The Race to Exploit: Why CVEs Don’t Wait in 2025
Faster, please
If 2024 showed us anything, it’s that threat actors are getting faster and 2025 is doubling down on that trend. According to VulnCheck’s Q1 report, attackers are exploiting newly disclosed CVEs at breakneck speed, often within just hours or days of publication. That’s not just fast—it’s systematically aggressive.
Even more concerning, some of the most exploited CVEs aren’t the ones with the highest CVSS scores. This pokes yet another hole in the idea that severity scores alone can guide prioritisation. Just because something is rated “medium” doesn’t mean it won’t get exploited within 48 hours by a ransomware group halfway across the world.
The window between vulnerability disclosure and exploitation is getting shorter. As a result, relying solely on monthly patch cycles may no longer be sufficient for many organisations. It’s becoming increasingly important to treat CVE data as a form of real-time threat intelligence, something that should inform prioritisation and response as events unfold.
Enterprise Focus
Similarly, according to Google Cloud’s Threat Intelligence team, 0-day vulnerabilities are increasingly being found and exploited in products used by large organisations: firewalls, virtualisation tools, cloud infrastructure, and identity services.
This isn’t a coincidence. Enterprise tech represents a high ROI target. If you're an attacker, compromising a niche developer tool might get you access to a handful of machines. But landing a hit on something like a cloud identity provider or remote access gateway? That’s a golden ticket - broad access, deep reach, and a clear path to lateral movement.
The 2024 data backs this up. While customer-facing apps and browsers still get hit, the real action is happening in the enterprise stack. And more worryingly, many of these 0-days were discovered after they were already being exploited in the wild, meaning defenders were playing catch-up from the start.
Could this mean that “critical infrastructure” may be redefined? It’s not just about national grids or government systems anymore. A vulnerable endpoint management tool used by Fortune 500 companies could be just as impactful if it’s leveraged in a supply chain attack or ransomware campaign.
Why Offensive Security Matters More in 2025
With the pace of CVE exploitation at an all-time high, there’s a growing realisation across the security industry: being reactive just isn’t enough. By the time a critical vulnerability is disclosed - let alone triaged and patched - there’s a good chance it’s already being used by threat actors. That’s where offensive security comes in.
Penetration testing, red teaming, and adversary simulation are not just compliance checkboxes - or shouldn’t be - they’re vital for understanding how real attackers might break into your environment. And not in theory - in practice, using the same tools, tactics, and timing that attackers are using in the wild.
These exercises do more than just find unpatched systems. They uncover misconfigurations, chained vulnerabilities, insecure defaults, and blind spots in detection - things that traditional scanners or vulnerability management tools often miss. Offensive operations help teams understand not just what’s vulnerable, but what’s exploitable, and how quickly an attacker could move once inside. It’s also not unusual for an attack team to find vulnerabilities for which there are no current CVEs, newly uncovered on an engagement.
That’s crucial in 2025, because as VulnCheck and Google Cloud have both highlighted, attackers are acting with greater precision. They’re not just throwing exploits at random systems; they’re targeting enterprise infrastructure, chaining vulnerabilities, and abusing trust relationships across networks. Offensive security helps simulate that kind of behavior in a controlled way, before someone else does it for real.
What can you do?
Integrate offensive testing into routine operations – Don’t wait for annual assessments. Regular, risk-driven testing gives you a real-world view of your exposure.
Use threat intelligence to inform your offensive strategy – Focus red team efforts around actively exploited CVEs and adversary TTPs (Tactics, Techniques, Procedures), not just high-severity scores.
Go beyond “scan and patch” – Many critical risks aren’t even CVEs—they’re default credentials, weak access control, or poor segmentation. Offense brings those issues to the surface.
Build strong, ongoing partnerships with your offensive security providers – Don’t treat pentesting as a once-a-year checkbox. Collaborate throughout the year, and give them context about your environment, architecture, and risk priorities. The more they understand your real-world constraints, the more valuable their testing will be.
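
An added example, not from the original article: a triage routine that ranks scanner findings by exploitation evidence before CVSS, in line with the points above about exploitation speed and focusing on actively exploited CVEs. The CVE ids, asset names, feed shape and deadline values are constructed assumptions to be replaced with your own data and policy.

```python
from datetime import date

TODAY = date(2025, 5, 3)  # constructed "now" so the output is reproducible

# Constructed scanner findings: placeholder CVE ids, asset names and scores.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "vpn-gw-01", "cvss": 6.5, "internet_facing": True},
    {"cve": "CVE-0000-0002", "asset": "build-agent-07", "cvss": 9.8, "internet_facing": False},
    {"cve": "CVE-0000-0003", "asset": "idp-01", "cvss": 7.2, "internet_facing": True},
    {"cve": "CVE-0000-0004", "asset": "wiki-01", "cvss": 8.1, "internet_facing": False},
]

# Constructed exploitation feed: CVE id -> date exploitation was first reported.
# The shape is an assumption; map your real feed's fields onto it.
EXPLOITED = {
    "CVE-0000-0001": date(2025, 5, 1),
    "CVE-0000-0003": date(2025, 4, 2),
}

def sla_days(finding, exploited_since):
    """Remediation deadline in days (assumed policy): exploitation outranks CVSS."""
    if exploited_since is not None:
        return 1 if finding["internet_facing"] else 3
    if finding["cvss"] >= 9.0:
        return 14
    return 30  # regular monthly patch cycle

def triage(findings, exploited, today):
    """Return findings ordered for remediation, most urgent first."""
    ranked = []
    for f in findings:
        since = exploited.get(f["cve"])
        ranked.append({
            **f,
            "exploited": since is not None,
            "days_exploited": (today - since).days if since else None,
            "sla_days": sla_days(f, since),
        })
    # Shortest deadline first, then exposed assets; CVSS is only a tie-breaker.
    ranked.sort(key=lambda r: (r["sla_days"], not r["internet_facing"], -r["cvss"]))
    return ranked

if __name__ == "__main__":
    for r in triage(FINDINGS, EXPLOITED, TODAY):
        print(f'{r["cve"]}  {r["asset"]:<15} cvss={r["cvss"]:<4} '
              f'exploited={r["exploited"]!s:<5} fix within {r["sla_days"]}d')
```

With this sample data the two "medium/high" findings with exploitation evidence land ahead of the unexploited 9.8, which a CVSS-only sort would have placed first.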