TL;DR: 12 distinct 2026 CVEs are already being actively exploited in network-facing attacks, while only 8 are listed in CISA KEV, according to Proofpoint, and its telemetry shows attackers still rely on familiar phishing, authentication-bypass, and RCE playbooks despite a faster CVE pipeline. The operational issue is no longer novelty in attacker tradecraft, but the growing prioritisation gap created by exploitation outpacing enrichment and cataloguing.
At a glance
What this is: Proofpoint argues that AI-assisted vulnerability discovery is increasing CVE volume, but attacker behaviour remains familiar and opportunistic.
Why it matters: For IAM, NHI, and broader security teams, the key implication is that prioritisation based only on formal catalogues, scores, or disclosure timing is now too slow for internet-facing exposure.
By the numbers:
- Proofpoint telemetry shows 12 distinct 2026 CVEs being actively exploited in network-facing attacks, compared to the 8 currently listed on the CISA KEV catalog.
- Proofpoint's network sensor infrastructure spans over 5,000 sensors globally with more than 3 million alerts analyzed in 2026.
- NIST reported that CVE submissions in Q1 2026 were nearly one-third higher than the same quarter last year.
- CrowdStrike's 2026 Global Threat Report said zero-days exploited before public disclosure rose 42% year over year.
👉 Read Proofpoint's analysis of 2026 CVE exploitation trends and attacker behaviour
Context
AI-assisted vulnerability discovery is changing the volume of disclosed flaws faster than most prioritisation workflows can absorb, but it is not changing the basic attacker model. The primary problem is a widening gap between public disclosure, formal cataloguing, and real-world exploitation, especially for internet-facing systems where initial access can be converted quickly into broader compromise.
That matters to identity programmes because exposed systems increasingly sit on top of credential-bearing access paths, service accounts, and remote management interfaces. When defenders wait for enrichment, scoring, or catalogue inclusion, they leave the most valuable access surfaces exposed during the exact window attackers tend to exploit.
Proofpoint's article is best read as a telemetry-based warning rather than a vulnerability brief. The starting position is typical for modern enterprise defence: too much signal, too much exposure, and not enough time to treat every newly disclosed CVE as equally urgent.
Key questions
Q: What breaks when organisations wait for KEV before patching new CVEs?
A: Waiting for KEV creates a blind spot because exploitation often starts before formal catalogue inclusion. Teams that rely on KEV alone miss early scanning, active weaponisation, and high-risk internet-facing flaws that are already being used in the wild. Exposure-based triage plus live threat telemetry is a safer decision model.
Q: Why do AI-assisted attackers change vulnerability prioritisation?
A: AI-assisted attackers can test many combinations much faster than human teams can patch, which makes vulnerability chaining practical at scale. That means the question is no longer whether a flaw is individually severe. It is whether the flaw sits on a path that reaches production systems, privileged identities, or sensitive data.
Q: How do security teams know when a newly disclosed CVE deserves emergency treatment?
A: A CVE deserves emergency treatment when it is remotely exploitable, internet-facing, and paired with public proof-of-concept code or active exploitation signals. Those conditions shorten the attack window dramatically. Teams should weight exposed management interfaces, authentication bypasses, and RCE flaws above routine patch queues.
Q: Who is accountable when active exploitation is known but enrichment is still incomplete?
A: Accountability sits with the teams that own exposure, patching, and prioritisation decisions, not with the catalogue alone. When enrichment lags, governance must shift to risk ownership based on live telemetry and business criticality. Waiting for full metadata is a process choice, not a technical necessity.
Technical breakdown
Why CVE volume now outpaces enrichment workflows
CVE disclosure is only the first step in operational relevance. A vulnerability becomes actionable for defenders when it is enriched, scored, correlated to products in use, and mapped to exposure. Proofpoint's point is that this pipeline is breaking under volume, especially as NIST acknowledges backlog pressure in the National Vulnerability Database. That creates a timing problem: exploitation can begin before a flaw is fully classified, and automation built around catalogue completeness will lag behind attacker adoption.
Practical implication: prioritise new internet-facing CVEs from exploitability and exposure, not only from enrichment status or score.
How opportunistic exploitation chains still work in email and network paths
The report shows that attacker tradecraft remains stable even as the vulnerability set grows. In email campaigns, threat actors still use weaponised attachments, institution-themed lures, and downstream payload chains to gain initial access. In network telemetry, they still probe authentication bypasses, RCE flaws, and management interfaces that are exposed to the internet. The mechanism is simple: once a public proof-of-concept exists, attackers adapt it to an existing delivery system rather than inventing a new one.
Practical implication: treat public proof-of-concept availability as an escalation signal for both email and perimeter controls.
Why AI-assisted discovery changes defender workload first
The article draws a useful distinction between discovery and exploitation. Frontier models appear to be helping researchers and defenders find more bugs faster, but Proofpoint does not see a corresponding step-change in attacker technique. The security burden therefore shifts to defenders first: more candidate vulnerabilities, more incomplete metadata, and more decisions made before full context exists. This is a governance and operations problem as much as a technical one, because prioritisation rules must now work under uncertainty.
Practical implication: redesign patch triage so that incomplete data does not block action on high-risk, externally reachable assets.
Threat narrative
Attacker objective: The attacker objective is reliable initial access to exposed enterprise systems, followed by payload delivery and further compromise using familiar exploitation paths.
- Entry begins when attackers weaponise newly disclosed CVEs in phishing attachments or probe internet-facing management interfaces as soon as public exploit code appears.
- Escalation follows through authentication bypass, remote code execution, or shell security bypass, which converts exposure into code execution or trusted access.
- Impact is achieved by deploying backdoors, payloads, or follow-on tooling that enables persistence, lateral movement, or broader compromise.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Gravity SMTP CVE-2026-4020 API Keys Exposure — CVE-2026-4020 in Gravity SMTP exposes API keys via single HTTP request across 100,000 WordPress sites.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Exploitability now outruns catalogue certainty: the operational question is no longer whether a vulnerability exists, but whether it is already being used before formal enrichment catches up. That means teams that treat KEV, CVSS, or vendor advisories as sequential checkpoints are already behind the attacker timeline. Practitioners should reframe prioritisation around exposure plus exploit signals, not publication order.
Attackers still prefer familiar delivery chains: new CVEs do not imply new tradecraft. The report shows that email-borne malware delivery, authentication bypass, and RCE remain the dominant operational patterns because they are reliable, scalable, and easy to adapt. Security teams should stop looking for novelty in attacker behaviour where the real risk is repetition at higher volume.
Prioritisation debt is the new vulnerability debt: organisations are accumulating a governance backlog when they cannot translate telemetry into action quickly enough. That backlog becomes more dangerous as AI-assisted discovery increases the number of candidate flaws faster than enrichment systems can classify them. The practitioner conclusion is simple: exposure management must be driven by live exploitation evidence.
Identity-adjacent management interfaces are part of the same trust surface: the article's focus on mail platforms, remote access systems, and perimeter devices matters to IAM and NHI teams because those systems often anchor authentication, tokens, and administrative trust. When those surfaces are exposed, the issue is not only a software flaw but a potential credential and access path problem. Practitioners should treat exposed management planes as identity risk, not only infrastructure risk.
Proofpoint's telemetry supports a detection-first model for internet-facing CVEs: the gap between active exploitation and formal catalogue inclusion means that response maturity now depends on threat-intelligence-fed triage. That aligns with frameworks that emphasise continuous monitoring, access control, and incident prioritisation. Teams should build decisions around observable exploitation, not around the assumption that listed means actionable.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- For a deeper view of recurring identity failure modes, see The 52 NHI breaches Report for case-level patterns and control breakdowns.
What this signals
Prioritisation will keep shifting from completeness to confidence: as CVE volume rises and enrichment lags, programmes will need a decision model that tolerates incomplete metadata. That means better exposure inventory, faster compensating controls, and closer alignment between vulnerability management and incident response.
The practical signal for identity and security teams is that exposed management planes, mail systems, and remote access components now sit closer to the trust boundary than many inventories assume. If a system can anchor authentication or privileged administration, it deserves the same urgency as other identity-critical assets.
Prioritisation debt: when organisations wait for formal catalogue inclusion before acting, they accumulate a hidden risk backlog that attackers can exploit. Linking patch triage to live exploitation signals and exposure context is now a governance requirement, not an optimisation exercise.
For practitioners
- Prioritise exposed CVEs by exploit evidence Move internet-facing systems to the front of patch queues when telemetry, proof-of-concept code, or active scanning indicates exploitation. Do not wait for KEV inclusion or full enrichment before taking action on remote code execution or authentication bypass flaws.
- Rebuild email delivery controls around weaponised attachment patterns Tune filtering and sandboxing for RTF, OLE, and LNK chains, especially where campaigns use institutional lures and legitimate-looking document formats. Pair delivery controls with detection for backdoor-style post-exploitation behaviour.
- Treat management interfaces as identity-risk assets Inventory and isolate remote access platforms, mail administration surfaces, and perimeter management consoles because they often sit on top of privileged access paths. Apply stronger authentication, tighter exposure controls, and separate monitoring for those systems.
- Build triage rules that survive incomplete enrichment Use live exploitation signals, vendor advisories, and internet exposure data to make prioritisation decisions when NVD enrichment is delayed or missing. The goal is not perfect metadata, but fast action on the systems attackers are already touching.
- Shorten response SLAs for public PoC conditions Assume high-severity remotely exploitable flaws with public proof-of-concept code are being attempted within days, not weeks. Pre-stage compensating controls such as IPS rules, hardening guidance, and emergency maintenance windows before exposure becomes widespread.
Key takeaways
- Proofpoint's core finding is that vulnerability discovery is accelerating faster than enrichment, but attacker playbooks remain familiar and opportunistic.
- The evidence gap between active exploitation and CISA KEV inclusion shows why catalogue-based prioritisation alone no longer captures real risk.
- Security teams should move to exposure-and-exploit based triage, especially for internet-facing management, mail, and remote access systems.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article centers on exploitation, initial access, and post-compromise movement patterns. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central to identifying active exploitation before catalogue inclusion. |
| NIST SP 800-53 Rev 5 | SI-2 | Patch and flaw remediation controls address the delayed-remediation risk in the article. |
| CIS Controls v8 | CIS-7 , Continuous Vulnerability Management | The report is fundamentally about prioritising and remediating vulnerabilities under time pressure. |
Map exposed CVEs to ATT&CK tactics and prioritise mitigations where initial access and lateral movement are already observed.
Key terms
- Exploitability signal: Any indicator that a vulnerability is likely to be used soon or is already being used, such as exploitability ratings, proof-of-concept code, or catalog membership. These signals help convert a long vulnerability list into a shorter response queue.
- Prioritisation Debt: Prioritisation debt is the backlog created when security teams delay action because they are waiting for complete data, formal scoring, or catalogue status. In practice, it accumulates fastest on internet-facing assets where attacker timelines are shorter than governance workflows.
- Internet-Facing Exposure: Internet-facing exposure is the condition where a system, interface, or management plane is reachable from the public internet. In vulnerability management, that exposure sharply increases urgency because scanning, exploitation, and follow-on compromise can begin almost immediately after disclosure.
- Weaponised Attachment Chain: A weaponised attachment chain is a delivery pattern where a malicious document or embedded object starts a multi-stage infection sequence. It often combines phishing lures, code execution, and secondary payload retrieval, making email a durable initial access path.
What's in the full report
Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:
- Telemetry-backed breakdown of which 2026 CVEs are active in email versus network exploitation paths
- Campaign-level detail on the TA422 and TA406 exploitation chains, including payload progression and delivery patterns
- The full table of observed CVEs, affected products, and KEV status across the 5,000-plus sensor network
- Defensive guidance tied to specific vulnerability classes, including IPS, hardening, and prioritisation triggers
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to broader security operations and risk decisions.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org