Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI-assisted CVE discovery and the exploitation gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: 12 distinct 2026 CVEs are already being actively exploited in network-facing attacks, while only 8 are listed in CISA KEV, according to Proofpoint, and its telemetry shows attackers still rely on familiar phishing, authentication-bypass, and RCE playbooks despite a faster CVE pipeline. The operational issue is no longer novelty in attacker tradecraft, but the growing prioritisation gap created by exploitation outpacing enrichment and cataloguing.

NHIMG editorial — based on content published by Proofpoint: The CVE Landscape Has Changed. The Threat Actors Haven't

By the numbers:

  • Proofpoint telemetry shows 12 distinct 2026 CVEs being actively exploited in network-facing attacks, compared to the 8 currently listed on the CISA KEV catalog.
  • Proofpoint's network sensor infrastructure spans over 5,000 sensors globally with more than 3 million alerts analyzed in 2026.
  • NIST reported that CVE submissions in Q1 2026 were nearly one-third higher than the same quarter last year.

Questions worth separating out

Q: What breaks when organisations wait for KEV before patching new CVEs?

A: Waiting for KEV creates a blind spot because exploitation often starts before formal catalogue inclusion.

Q: Why do AI-assisted attackers change vulnerability prioritisation?

A: AI-assisted attackers can test many combinations much faster than human teams can patch, which makes vulnerability chaining practical at scale.

Q: How do security teams know when a newly disclosed CVE deserves emergency treatment?

A: A CVE deserves emergency treatment when it is remotely exploitable, internet-facing, and paired with public proof-of-concept code or active exploitation signals.

Practitioner guidance

  • Prioritise exposed CVEs by exploit evidence Move internet-facing systems to the front of patch queues when telemetry, proof-of-concept code, or active scanning indicates exploitation.
  • Rebuild email delivery controls around weaponised attachment patterns Tune filtering and sandboxing for RTF, OLE, and LNK chains, especially where campaigns use institutional lures and legitimate-looking document formats.
  • Treat management interfaces as identity-risk assets Inventory and isolate remote access platforms, mail administration surfaces, and perimeter management consoles because they often sit on top of privileged access paths.

What's in the full report

Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:

  • Telemetry-backed breakdown of which 2026 CVEs are active in email versus network exploitation paths
  • Campaign-level detail on the TA422 and TA406 exploitation chains, including payload progression and delivery patterns
  • The full table of observed CVEs, affected products, and KEV status across the 5,000-plus sensor network
  • Defensive guidance tied to specific vulnerability classes, including IPS, hardening, and prioritisation triggers

👉 Read Proofpoint's analysis of 2026 CVE exploitation trends and attacker behaviour →

AI-assisted CVE discovery and the exploitation gap teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Exploitability now outruns catalogue certainty: the operational question is no longer whether a vulnerability exists, but whether it is already being used before formal enrichment catches up. That means teams that treat KEV, CVSS, or vendor advisories as sequential checkpoints are already behind the attacker timeline. Practitioners should reframe prioritisation around exposure plus exploit signals, not publication order.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who is accountable when active exploitation is known but enrichment is still incomplete?

A: Accountability sits with the teams that own exposure, patching, and prioritisation decisions, not with the catalogue alone. When enrichment lags, governance must shift to risk ownership based on live telemetry and business criticality. Waiting for full metadata is a process choice, not a technical necessity.

👉 Read our full editorial: AI-assisted CVE discovery is widening the exploitation gap



   
ReplyQuote
Share: