HomeResearch › Exploitation Velocity Index
Original Research · Reproducible Data

The Exploitation Velocity Index

A reproducible read on which vendors actually get exploited in the wild — derived entirely from the official CISA Known Exploited Vulnerabilities catalog, not from vendor marketing or estimated severity.

Dataset: CISA KEV catalog v2026.07.01 · 1631 entries · updated 2026-07-05 · Download JSON · Methodology

1631
confirmed in-the-wild exploited CVEs in the catalog
20.1%
linked to a known ransomware campaign (328 CVEs)
21d
median CISA remediation window (add → federal deadline)
240
new exploited CVEs confirmed in the trailing 12 months

01Catalog growth velocity

KEV additions per calendar month — the rate at which CISA confirms new in-the-wild exploitation. The trailing 12 months added 240 entries versus 251 in the prior 12 (-4.4% year-over-year). Each bar is one calendar month.

25-02
25-03
25-04
25-05
25-06
25-07
25-08
25-09
25-10
25-11
25-12
26-01
26-02
26-03
26-04
26-05
26-06
26-07

02Which vendors dominate real-world exploitation

Ranked by share of the entire KEV catalog. This is the single most useful patch-prioritization signal most teams ignore: exploitation is heavily concentrated. Microsoft alone accounts for 23.2% of every confirmed in-the-wild exploited vulnerability CISA tracks.

#VendorKEV entriesCatalog shareRansomware shareMedian deadline
1 Microsoft 378 23.2% 27.5% 21d
2 Cisco 93 5.7% 6.5% 21d
3 Apple 93 5.7% 0% 21d
4 Adobe 79 4.8% 12.7% 21d
5 Google 72 4.4% 0% 21d
6 Oracle 44 2.7% 29.5% 21d
7 Apache 39 2.4% 17.9% 21d
8 Ivanti 35 2.1% 34.3% 21d
9 Linux 26 1.6% 7.7% 21d
10 D-Link 26 1.6% 7.7% 21d
11 Fortinet 26 1.6% 50% 21d
12 VMware 26 1.6% 34.6% 21d
13 Citrix 22 1.3% 31.8% 21d
14 Synacor 18 1.1% 27.8% 21d
15 Android 17 1% 0% 21d

03Highest assessed urgency — tightest deadlines

Vendors with >=5 KEV entries, ranked by shortest median CISA remediation window (days from catalog addition to federal remediation deadline). A shorter window is CISA signalling higher assessed urgency.

#VendorMedian remediation windowKEV entries
1 Juniper 4 days 8
2 SolarWinds 14 days 11
3 Microsoft 21 days 378
4 Cisco 21 days 93
5 Oracle 21 days 44
6 Ivanti 21 days 35
7 Google 21 days 72
8 Linux 21 days 26
9 Android 21 days 17
10 Palo Alto Networks 21 days 15
11 Drupal 21 days 5
12 Trend Micro 21 days 12

04Dominant weakness categories

The CWE classes most represented across exploited CVEs — where detection and secure-development effort pays off most.

CWECountCatalog share
CWE-20 118 7.2%
CWE-78 104 6.4%
CWE-787 100 6.1%
CWE-416 92 5.6%
CWE-119 84 5.2%
CWE-22 75 4.6%
CWE-502 67 4.1%
CWE-94 65 4%
CWE-287 39 2.4%
CWE-843 37 2.3%

05Most recent additions

The 10 most recently confirmed in-the-wild exploited CVEs. Detection content for the highest-priority entries is published in our detection pack.

CVEVendorAddedWindowRansomware
CVE-2026-45659 Microsoft 2026-07-01 3d
CVE-2026-48558 SimpleHelp 2026-06-29 3d
CVE-2026-12569 PTC 2026-06-25 3d
CVE-2026-20230 Cisco 2026-06-25 3d
CVE-2025-67038 Lantronix 2026-06-23 3d
CVE-2026-34910 Ubiquiti 2026-06-23 3d
CVE-2026-34909 Ubiquiti 2026-06-23 3d
CVE-2026-34908 Ubiquiti 2026-06-23 3d
CVE-2026-20253 Splunk 2026-06-18 3d
CVE-2026-48907 Widget Factory 2026-06-16 3d

06Methodology & reproducibility

✓ How every number on this page is produced

The Exploitation Velocity Index is computed directly from the primary source — the official CISA KEV catalog JSON feed — with no estimation, weighting, or editorial adjustment:

What this index deliberately does not claim: KEV contains no disclosure-to-exploitation timing, so we publish no such metric. Every figure here is reproducible by re-running the same computation against the same public feed. The machine-readable output is published under CC BY 4.0: exploitation-velocity-index.json.

Turn this data into detections

The concentration this index reveals is only useful if you can act on it. Our detection pack ships traceable Sigma rules for the highest-priority KEV entries — every rule linked to its CVE, KEV date, and vendor advisory.