Qualys Study Shows 88% of Critical KEVs Remain Unpatched, Exposing Organizations to Prolonged Exploitation
What Happened — Qualys analyzed over one billion CISA Known Exploited Vulnerability (KEV) remediation records from 10,000 organizations (2022‑2025). Manual patching kept pace with attackers only 12% of the time; 88% of critical, actively weaponized flaws were left open, and half were weaponized before a patch existed. The 15% of firms that had fully automated remediation had already patched by the time a KEV entry was added, showing that the gap can be closed with a new remediation model.
Why It Matters for TPRM —
- Persistent exposure to weaponized CVEs inflates risk mass across the supply chain.
- Traditional MTTR metrics hide the true “Average Window of Exposure” (AWE) and therefore under‑estimate risk.
- Vendors that rely on manual remediation pipelines may be unable to protect their customers against fast‑moving exploits.
Who Is Affected — All enterprise sectors that depend on third‑party software and services, especially those running legacy assets, on‑premises infrastructure, or SaaS solutions that lack automated patching.
Recommended Actions —
- Review third‑party remediation capabilities; prioritize vendors with automated, intelligence‑driven patching.
- Incorporate AWE, Risk Mass, and Manual Tax metrics into vendor risk assessments.
- Require proof‑of‑concept confirmation of exploitability for critical vulnerabilities.
Technical Notes — The study highlights a structural “human ceiling” where vulnerability volume outpaces manual processes. Attack vectors are primarily vulnerability exploits (weaponized CVEs such as Follina). New metrics (AWE, Risk Mass, Manual Tax, Confirmation Gap) quantify exposure beyond traditional MTTR. Source: Qualys Blog – The Broken Physics of Remediation
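The MTTR‑versus‑AWE distinction in the Technical Notes, as an added worked example that is not part of the Qualys study or of this brief: the record schema, the four constructed KEV records with placeholder CVE ids, the reporting date, and the metric formulas (MTTR averaged over remediated findings only, measured from patch availability; AWE averaged over every finding, measured from KEV listing to remediation or, for open findings, to the reporting date) are assumptions of this example, not Qualys's published definitions. Run over the same records, the two figures diverge sharply because MTTR never sees the findings that were left open.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class KevRecord:
    """One KEV remediation record (constructed sample, not Qualys data)."""
    cve: str
    kev_added: date                   # date CISA listed the CVE as actively exploited
    patch_available: Optional[date]   # vendor fix release date (None = no fix yet)
    remediated: Optional[date]        # date the organization closed it (None = still open)


# Constructed sample records; the CVE ids are placeholders, not real entries.
RECORDS = [
    KevRecord("CVE-EXAMPLE-0001", date(2024, 1, 10), date(2024, 1, 3), date(2024, 1, 20)),
    KevRecord("CVE-EXAMPLE-0002", date(2024, 2, 1), date(2024, 1, 15), date(2024, 2, 4)),
    # Listed in KEV a week before the vendor shipped a fix, and still unpatched.
    KevRecord("CVE-EXAMPLE-0003", date(2024, 3, 5), date(2024, 3, 12), None),
    # Fix existed a month before KEV listing; never applied.
    KevRecord("CVE-EXAMPLE-0004", date(2024, 4, 1), date(2024, 3, 1), None),
]

AS_OF = date(2024, 6, 30)  # assumed reporting date used to size still-open exposure


def mttr_days(records):
    """Classic MTTR (assumed definition): mean days from patch availability to
    remediation, over remediated records only. Open findings are invisible here."""
    closed = [
        (r.remediated - r.patch_available).days
        for r in records
        if r.remediated is not None and r.patch_available is not None
    ]
    return mean(closed) if closed else None


def average_window_of_exposure_days(records, as_of=AS_OF):
    """AWE (assumed definition): mean days between KEV listing and remediation,
    with still-open findings counted up to the reporting date. Every record counts."""
    windows = [((r.remediated or as_of) - r.kev_added).days for r in records]
    return mean(windows) if windows else None


def unpatched_share(records):
    """Fraction of KEV findings that remain open."""
    return sum(1 for r in records if r.remediated is None) / len(records)


def weaponized_before_patch(records):
    """CVEs listed as exploited in the wild before any vendor fix existed."""
    return [
        r.cve for r in records
        if r.patch_available is None or r.kev_added < r.patch_available
    ]


if __name__ == "__main__":
    print(f"MTTR (closed findings only): {mttr_days(RECORDS):.1f} days")
    print(f"AWE (all findings):          {average_window_of_exposure_days(RECORDS):.1f} days")
    print(f"Unpatched share:             {unpatched_share(RECORDS):.0%}")
    print(f"Weaponized before patch:     {weaponized_before_patch(RECORDS)}")
```

On these records MTTR reports 18.5 days while AWE reports 55 days, and the two findings that were never patched contribute nothing to MTTR at all; that blind spot is the point of the AWE metric, and it is why a vendor's MTTR figure alone is a weak input to a third‑party risk assessment.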