Cyber attackers continue to speed up vulnerability exploitation and last year 28.96% of known exploited vulnerabilities (KEVs) identified by VulnCheck were exploited before being publicly disclosed, or on the day they were reported.

This from cybersecurity firm VulnCheck’s State of Exploitation 2026 report, published on January 21, which shows zero-day and one-day exploitation is accelerating, up from 23.6% in 2024.

While the report considers the discoverability of a vulnerability as the day its common vulnerabilities and exposures (CVE) identifier is published, Patrick Garrity, vulnerability researcher at VulnCheck, told Infosecurity that the reality is more complex.

"Some were disclosed in public advisories first, then became exploited and a CVE was published after the facts," he explained.

This means that not all KEVs being exploited before or on the same day of CVE issuance are zero day vulnerabilities. Nevertheless, this rise from 24% to almost 30% shows that cyber threat actors continue to step up the pace by which they exploit unpatched vulnerabilities.