Full Report
Analysis of 1 billion CISA KEV remediation records reveal a breaking point for human-scale security. Qualys shows most critical flaws are exploited before defenders can patch them. [...]
Analysis Summary
This summary is based on the Qualys Threat Research Unit analysis of 1 billion CISA Known Exploited Vulnerabilities (KEV) remediation records, highlighting the systemic collapse of manual patching timelines against automated threats.
# Vulnerability: The "Human Ceiling" in Remediation (Aggregate Analysis)
## CVE Details
The report highlights a trend across the CISA KEV catalog rather than a single flaw. It specifically cites timelines for the following:
- **Spring4Shell:** CVE-2022-22965 | CVSS: 9.8 (Critical) | CWE-94 (Code Injection)
- **Cisco IOS XE Web UI:** CVE-2023-20198 | CVSS: 10.0 (Critical) | CWE-287 (Improper Authentication)
- **Follina:** CVE-2022-30190 | CVSS: 7.8 (High) | CWE-41 (Improper Resolution of Link)
## Affected Systems
- **Products:** Enterprise infrastructure (Cisco IOS XE), Development frameworks (Spring Framework), and Endpoints (Microsoft Windows/Office).
- **Versions:** Broadly covers assets tracked in CISA KEV records (2022–2026).
- **Configurations:** Systems with web-facing management interfaces (Cisco) or Java-based web applications (Spring).
## Vulnerability Description
The "vulnerability" discussed is the **Time-to-Exploit (TTE)** gap. Findings indicate a "negative seven days" TTE, meaning adversaries weaponize flaws a full week before public disclosure or patch availability. The "Manual Tax" identifies that while endpoints are patched relatively quickly (median <14 days), infrastructure systems remain exposed for extreme durations (median 232 days).
## Exploitation
- **Status:** Exploited in the wild (88% of weaponized vulnerabilities are remediated slower than they are exploited).
- **Complexity:** Low (Targeted by autonomous AI agents and automated scanning).
- **Attack Vector:** Network (Remote exploitability is the primary driver of risk mass).
## Impact
- **Confidentiality:** Total (Data theft via zero-day weaponization).
- **Integrity:** Total (Unauthorized system modification/RCE).
- **Availability:** Total (Infrastructure persistent access).
## Remediation
### Patches
- The report notes a failure in the current patching model: 63% of critical flaws remain unpatched at Day 7.
- **Spring4Shell:** Remediated in average of 266 days.
- **Cisco IOS XE:** Remediated in average of 263 days.
### Workarounds
- **Autonomous Remediation:** Shift from manual ticketing to closed-loop risk operations.
- **Prioritization:** Focusing on the ~357 vulnerabilities that are both remotely exploitable and weaponized, rather than the ~48,000 total disclosures.
## Detection
- **Indicators of Compromise (IoCs):** Use of AI-powered attackers to scan for N-day and Zero-day flaws.
- **Detection Methods:** Measuring **Risk Mass** (vulnerable assets × days exposed) and **Average Window of Exposure (AWE)** to identify the "long tail" of unpatched assets.
## References
- CISA Known Exploited Vulnerabilities (KEV) Catalog: hxxps[:]//www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Qualys Research - The Broken Physics of Remediation: hxxps[:]//www[.]qualys[.]com/forms/whitepapers/the-broken-physics-of-remediation
- ROCON EMEA Event: hxxps[:]//www[.]qualys[.]com/rocon/2026/emea