AI shrinks vulnerability exploitation window to hours
Time has become organizations’ biggest vulnerability because the gap between vulnerability discovery and exploitation has narrowed to hours, according to Synack’s 2026 State of Vulnerabilities Report.

Figure: Total vulnerabilities by severity (2022-2025). Source: Synack.
AI expands the attack surface
Agentic AI systems that act autonomously across systems introduce new risks that require human expertise to identify and understand. Automated scanning detects known signatures but can miss logic flaws, misconfigurations, and unexpected behavior.
In 2025, mean time to remediation dropped by approximately 47% across all severity levels, showing that the industry is moving toward continuous security validation, with periodic testing serving a supporting role.
Published CVEs reached 48,244 in 2025, a 20% year-over-year increase. Customer programs that maintained stable findings against that backdrop indicate that security posture is keeping pace with a faster-moving environment.
“Adversaries can identify and exploit vulnerabilities within increasingly shorter timeframes. Organizations that continuously validate security across their environment are responding faster and closing critical exposure windows earlier,” said Dr. Mark Kuhr, CTO of Synack.
Low- and medium-severity findings declined in 2025. High-severity findings increased, especially in mature programs that tend to generate less noise.
AI-enabled adversaries are shrinking the gap between a CVE’s public disclosure and the first observed exploitation by threat actors. Unexpected zero-day vulnerabilities such as React2Shell (CVE-2025-55182) allowed unauthenticated attackers to send malicious HTTP requests that resulted in remote code execution on servers.
In 2025, total vulnerability volume remained relatively stable, but high-severity vulnerabilities increased by 10% compared with 2024.
Familiar vulnerabilities, faster exploitation
The most frequently identified vulnerability remained cross-site scripting (XSS), followed by authorization and permission issues. Content injection, brute-force attacks, and remote code execution increased throughout 2025. These trends show growing attacker focus on social engineering, identity-based exploitation, supply chain vulnerabilities, and authentication boundaries, aligning with AI-enabled adversaries testing access controls.
Average mean time to remediation dropped from 63 days in 2024 to 38 days in 2025, while critical vulnerabilities were remediated 25 days faster. Shorter remediation timelines reflect pressure from AI-enabled attackers that continue to reduce average time to exploit. PTaaS platforms help teams correlate vulnerability data across assets and business units, improving prioritization and workflows.
Growing infrastructure expands exposure
Security teams in retail, financial services, government, technology, and manufacturing continue to face challenges in mapping IT assets and infrastructure. Average asset counts grew or remained stable in 2025, except in retail. Manufacturing recorded the sharpest increase, from 2,053 to 2,486 assets per organization.
Subdomains remained the largest asset category by volume, averaging about 40,000 per organization. Web applications also increased year over year, showing faster development cycles associated with AI coding assistants.
Critical and high-severity vulnerabilities accounted for 37% of findings across these industries. Manufacturing, technology, and government recorded the largest share of critical and high-severity findings. Retail and financial services remained below the overall average.
The technology sector accounted for the largest share of critical SQL injection findings, followed by financial services. Critical remote code execution findings were distributed more evenly across sectors.