Tuesday, 29 April 2025

Vulnerability exploitation spikes as Tenable joins Verizon to highlight patching delays

Tenable reveals critical CVEs remain unpatched for over 200 days, risking exploitation, as highlighted in Verizon’s 2025 DBIR.

Vulnerability exploitation has emerged as the initial access point in 20% of data breaches, marking a 34% increase compared to the previous year. This surge now places it alongside credential abuse as one of the most common entry vectors, according to the 2025 Verizon Data Breach Investigations Report (DBIR). To support this year’s report, Tenable contributed enhanced data on the most exploited vulnerabilities and also published its own in-depth analysis focused on patching trends.

Tenable Research analysed more than 160 million data points from its telemetry to assess how quickly organisations are responding to the 17 high-risk Common Vulnerabilities and Exposures (CVEs) spotlighted in the DBIR. The research breaks down patching performance by industry and geography, offering a clearer picture of the challenges facing cybersecurity teams worldwide.

Long patching delays create risk window for attackers

Tenable’s findings paint a concerning picture. On average, organisations are taking 213 days to remediate these critical CVEs, with the Asia-Pacific region faring slightly better at 199 days. Notably, vulnerabilities affecting widely used edge devices—seen as gateways into enterprise networks—remain unresolved for extended periods even under active exploitation.

For example, Citrix vulnerabilities CVE-2023-6548 and CVE-2023-6549 took more than 160 days to be patched by even the fastest three industries. The slowest industry recorded an average of 288 days. Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887 were also particularly slow to be resolved, with remediation times stretching up to 294 days in certain sectors, despite ongoing remote code execution (RCE) threats.

Scott Caveza, senior staff research engineer at Tenable, commented on the urgency in a blog post: “Generally, the most critical vulnerabilities should be at the top of the list, especially for edge devices that serve as a metaphorical door into your environment. The biggest, baddest vulnerability could be a non-issue in some circumstances depending on context.”

Some organisations are responding more quickly

Despite the overall slow patching rate, there were positive signs. Fortinet’s CVE-2024-47575, also known as FortiJump, showed the fastest remediation times. Organisations across various industries resolved this vulnerability in just two to seven days on average.

Another critical issue, SonicWall CVE-2024-40766, which has been used by ransomware groups to gain initial access, was patched in as little as six days within the engineering sector. However, the consulting industry took significantly longer at 52 days. In the Asia-Pacific region, both CVE-2024-47575 and CVE-2024-40766 were remediated in 28 days or less, suggesting that a more rapid response is possible when vulnerabilities are prioritised effectively.

Caveza added, “While 54% of organisations have achieved full remediation of these 17 CVEs, our data revealed the average time to patch was a staggering 209 days. This gap is highly concerning, considering that attackers’ average time-to-exploitation is five days.”

Data underscores urgency for contextual vulnerability management

Tenable emphasised that context plays a vital role in vulnerability prioritisation. Understanding the location of a vulnerability within an environment, the data or systems at risk, ease of exploitation, and whether a proof-of-concept exists can all help determine which issues to fix first.

The collaborative findings from Verizon and Tenable underscore a broader message for security teams: the longer a vulnerability goes unpatched, the greater the opportunity for attackers. As threat actors continue to move faster, often exploiting vulnerabilities within five days of disclosure, organisations must reduce their patching timelines to protect their systems, networks, and users.
