Impacting the โdyldโ system component, the memory corruption issue can be exploited for arbitrary code execution.
The post Apple Patches iOS Zero-Day Exploited in โExtremely Sophisticated Attackโ appeared first on SecurityWeek.
In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the โturn-keyโ weapon of choice for modern threat actors.
Table Of Contents
The race between defenders and threat actors has entered a new, more volatile phase: the rapidly accelerating exploitation of N-day vulnerabilities. Different from zero-days, N-day vulnerabilities are known security flaws that have been publicly disclosed but remain unpatched or unmitigated on an organizationโs systems.
Historically, enterprises operated under the assumption of a โpatching grace period,โ the designated window of time allowed for a vendor to test and deploy a fix before a system is considered non-compliant or at high risk. However, this window is effectively collapsing, with Flashpoint finding that N-days now represent over 80% of all Known Exploited Vulnerabilities (KEVs) tracked over the past four years.
The most sobering trend for security operations (SecOps) and exposure management teams is the dramatic reduction in Time to Exploit (TTE). In 2020, the average TTE, the time between a vulnerabilityโs disclosure and its first observed exploitation, was 745 days. By 2025, Flashpoint found that this window has now plummeted to an average of just 44 days.
| 2025 | 2024 | 2023 | 2022 | 2021 | 2020 | |
| Average TTE | 44 | 115 | 296 | 405 | 518 | 745 |
This contraction represents a strategic shift in adversary tempo. Attackers are no longer waiting for complex, bespoke exploits; they are moving at breakneck speeds to weaponize public disclosures.
Adversaries have gained a significant advantage through the rapid weaponization of researcher-published Proof-of-Concept (PoC) code. When a fully functional exploit is released alongside a vulnerability disclosure, it becomes a โturn-keyโ solution for attackers. By combining these ready-made exploits with internet-wide scanning tools like Shodan or FOFA, even unsophisticated threat actors can conduct mass exploitation across large segments of the internet in hours.
A prime example of this path of least resistance approach was observed in the leaked internal chat logs of the BlackBasta ransomware group. Analysis revealed that of the 65 CVEs discussed by the group, 54 were already known KEVs. Rather than spending resources on original zero-day research, threat actors are simply leveraging known, yet unpatched and exploitable vulnerabilities for their campaigns.
The very software designed to protect enterprise firewalls, VPN gateways, and edge networking devices is consistently the most targeted category for both N-day and zero-day exploitation.
Because cybersecurity devices must be internet-facing to function, they provide a constant, unauthenticated attack surface. In 2025 alone, Flashpoint observed 37 N-days and 52 zero-days specifically targeting security and perimeter software. The requirement for these systems to remain open to external traffic means they will continue to be disproportionately targeted by advanced persistent threat (APT) groups and cybercriminals alike.
While tracking the โhowโ of an attack is critical, tracking who is responsible remains a fragmented challenge for the industry. Attribution is often hampered by naming fatigue, where different vendors assign their own designated unique monikers to the same actor. For instance, the widely known threat actor group Lazarus has over 40 distinct designations across the industry, including โDiamond Sleet,โ โNICKEL ACADEMY,โ and โGuardians of Peaceโ.
Despite these naming complexities, global activity patterns remain clear. China remains the most active nation-state actor in the vulnerability exploitation space, consistently outpacing Russia, Iran, and North Korea in both the volume and scope of their campaigns.
Why are organizations struggling to keep pace? The primary factor isnโt a lack of effort, but a lack of visibility.
The single greatest breakthrough an enterprise can achieve is not a new AI tool, but a complete asset inventory. Most large organizations are lucky to have an accurate inventory of even 25% of their total assets. Without knowing what you own, vulnerability scans can take days or weeks to return results that the adversary is already using to probe your network.
Most traditional security tools are CVE-dependent. However, thousands of vulnerabilities are disclosed every year that never receive an official CVE ID. These โmissingโ vulnerabilities represent a massive blindspot for standard scanners. Intelligence-led exposure management requires looking beyond the CVE ecosystem into proprietary databases like Flashpointโs VulnDB
, which tracks over 105,000 vulnerabilities that public sources miss.
To survive in an era where weaponization can happen in under 24 hours, organizations must shift from reactive patching to a threat-informed and proactive security approach. This means:
The goal of exposure management is to look at your organization through the adversaryโs lens. By understanding which N-days threat actors are actually discussing and weaponizing in the wild, defenders can finally start to close the window of exposure before a potential compromise can occur.
Flashpointโs vulnerability threat intelligence can help your organization go from reactive to proactive. Request a demo today and gain access to quality vulnerability intelligence that enables intelligence-led exposure management.
The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of โTurn-Keyโ Exploitation appeared first on Flashpoint.
It also fixed a high-severity authentication bypass that could be exploited remotely without authentication to obtain credentials.
The post Ivanti Patches Endpoint Manager Vulnerabilities Disclosed in October 2025 appeared first on SecurityWeek.
More than two dozen advisories have been published by the chip giants for vulnerabilities found recently in their products.
The post Chipmaker Patch Tuesday: Over 80 Vulnerabilities Addressed by Intel and AMD appeared first on SecurityWeek.
The bugs could be exploited without authentication for command execution and authentication bypass.
The post Fortinet Patches High-Severity Vulnerabilities appeared first on SecurityWeek.
Dozens of vulnerabilities, bugs, and potential improvements have been identified by the tech giantsโ security teams.
The post Google-Intel Security Audit Reveals Severe TDX Vulnerability Allowing Full Compromise appeared first on SecurityWeek.
The KEV list is useful but largely misunderstood. KEVology explains what it is, and how best to use it.
The post New Paper and Tool Help Security Teams Move Beyond Blind Reliance on CISAโs KEV Catalog appeared first on SecurityWeek.
The security defect allows unauthenticated attackers to execute arbitrary code remotely via malicious HTTP requests.
The post Critical SmarterMail Vulnerability Exploited in Ransomware Attacks appeared first on SecurityWeek.
CISA updated 59 KEV entries in 2025 to specify that the vulnerabilities have been exploited in ransomware attacks.
The post Concerns Raised Over CISAโs Silent Ransomware Updates in KEV Catalog appeared first on SecurityWeek.
VS Code-integrated configuration files are automatically executed in Codespaces when the user opens a repository or pull request.
The post VS Code Configs Expose GitHub Codespaces to Attacks appeared first on SecurityWeek.
The vulnerability could allow attackers to execute arbitrary commands and steal credentials and other secrets.
The post Critical N8n Sandbox Escape Could Lead to Server Compromise appeared first on SecurityWeek.
The security defects can lead to DoS conditions, arbitrary command execution, and privilege escalation.
The post Cisco, F5 Patch High-Severity Vulnerabilities appeared first on SecurityWeek.
Over the past two months researchers have reported three vulnerabilities that can be exploited to bypass authentication in Fortinet products using the FortiCloud SSO mechanism. The first two โ CVE-2025-59718 and CVE-2025-59719 โ were found by the companyโs experts during a code audit (although CVE-2025-59718 has already made it into CISAโs Known Exploited Vulnerabilities Catalog), while the third โ CVE-2026-24858 โ was identified directly during an investigation of unauthorized activity on devices. These vulnerabilities allow attackers with a FortiCloud account to log into various companiesโ FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb accounts if the SSO feature is enabled on the given device.
To protect companies that use both our Kaspersky Unified Monitoring and Analysis Platform and Fortinet devices, weโve created a set of correlation rules that help detect this malicious activity. The rules are already available for customers to download from Kaspersky SIEM repository; the package name is: [OOTB] FortiCloud SSO abuse package โ ENG.
The package includes three groups of rules. Theyโre used to monitor the following:
Rules marked โ(info)โ may potentially generate false positives, as events critical for monitoring authentication bypass attempts may be entirely legitimate. To reduce false positives, add IP addresses or accounts associated with legitimate administrative activity to the exceptions.
As new attack reports emerge, we plan to supplement the rules marked with โIOCโ with new information.
We also recommend using rules from the FortiCloud SSO abuse package for retrospective analysis or threat hunting. Recommended analysis period: starting from December 2025.
For the detection rules to work correctly, you need to ensure that events from Fortinet devices are received in full and normalized correctly. We also recommend configuring data in the โExtraโ field when normalizing events, as this field contains additional information that may need investigating.
Learn more about our Kaspersky Unified Monitoring and Analysis Platform at on the official solution page.
Albeit mainly considered a theoretical risk, the flaw has been exploited to disable protections and deliver malware.
The post Critical React Native Vulnerability Exploited in the Wild appeared first on SecurityWeek.
The attacks targeting Europe were analyzed by Ukraineโs CERT-UA and the cybersecurity company Zscaler.
The post Russiaโs APT28 Rapidly Weaponizes Newly Patched Office Vulnerabilityย appeared first on SecurityWeek.
We detail our discovery of CVE-2025-0921. This privileged file system flaw in SCADA system Iconics Suite could lead to a denial-of-service (DoS) attack.
The post Privileged File System Vulnerability Present in a SCADA System appeared first on Unit 42.
From an Anthropic blog post:
In a recent evaluation of AI modelsโ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.
[โฆ]
A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breachโone of the costliest cyber attacks in historyยญยญusing only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches.
AI models are getting better at this faster than I expected. This will be a major power shift in cybersecurity.
The critical-severity vulnerabilities could allow unauthenticated attackers to execute arbitrary code remotely.
The post Ivanti Patches Exploited EPMM Zero-Days appeared first on SecurityWeek.
The two bugs impacted n8nโs sandbox mechanism and could be exploited via weaknesses in the AST sanitization logic.
The post N8n Vulnerabilities Could Lead to Remote Code Execution appeared first on SecurityWeek.
The four critical flaws could be exploited without authentication for remote code execution or authentication bypass.
The post SolarWinds Patches Critical Web Help Desk Vulnerabilities appeared first on SecurityWeek.
Login