Identifying Exploited Vulnerabilities in Cybersecurity


Summary

Identifying exploited vulnerabilities in cybersecurity means finding weaknesses in software or systems that attackers are actively using or have already targeted. This helps organizations focus on patching and protecting against the most urgent threats, reducing the risk of real-world attacks.

  • Prioritize real threats: Pay special attention to vulnerabilities that show evidence of being exploited, as these require immediate action to protect your systems.
  • Adopt smarter tools: Use modern vulnerability scanners that verify if flaws are actually exploitable, not just theoretically risky, to cut down on unnecessary alerts and act on what matters.
  • Stay informed: Regularly check trusted sources and reports for up-to-date lists of high-risk vulnerabilities that are currently being targeted in the wild.
Summarized by AI based on LinkedIn member posts
  • Arun T.

    CTO & Cofounder @ NetSentries & NST Cyber - Building NST Assure Exposure Assessment and Validation Platform for Enterprises|Cyber Security Advisor for Leading Global Banks and Fintechs |Author|Innovator | CISSP,SSCP

    16,866 followers

    I’ve always felt that vulnerability management misses one critical question — has this vulnerability already been exploited in the wild?

    In May 2025, NIST proposed a new metric called Likely Exploited Vulnerabilities (LEV) that finally attempts to answer that. LEV estimates the probability that a vulnerability has already been exploited, using historical EPSS data and real-world exploitation patterns.

    For years, we’ve depended on:
      • CVSS → to measure how severe a vulnerability is, and
      • EPSS → to predict how likely it will be exploited in the future.
    But LEV adds a third dimension — it tells us what’s probably already happening out there.

    🧮 A Quick Example
    If a vulnerability had an EPSS score of 0.3 (30%) per day for 10 consecutive days, LEV estimates its chance of being exploited at least once as:
    LEV = 1 – (1 – 0.3)¹⁰ ≈ 0.97
    That’s a 97% probability it’s already been exploited somewhere in the world.

    Now consider:
      • CVE-A: CVSS 9.8, LEV 0.05 → severe but rarely exploited
      • CVE-B: CVSS 7.5, LEV 0.95 → moderate severity but almost certainly exploited
    Which one would you patch first? LEV helps make that decision clear — with data, not assumptions.

    LEV doesn’t replace CVSS or EPSS — it complements them. Together, they paint a complete risk picture as shown in the image. By integrating LEV into dashboards and risk models, teams can focus on the vulnerabilities that truly matter — the ones attackers are actively exploiting right now. In an age of overwhelming CVE volume, LEV feels like a step toward practical, intelligence-driven vulnerability management that reflects how threats evolve in the real world.

    #CyberSecurity #VulnerabilityManagement #NIST #CTEM #RiskBasedSecurity
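The LEV arithmetic in the post above, carried through in code as an added example (not from the post, from NIST, or from any LEV implementation). It follows the post's simplification, in which each day's EPSS value is treated as an independent daily exploitation probability, so LEV is one minus the product of the daily non-exploitation probabilities; NIST's full LEV definition has additional details that are not reproduced here. The daily EPSS series for CVE-A and CVE-B are constructed so that they land near the LEV values the post quotes (about 0.05 and 0.95), and the ranking rule (LEV first, CVSS as tiebreaker) is this example's own choice.

```python
from math import prod

# Constructed daily EPSS series mirroring the post's two hypothetical CVEs
# (CVE-A: severe but rarely exploited; CVE-B: moderate but almost certainly
# exploited). Sample values, not real EPSS data.
SAMPLE_SERIES = {
    "CVE-A": {"cvss": 9.8, "epss_daily": [0.005] * 10},
    "CVE-B": {"cvss": 7.5, "epss_daily": [0.26] * 10},
}


def lev(epss_daily):
    """Probability the vulnerability was exploited at least once over the window.

    Post's simplification (assumption): each day's EPSS value is an independent
    daily exploitation probability, so P(no exploitation) = product of (1 - p_i)
    and LEV is its complement. An empty window yields 0.0.
    """
    for p in epss_daily:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS value out of range: {p}")
    return 1.0 - prod(1.0 - p for p in epss_daily)


def prioritize(findings):
    """Rank CVEs for patching: highest LEV first, CVSS as the tiebreaker.

    `findings` maps a CVE id to {"cvss": float, "epss_daily": [floats]}.
    Returns (cve_id, lev, cvss) tuples, most urgent first.
    """
    scored = [(cve, lev(d["epss_daily"]), d["cvss"]) for cve, d in findings.items()]
    return sorted(scored, key=lambda t: (t[1], t[2]), reverse=True)


if __name__ == "__main__":
    # The post's worked number: 0.3 per day for 10 days gives about 0.97
    print(f"LEV for 0.3/day over 10 days: {lev([0.3] * 10):.4f}")
    for cve, value, cvss in prioritize(SAMPLE_SERIES):
        print(f"{cve}: CVSS {cvss}, LEV {value:.2f}")
```

Running the block prints the post's 0.97 figure and lists CVE-B ahead of CVE-A, i.e. the lower-CVSS vulnerability with the higher exploitation likelihood comes first.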

  • Sarah Fluchs

    Cybersecurity risk assessments that keep you compliant without over-engineering security requirements. | CTO @admeritia | CRA Expert Group @EU Commission | Co-Convenor @ISA/IEC 62443-3-2

    20,426 followers

    💡 Cyber Resilience Act (CRA) - vulnerability definitions FAQ

    I've seen a lot of confusion around vulnerability management required by the CRA lately. Let's try and bring some order to the chaos. There are 3 kinds of vulnerability definitions in the CRA. If you have understood them, the rest becomes simple. They can all be found in Art. 3:

    1️⃣ the "basic" vulnerability
    "a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat"
    This is the broad term for all the vulnerabilities you could find. It's every CVE (but not limited to CVEs). It's the 1200 hits your vuln scanner turns back if you run it for the first time, many of which are no serious issue for your product.

    2️⃣ the (known) exploitable vulnerability
    "a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions"
    These are the vulnerabilities that are actually a serious problem for your product. What is exploitable? You must decide, based on your product and its anticipated operating environment. Exploitability ratings or lists like CISA's KEVs and the ENISA's EUVD can help.

    3️⃣ the actively exploited vulnerability
    "a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner"
    When people get confused about this one, I recommend thinking of it as an incident rather than a vulnerability. "Actively exploited" means something has happened to your product while in use with a customer. Could be a SOC alert showing your product has been used as an entry point to a network, or a real incident with impact where a vuln in your product played a role.

    💡 Now, what do you need to do about each category?

    1️⃣ All vulns: You need to manage those - see Annex I, Part II. Scan for them and assess their risk (exploitable?) to decide what to do (notify customers? patch?). You need a responsible disclosure process so people can send you vulns they have found. If a patch is required, you need to publicly disclose the vuln after you have provided the patch (responsible disclosure). This applies to your products with digital elements from Dec 2027.

    2️⃣ Exploitable vulns: These prevent you from shipping your product - that's one of the CRA's core requirements (Annex I, Part I). They definitely need to be fixed asap or you lose your CRA conformity or can't sell your product any longer. Also, you need to publicly disclose the vuln after you have provided the patch (responsible disclosure). This applies to your products with digital elements from Dec 2027.

    3️⃣ Actively exploited vulns: These cases will be rare, but if you learn about an incident including your product, Art. 14 applies: You need to report the vuln to your national CERT and ENISA, and of course take corrective measures. This is the only part that also applies to legacy products (Art. 69), and you need to do it from September 2026 (Art. 71).

  • Ariel Herbert-Voss

    CEO and Co-Founder of RunSybil

    3,955 followers

    Claude Opus 4.6 is an interesting data point for where vulnerability discovery is heading. Anthropic’s latest release shows the model identifying high-severity vulnerabilities in mature open-source projects without custom harnesses or task-specific tooling. The interesting part isn’t the number of findings. It’s how they were reached. Rather than relying on random input generation, the model reasoned about code structure, prior fixes, and the assumptions embedded in how systems behave. In several cases, this led it into execution paths that are technically valid but operationally unlikely, and therefore easy to miss. Anthropic reports validating hundreds of high-severity issues so far, all reviewed by humans prior to disclosure. That combination of reasoning-led discovery and human validation changes the economics of vulnerability research. It also reinforces a broader pattern: the hardest problems rarely live in a single file, service, or configuration. They emerge when decisions made in isolation interact across a system. We’ve been seeing similar system-level failure modes in our own work with Sybil, where real exposures only become obvious when you reason across multiple systems rather than within a single component. As models get better at system-level reasoning, workflows that only evaluate components in isolation will increasingly struggle to keep up. #cybersecurity #AI #vulnerabilityresearch

  • Caitlin Condon

    VP, Security Research @ VulnCheck

    4,186 followers

    I'm psyched to finally be able to share a new research report from the VulnCheck R+D crew. The 2026 VulnCheck Exploit Intelligence Report draws from 500+ data sources and incorporates a wealth of first-party intelligence and analysis on the public exploit ecosystem, the vulnerabilities that mattered in 2025, in-the-wild targeting and attribution, and more.

    📈 Key findings include:
      • Out of 40K+ "CVE-2025" vulns last year, only 1% were exploited in the wild
      • VulnCheck tracked 14,400+ exploits targeting 2025 CVEs — a 16.5% increase vs. 2024, driven in no small part by a wave of AI-generated exploit code that's diluting risk signals for defenders.
      • There was a 52% rise in 2025 exploits attributed to China-nexus adversaries
      • 56% of net-new ransomware CVEs in 2025 arose from zero-day exploits
      • Nearly half of the 880+ CVEs added to VulnCheck KEV last year were from 2025, underscoring how quickly adversaries operationalize new vulns
      • Deep dives on Earth Lamia (China), RomCom (Russia), Cl0p and DragonForce ransomware, and the RondoDox botnet

    👉 Get the report here: https://lnkd.in/e7zUM57G

    We're also releasing our first list of Routinely Targeted Vulnerabilities: 50 CVEs disclosed and exploited in 2025 that had significant exploit activity and elevated risk profiles across multiple dimensions. This is a data-driven list with a transparent methodology that we're releasing to the community to sort and analyze for themselves: https://lnkd.in/eC8uQh-e

    MASSIVE thank you to the village that made this possible, including but not limited to co-authors Jacob Baines and Cale Black, design genius Chelsea Lewis, marketing whiz-kids Hope Ruiz and Maggie McCann Radtke, our web team, and Patrick Garrity 👾🛹💙

    #cybersecurity #infosecurity #vulnerabilitymanagement #threatintel

  • Bob Carver

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice

    52,731 followers

    Two Windows vulnerabilities, one a 0-day, are under active exploitation - ArsTechnica, Dan Goodin
    Both vulnerabilities are being exploited in wide-scale operations.

    Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.

    The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.

    A large-scale, coordinated operation
    Seven months later, Microsoft still hasn’t patched the vulnerability, which stems from a bug in the Windows Shortcut binary format. The Windows component makes opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491.

    #cybersecurity #Windows #vulnerabilities #0day #APTs #TrendMicro

  • Dr. Raymond Friedman

    Cybersecurity & AI Thought Leader l Creator of theoretical models ACRPM™ & BCAA™ l Author of The Art of an Organizational Leader & mile2’s CAICSO™ l Researcher & Keynote Speaker on Forensics, AI, Governance & Leadership

    3,519 followers

    🔎 What’s the Best Source for Daily Cyber Vulnerabilities?

    Accurate visibility into real-world cyber risk comes from correlating multiple intelligence sources—not relying on a single feed. So, here are my consolidated resources as to where I get my info…

    For daily vulnerability awareness, the most reliable foundation remains the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST):
      • CISA’s Known Exploited Vulnerabilities (KEV) Catalog — focuses only on vulnerabilities actively exploited in the wild
      • NIST’s National Vulnerability Database (NVD) — authoritative CVE data, scoring, and technical references

    To add operational context, supplement with practitioner-focused reporting from (my top three):
      • The Hacker News
      • BleepingComputer
      • Threatpost

    Just a small key insight: not all CVEs are deemed equal. Effective daily vulnerability briefings prioritize exploitation status, real-world impact, and clear mitigation guidance—not raw CVE volume.

    ➡️ Follow Dr. Raymond Friedman for insights on AI governance, cybersecurity leadership, and the evolving ethics of intelligent defense.
    📘 Free download: AI Jailbreak Prevention Guide 👉 https://lnkd.in/eqR_rtjX

    #Cybersecurity #VulnerabilityManagement #ThreatIntelligence #CVE #SOC #BlueTeam #SecOps #AppSec #CloudSecurity #ZeroTrust #IncidentResponse #RiskManagement #SecurityEngineering #CyberDefense #AIsecurity #AIGovernance

  • boB Rudis

    Distinguished Engineer @ Censys • CMU Lecturer • Pampa

    3,506 followers

    And, for folks who don't read LinkedIn articles (I feel you):

    New Research: Legacy Vulnerabilities Remain A Persistent Threat

    One startling datapoint from GreyNoise’s 2025 Mass Internet Exploitation Report demands immediate attention: 40% of vulnerabilities exploited in 2024 were from 2020 or earlier, with some dating back to the 1990s. Attackers aren’t just racing to weaponize new CVEs—they’re systematically exploiting decades-old flaws that defenders have ignored, forgotten, or deemed “too old to matter.”

    You can see the lineage of observed CVEs in the attached chart, which shows the distribution of the publish dates of vulnerability exploit attempts we observed in our Global Observation Grid (GOG).

    The persistence of exploits like CVE-2014-8361 (a 10-year-old Realtek UPnP flaw) and CVE-1999-0526 (an X Server vulnerability older than many cybersecurity professionals) reveals a harsh truth: attackers automate exploitation of anything that works while organizations struggle with basic asset inventory and patch hygiene. These aren’t “low-risk” legacy systems—they’re actively targeted entry points for ransomware, botnets, and data exfiltration.

    Why does this keep happening? Three reasons:
      • Security teams prioritize CVSS over context—a critical CVE gets deprioritized because it has a lower CVSS score, even as attackers mass-scan and automate exploitation for it.
      • Asset management gaps—organizations lack visibility into aging IoT devices, forgotten servers, and embedded systems still running 2000s-era software.
      • Misplaced confidence in perimeter defenses—firewalls and XDRs often fail to detect exploits targeting services like UPnP or outdated API endpoints.

    The report shows real-world consequences: outdated D-Link NAS devices (CVE-2018-10561) and unpatched Ivanti VPN appliances (CVE-2020-13772) became major ransomware vectors. Meanwhile, 13% of 2024’s exploited CVEs were new, proving attackers operate at both temporal extremes.

    This isn’t a patching problem—it’s a prioritization failure. Teams need real-time exploit intelligence to answer: “Is anyone actually attacking this?” instead of relying on theoretical risk models.

    If you haven’t read the full report yet, download it here — https://lnkd.in/dipTpwF8 — for data-backed strategies to shrink your attack surface across both legacy and emerging threats.

    #Cybersecurity #ThreatIntelligence #VulnerabilityManagement
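Two of the posts above make the same operational point from different angles: Dr. Friedman names CISA's KEV catalog as the feed that covers only vulnerabilities exploited in the wild, and boB Rudis argues that triage should start from "is anyone actually attacking this?" rather than from CVSS or from a CVE's age. The block below is an added example, written for this page and not taken from either post, GreyNoise, CISA or VulnCheck. It cross-references a constructed list of scanner findings against a constructed feed laid out in the shape of CISA's KEV JSON (the field names `vulnerabilities`, `cveID`, `dateAdded` and `knownRansomwareCampaignUse` follow the published catalog schema). The CVE ids in the sample feed are ones mentioned in the posts, but their `dateAdded` values, ransomware flags and the CVSS scores on the findings are placeholders for the example, and `CVE-2025-0000` is a placeholder id standing in for a finding that is critical on paper but has no exploitation evidence. The ordering rule (KEV-listed first, then ransomware-linked, then CVSS) is this example's own choice.

```python
import json
import re

# Constructed feed in the shape of CISA's KEV JSON. Field names follow the
# catalog schema; dateAdded values and ransomware flags are PLACEHOLDERS for
# this example, not the real catalog entries for these ids.
SAMPLE_KEV_JSON = json.dumps({
    "title": "sample KEV-shaped feed (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2014-8361", "dateAdded": "2024-01-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2018-10561", "dateAdded": "2024-02-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-13772", "dateAdded": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output. CVSS values are illustrative; CVE-2025-0000 is a
# placeholder id for "critical on paper, no exploitation evidence".
SAMPLE_FINDINGS = [
    {"cve": "CVE-2025-0000", "cvss": 9.9, "asset": "app-01"},
    {"cve": "CVE-2014-8361", "cvss": 7.5, "asset": "iot-gw-07"},
    {"cve": "CVE-2018-10561", "cvss": 6.5, "asset": "branch-router-03"},
    {"cve": "CVE-2020-13772", "cvss": 8.8, "asset": "vpn-edge-01"},
]

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def load_kev(json_text):
    """Index a KEV-shaped feed by CVE id, skipping entries with malformed ids."""
    feed = json.loads(json_text)
    return {
        e["cveID"]: e
        for e in feed.get("vulnerabilities", [])
        if CVE_RE.match(e.get("cveID", ""))
    }


def cve_year(cve_id):
    """Year component of a CVE id, used only to report how old a finding is."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(m.group(1))


def triage(findings, kev, today_year):
    """Order findings by exploitation evidence before CVSS.

    Sort key, most urgent first: listed in the KEV feed, then tied to a known
    ransomware campaign, then CVSS. Age is carried along so that an old but
    actively exploited CVE is visibly not "too old to matter".
    """
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        rows.append({
            "cve": f["cve"],
            "asset": f["asset"],
            "cvss": f["cvss"],
            "in_kev": entry is not None,
            "ransomware": entry is not None and entry.get("knownRansomwareCampaignUse") == "Known",
            "age_years": today_year - cve_year(f["cve"]),
        })
    return sorted(rows, key=lambda r: (r["in_kev"], r["ransomware"], r["cvss"]), reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), today_year=2025):
        flag = "KEV" if r["in_kev"] else "   "
        print(f"{flag} {r['cve']:<15} CVSS {r['cvss']:<4} age {r['age_years']:>2}y  {r['asset']}")
```

With the sample data the placeholder CVSS 9.9 finding drops to the bottom of the list because nothing in the feed says it is being exploited, while the 2014 and 2020 ids rise to the top on exploitation evidence. Against the live catalog, the same `load_kev` would be pointed at the KEV JSON download rather than the embedded sample, and `today_year` would come from the clock; it is a parameter here so the example stays deterministic.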
