The time between vulnerability disclosure and exploitation has plunged 94% over the past five years as threat actors weaponize so-called “n-days,” according to a new Flashpoint study.
The threat intelligence vendor claimed that “time to exploit” (TTE) dropped from 745 days in 2020 to just 44 days last year, dramatically reducing the time security and IT teams have to patch.
Driving this trend is the growing use of n-day exploits, which target vulnerabilities that have been publicly disclosed but remain unpatched by organizations.
Flashpoint claimed that n-days now represent over 80% of the CVEs listed in its Known Exploited Vulnerabilities (KEV) database, VulnDB.
Although zero-day vulnerabilities and exploits grab more headlines, n-days make more sense to threat actors as they require much less time, effort and expense to research.
“Adversaries have gained a significant advantage through the rapid weaponization of researcher-published proof-of-concept (PoC) code. When a fully functional exploit is released alongside a vulnerability disclosure, it becomes a ‘turn-key’ solution for attackers,” the report noted.
“By combining these ready-made exploits with internet-wide scanning tools like Shodan or FOFA, even unsophisticated threat actors can conduct mass exploitation across large segments of the internet in hours.”
Security and perimeter software is a growing target for n-day attacks, Flashpoint warned. The firm said it observed 52 zero-day and 37 n-day attacks targeting these tools in 2025.
Just this week, it emerged that a likely nation-state actor had exploited two critical zero-day bugs in Ivanti Endpoint Manager Mobile (EPMM) to compromise several government agencies.
Visibility Issues Compound Security Challenges
The challenges facing security teams in this regard are exacerbated by two issues related to visibility, Flashpoint claimed.
The first is asset visibility – Flashpoint claimed that “most” large organizations may not have more than a quarter of their total assets inventoried.
The second it dubbed a “CVE blind spot” arising from the fact that most security tools are dependent on CVEs.
“However, thousands of vulnerabilities are disclosed every year that never receive an official CVE ID,” the report added. “These ‘missing’ vulnerabilities represent a massive blind spot for standard scanners.”
Long-running resource problems with the National Vulnerability Database (NVD) have compounded the problem, leading to delays in processing CVEs.