Qualys: 88% of weaponized CVEs patched slower than exploited, manual remediation hits hard ceiling
Analysis of one billion CISA KEV remediation records exposes limits of human-scale security
Qualys analyzed more than a billion CISA KEV remediation records from 10,000 organizations over four years and concluded that the operational model of enterprise vulnerability management is, in its words, mathematically broken. Although teams closed 6.5x more tickets than in 2022, the share of critical vulnerabilities still open at day seven rose from 56% to 63%. Of 52 high-profile weaponized CVEs studied, 88% were patched more slowly than they were exploited, and half were weaponized before any patch existed. Spring4Shell averaged 266 days to remediate against a two-day pre-disclosure exploitation window; Cisco IOS XE averaged 263 days against a one-month pre-disclosure window.
The report introduces “Risk Mass” (vulnerable assets multiplied by days exposed) and “Average Window of Exposure” as more honest metrics than CVE counts or median close times, because both weight every unpatched asset by how long it actually sat exploitable. For Follina, the pre-disclosure blind spot and long-tail patching together accounted for 80% of total exposure, while the sprint that remediation metrics usually measure covered less than 20%. Infrastructure systems show a median remediation of 232 days versus under 14 for endpoints, which is what Qualys calls the “Manual Tax”: the exposure multiplier from assets that human ticket workflows cannot reach. Meanwhile, of the 48,172 CVEs disclosed in 2025, only 357 were both remotely exploitable and actively weaponized, so teams burn cycles on theoretical risk while the genuine gaps persist.
The vendor’s prescription, unsurprisingly aligned with its own product pitch, is an autonomous “Risk Operations Center” that replaces scan-and-ticket workflows with machine-readable decision logic, exploitability validation in-environment, and automated response. The underlying argument stands independent of the sales angle: with Google M-Trends pegging average Time-to-Exploit at negative seven days and offensive AI agents compressing the attack chain further, human-paced remediation cannot close the gap by hiring or process maturity alone.
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.