% | 31.8% | 21d |
| 14 | Synacor | 18 | 1.1% | 27.8% | 21d |
| 15 | Android | 17 | 1% | 0% | 21d |
03Highest assessed urgency — tightest deadlines
Vendors with >=5 KEV entries, ranked by shortest median CISA remediation window (days from catalog addition to federal remediation deadline). A shorter window is CISA signalling higher assessed urgency.
| # | Vendor | Median remediation window | KEV entries |
|---|---|---|---|
| 1 | Juniper | 4 days | 8 |
| 2 | SolarWinds | 14 days | 11 |
| 3 | Microsoft | 21 days | 378 |
| 4 | Cisco | 21 days | 93 |
| 5 | Oracle | 21 days | 44 |
| 6 | Ivanti | 21 days | 35 |
| 7 | 21 days | 72 | |
| 8 | Linux | 21 days | 26 |
| 9 | Android | 21 days | 17 |
| 10 | Palo Alto Networks | 21 days | 15 |
| 11 | Drupal | 21 days | 5 |
| 12 | Trend Micro | 21 days | 12 |
04Dominant weakness categories
The CWE classes most represented across exploited CVEs — where detection and secure-development effort pays off most.
| CWE | Count | Catalog share |
|---|---|---|
| CWE-20 | 118 | 7.2% |
| CWE-78 | 104 | 6.4% |
| CWE-787 | 100 | 6.1% |
| CWE-416 | 92 | 5.6% |
| CWE-119 | 84 | 5.2% |
| CWE-22 | 75 | 4.6% |
| CWE-502 | 67 | 4.1% |
| CWE-94 | 65 | 4% |
| CWE-287 | 39 | 2.4% |
| CWE-843 | 37 | 2.3% |
05Most recent additions
The 10 most recently confirmed in-the-wild exploited CVEs. Detection content for the highest-priority entries is published in our detection pack.
| CVE | Vendor | Added | Window | Ransomware |
|---|---|---|---|---|
| CVE-2026-45659 | Microsoft | 2026-07-01 | 3d | — |
| CVE-2026-48558 | SimpleHelp | 2026-06-29 | 3d | — |
| CVE-2026-12569 | PTC | 2026-06-25 | 3d | — |
| CVE-2026-20230 | Cisco | 2026-06-25 | 3d | — |
| CVE-2025-67038 | Lantronix | 2026-06-23 | 3d | — |
| CVE-2026-34910 | Ubiquiti | 2026-06-23 | 3d | — |
| CVE-2026-34909 | Ubiquiti | 2026-06-23 | 3d | — |
| CVE-2026-34908 | Ubiquiti | 2026-06-23 | 3d | — |
| CVE-2026-20253 | Splunk | 2026-06-18 | 3d | — |
| CVE-2026-48907 | Widget Factory | 2026-06-16 | 3d | — |
06Methodology & reproducibility
✓ How every number on this page is produced
The Exploitation Velocity Index is computed directly from the primary source — the official CISA KEV catalog JSON feed — with no estimation, weighting, or editorial adjustment:
- Source:
known_exploited_vulnerabilities.json(CISA, public domain), catalog version2026.07.01. - Catalog share = a vendor's KEV entry count ÷ total catalog entries.
- Ransomware share = entries where CISA's
knownRansomwareCampaignUsefield equals"Known"÷ that vendor's entries. CISA-confirmed only; no inference. - Remediation window =
dueDate − dateAddedin days, straight from the record. A shorter median window is CISA signalling higher assessed urgency. - Velocity = count of entries grouped by
dateAddedcalendar month.
What this index deliberately does not claim: KEV contains no disclosure-to-exploitation timing, so we publish no such metric. Every figure here is reproducible by re-running the same computation against the same public feed. The machine-readable output is published under CC BY 4.0: exploitation-velocity-index.json.
Turn this data into detections
The concentration this index reveals is only useful if you can act on it. Our detection pack ships traceable Sigma rules for the highest-priority KEV entries — every rule linked to its CVE, KEV date, and vendor advisory.